NetSupport as a RAT – The Resurgence of a Covert Threat

The NetSupport RAT has emerged as a significant cyber threat, exploiting legitimate remote administration tools for malicious purposes. This report provides an in-depth analysis of recent incidents, targets, and the tactics employed by the threat actors, emphasizing their impact and operational methods.

Recent Infections and Targets

  • Educational Institutions: Schools and universities have been primary targets. For instance, in a recent attack, a university in the UK was targeted through a phishing campaign that led to the installation of NetSupport RAT. This resulted in the compromise of sensitive student and staff data.
  • Government Entities: Government agencies have also been targeted. A notable case involved a local government office in Australia, where the RAT was deployed via a fake software update, leading to significant data breaches.
  • Business Services: A large corporation in the financial sector fell victim to a sophisticated NetSupport RAT attack, originating from a compromised website. This incident led to the unauthorized access of confidential client information and financial data.

In each of these cases, the attackers were partially successful, achieving initial penetration and data access, but were eventually detected and mitigated before causing more severe damage.

Source: Mandiant’s Analysis of NetSupport RAT

Further examples of NetSupport in Cybersecurity Incidents

  1. Healthcare Sector Breach (2021): A large hospital in the United States was hit by a NetSupport RAT attack, which led to the theft of patient records and confidential health information. The attack vector was a phishing email disguised as a COVID-19 update.
  2. Attack on a Tech Company (2022): A prominent tech firm experienced a breach where NetSupport RAT was deployed through a malicious software update notification. This resulted in the loss of proprietary technology data and interruption of services.
  3. Financial Sector Incident (2023): In a recent high-profile case, a European bank’s network was compromised using NetSupport RAT, delivered through a spear-phishing campaign. The attack led to a temporary shutdown of online banking services and data exfiltration.

Each incident highlights the RAT’s versatility and the sophistication of the attackers in exploiting different vectors and sectors.

Source: CrowdStrike’s 2023 Global Threat Report

MITRE ATT&CK TTPs and Their Relevance

  1. Phishing (T1566): This technique is pivotal in the initial stages of the NetSupport RAT distribution. Threat actors use phishing emails to trick users into downloading the RAT, capitalizing on human error.
  2. User Execution (T1204): The success of the RAT often depends on user interaction, such as clicking a malicious link or opening a compromised file.
  3. Command and Scripting Interpreter (T1059): NetSupport RAT utilizes JavaScript and PowerShell for execution, highlighting the use of scripting languages in deploying the malware.
  4. Deobfuscate/Decode Files or Information (T1140): The RAT uses multi-layer obfuscation techniques to conceal its payload, requiring decoding for analysis and execution.
  5. Obfuscated Files or Information (T1027): NetSupport RAT’s use of obfuscation complicates detection by traditional antivirus software, allowing it to evade initial security measures.
  6. Application Layer Protocol (T1071): This protocol facilitates the communication between the RAT and the attacker’s command-and-control (C2) server, essential for maintaining control over the compromised system.
  7. Scheduled Task/Job (T1053): NetSupport RAT may establish persistence by creating scheduled tasks or jobs, ensuring its continued operation even after system reboots.
  8. Impair Defenses (T1562): The RAT is known to disable critical security features like Windows Error Reporting, allowing it to operate undetected for longer periods.
  9. Modify Registry (T1112): By altering registry entries, the RAT ensures automatic execution upon system startup, maintaining its presence on the infected machine.

Common Indicators

  • Suspicious Email Links: Phishing emails containing links to malicious sites.
  • Compromised Website Redirects: Drive-by download attacks originating from hacked websites.
  • Unexpected Software Update Prompts: Fake update notifications for popular software like Adobe Flash and web browsers.
  • Anomalous PowerShell Activity: Unusual PowerShell executions that could indicate the downloading or execution of malicious scripts.
  • Registry Modifications: Changes in registry entries, particularly in startup items.
  • File System Anomalies: Presence of unexpected files in the %AppData% directory, such as 7zip executables or batch scripts.

Typical Infection Paths

  1. Initial Contact: Often through a phishing email or compromised website.
  2. Download and Execution: Malicious JavaScript or PowerShell scripts are executed to download the RAT.
  3. Payload Deployment: Multi-layer obfuscated scripts deploy NetSupport RAT onto the victim’s system.
  4. Establishing Persistence: Modification of registry entries and disabling of security features.
  5. Command and Control Communication: Regular communication with the attacker’s server for further instructions and data exfiltration.

The NetSupport tool exemplifies the evolving landscape of cyber threats, where legitimate tools are repurposed for malicious intent. Understanding its deployment methods, targets, and the nature of recent attacks is crucial for developing effective cybersecurity strategies. Organisations must remain vigilant, educating their workforce and implementing robust security measures to counter such sophisticated threats.

Further Reading