Netsupport Rat Uses Social Engineering Toolkits

Cyble Research & Intelligence Labs noticed threat actors using Fake Browser Update, SocGholish to deliver the NetSupport RAT.

SocGholish is active since 2017. It is a JavaScript malware framework where “Soc” refers to the use of social engineering toolkits masquerading as software updates to deploy malware on a victim’s system

Researchers pointed out that this malware campaign uses various ‘Social Engineering’ themes that imitate browser and program updates which include Chrome/Firefox, Flash Player, and Microsoft Teams.

Drive-By-Download Mechanism

The threat actors allegedly lured users to a Chrome update using a drive-by-download mechanism. Attackers host a malicious website (the site displays content to lure end-users with critical browser updates) implements drive-by-download mechanism to download an archive file that contains malware.

Https://I0.Wp.com/Blog.cyble.com/Wp-Content/Uploads/2022/09/Figure-1-Infection-Chain-Of-Socgholish.jpg?Resize=982%2C250&Amp;Ssl=1
Infection Chain Of Socgholish

Once downloaded, the threat actor deployed an array of trojan and malware attacks, such as Cobalt Strike framework, ransomware, and others.

Publicité
Https://I0.Wp.com/Blog.cyble.com/Wp-Content/Uploads/2022/09/Figure-2-%E2%80%93-Fake-Update-Page-Of-Chrome-Browser.jpg?Resize=908%2C772&Amp;Ssl=1
Fake Update Page Of Chrome Browser

Upon clicking the “Update” button on the fake page, an archive file named “Сhrome.Updаte.zip” is downloaded and saved in the “Downloads” folder. Also, downloaded zip archive file contains a heavily-obfuscated JavaScript file named “AutoUpdater.js”.

Researchers say after the execution of the JavaScript file, it launches a PowerShell command to download and execute an additional PowerShell script from the remote server.

Https://I0.Wp.com/Blog.cyble.com/Wp-Content/Uploads/2022/09/Figure-4-Powershell-Script-To-Drop-Netsupport-Rat.jpg?Resize=988%2C432&Amp;Ssl=1
Powershell Script To Drop Netsupport Rat

NetSupport Manager is a commercially available RAT (Remote Administration Tool) used for legitimate reasons that gives administrators remote access to user’s computers. But TAs utilizes NetSupport Manager as their primary tool to target victims using remote access.

Https://I0.Wp.com/Blog.cyble.com/Wp-Content/Uploads/2022/09/Figure-5-Netsupport-Rat-Malware-Package-Dropped-Under-The-Appdata-Directory.jpg?Resize=958%2C461&Amp;Ssl=1

NetSupport RAT malware package dropped under the %AppData% directory

It is always worthwhile to confirm whether the downloaded content originated from a legitimate source and not from any suspicious sites.

Recommendations

  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
  • Avoid downloading files from unknown websites.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Block URLs that could spread the malware, e.g., Torrent/Warez.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

Download Free SWG – Secure Web Filtering – E-book

Rate this post
Publicité
Article précédentLe marché des fils magnétiques devrait atteindre environ 34,49 milliards USD d’ici 2030, croître à un TCAC de 5,50% au cours de la période de prévision 2023 à 2030
Article suivantVoici le bon ordre dans lequel regarder la franchise
Avatar De Violette Laurent
Violette Laurent est une blogueuse tech nantaise diplômée en communication de masse et douée pour l'écriture. Elle est la rédactrice en chef de fr.techtribune.net. Les sujets de prédilection de Violette sont la technologie et la cryptographie. Elle est également une grande fan d'Anime et de Manga.

LAISSER UN COMMENTAIRE

S'il vous plaît entrez votre commentaire!
S'il vous plaît entrez votre nom ici