NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors

Cyber Security Threat Summary:
According to Cybersecurity firm VMware Carbon Black, NetSupport RAT infections have been on the rise, with researchers detecting no less than 15 new infections in the last couple of weeks. NetSupport RAT is a remote access trojan that started off as a legitimate remote administration tool to provide users with technical support. However, threat actors have misused the tool to carry out malicious operations. NetSupport RAT is typically distributed in the form of a ZIP archive file. Once executed, researchers note that it can be leveraged by actors to monitor victim activity, transfer files, manipulate computer settings, and move laterally to other devices on the network.

Security Officer Comments:
Based on infections observed, the trojan is being used to target victims in the education, government, and business services sectors. According to researchers, NetSupport RAT is typically downloaded on the victim’s system using deceptive websites and fake browser updates. In the past, compromised WordPress sites were leveraged to display fake Cloudflare DDoS Protection pages, ultimately leading to the distribution of NetSupport RAT. Threat actors are likely using similar tactics in the latest campaign to infect unsuspecting victims.

Suggested Correction(s):
Users should avoid downloading software from third-party sites and should exclusively refer to the official vendor’s website to ensure authenticity. Updates for browsers like Chrome can be accessed directly via the browser (typically an “update’ button is shown on the top right corner of Chrome, whenever there is a new update). As such a site promoting browser updates should be seen as a red flag and avoided at all costs.