Security analytics and operations management platform Securonix recently published details on a tricky new malware campaign they named JS#SMUGGLER. This attack delivers a powerful tool known as NetSupport RAT, giving hackers complete, secret control over victims’ computers.
Securonix’s Threat Research team, including analysts Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, conducted the analysis, which was shared with Hackread.com.
The Three-Step Infection
The entire attack is designed in three stages to make sure security systems don’t notice it. The process begins when a user simply visits a compromised website. The first step uses an obfuscated JavaScript loader. Obfuscation means the hackers purposely jumble their code, even hiding the malicious instructions among thousands of random words in comment blocks, to fool security checks.
This script, typically loaded from sites like boriver.com, is programmed to check if the user is on a desktop or a mobile device. If it detects a desktop, it proceeds with the full infection. Researchers noted that the script also uses a clever trick to run only once per user, which helps keep the operation quiet before fetching the next stage from domains like stoneandjon.com.
The second step involves a secret HTML Application (HTA). This HTA runs completely unseen using a standard Windows program called mshta.exe. Inside this HTA is the next part of the code, which is heavily protected through multiple layers of encryption: AES-256-ECB, Base64, and GZIP compression. This complex setup ensures the program only appears fully decoded in the computer’s memory, which means it never writes the main infection file to the hard drive, where antivirus programs could easily find it.
NetSupport RAT: Final Takeover
The third step involves installing the final program: NetSupport RAT. It is worth noting that NetSupport Manager is a legitimate remote-management tool for IT professionals. However, when hackers deploy it for malicious purposes, it becomes a Remote Access Trojan (RAT).
Securonix confirmed that the goal of this entire chain is full and long-lasting remote access. Once running, the RAT lets the hacker take full remote desktop control, browse and steal files, run commands, and conduct surveillance. The PowerShell code in this stage pulls a compressed file from a domain like kindstki.com.
To make the malware persistent, the hackers extract the files into a normal-looking folder such as C:\ProgramData\CommunicationLayer and create a fake Startup shortcut, for example one named WindowsUpdate.lnk. This shortcut guarantees the RAT starts automatically every time the victim logs in, which shows that this is an active and highly professional malware operation.
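As an added example (not code from the Securonix report), the following PowerShell audit walks every Startup folder on a Windows host, resolves each shortcut's target, and flags the persistence pattern described above: a .lnk named like a Windows component, or one launching a payload from under C:\ProgramData. The folder and shortcut names it checks are taken from the article; treating any ProgramData target as review-worthy is an assumption about what an analyst would want flagged.

```powershell
# Added example: audit Startup-folder shortcuts for the persistence pattern
# described in the article. Run as an administrator so every user profile's
# Startup folder is readable.

$shell = New-Object -ComObject WScript.Shell

# All-users Startup folder plus each profile's per-user Startup folder.
$startupDirs = @(Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $startupDirs += Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }

# Indicators taken from the article.
$suspiciousNames  = @('WindowsUpdate.lnk')
$suspiciousFolder = Join-Path $env:ProgramData 'CommunicationLayer'

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $sc      = $shell.CreateShortcut($lnk.FullName)
        $target  = $sc.TargetPath
        $reasons = @()
        if ($suspiciousNames -contains $lnk.Name)      { $reasons += 'name mimics a Windows component' }
        if ($target -like "$suspiciousFolder*")        { $reasons += 'target matches folder named in the report' }
        # Assumption: legitimate installers point Startup shortcuts into Program Files
        # or the user's AppData, so a ProgramData target deserves a closer look.
        elseif ($target -like "$env:ProgramData\*")    { $reasons += 'target under ProgramData' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Shortcut  = $lnk.FullName
                Target    = $target
                Arguments = $sc.Arguments
                Created   = $lnk.CreationTime
                Reasons   = $reasons -join '; '
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No suspicious Startup shortcuts found.' }
```

Pair the shortcut listing with the creation timestamps to narrow the investigation window, and compare any flagged target against the mshta.exe and PowerShell activity the article describes.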
Given the multi-layered tactics used in this JS#SMUGGLER campaign, caution is essential for all internet users. To protect yourself from such threats, carefully validate all software downloads and strengthen your endpoint defences so they can detect suspicious script activity, such as mshta.exe launching hidden HTA content, and unauthorised process execution.
