The latest cybersecurity trends, best practices, security vulnerabilities, and more
Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT
Trellix detected an ongoing campaign using fake Chrome browser updates to lure victims to install a remote administration software tool called NetSupport Manager. Malicious actors abuse this software to steal information and take control of victim computers. The detected campaign has similarity with previously reported SocGholish campaign, which was run by a suspected Russian threat actor. However, the link to SocGholish is not conclusive, and there are differences in the tools used.
This blog will discuss the detected campaign and the tactics used to deliver the final payload to victims, similarities, and differences with previously reported campaigns.
Joseph Tal, senior vice president of Trellix Advanced Research Center, said that “Chromium with 63.55% of market share is now the de facto most targeted browser for NetSupport RAT attacks, due to the global usage. Most large enterprise are using the Chromium browser as the main tool for web applications. I am concerned about low efficacy endpoint solutions that are unable to detect the types of attacks. Board room discussions should include this increasing attack surface as part of cyber’ discussions. Organisations need holistic global threat intelligence and innovative security solutions to get the governance and tools needed to reduce the cyber risk.”
Compromised sites may be identified by searching for the path, ‘/cdn-js/wds.min.php’. The success of this campaign depends on the reach of the compromised website. From Trellix telemetry, we found a recent compromise of a Chamber of Commerce website that has traffic from the Federal Government, financial institutions, and consulting services. The site is already cleaned of the injected script and was compromised for at least a day.
The injected script in the compromised website leads to a fake browser update page as in Figure 2. This fake browser update theme leading to a NetSupport RAT is not new and was reported years ago. This lure was also used by SocGholish , where it also leads to the installation of NetSupport RAT. However, there is no conclusive evidence found to connect this current campaign to SocGholish.
The notable difference between the reported SocGholish campaign and the current one is in the tools used. SocGholish used PowerShell with WMI functionality to download and install the RAT. By contrast, this current campaign uses batch files (.BAT), VB scripts and the Curl tool instead of PowerShell scripts to download components and the RAT payload. This is described in detail in the following section.
The second stage script named, “Chrome_update.js”, is a downloader. It downloads a batch file, “1.bat”, in the local ‘C://ProgramData’ folder and executes it.
In Figure 6, the batch file “1.bat” drops VBScript and batch files. The VBScript files are still in development or act as a dummy as it is noted that the “Wscrit.Arguments” is misspelled and the scripts are not executed. By contrast, the batch files are executed and use “curl” to download further components. These components are the portable 7-zip file archiver, NetSupport Manager RAT software package, and finally the batch file, “2.bat”, to install and execute the RAT.
The NetSupport Manager RAT is extracted using the downloaded 7-zip utility and executed through scheduled tasks in the victim computer by the downloaded “2.bat” file. This batch file is also responsible for creating the persistence mechanism of the RAT to be executed upon system startup.
Looking at the configuration file of the RAT, “client32.ini”, the gateway address is set to 184.108.40.206. At this point, in which the RAT is downloaded and installed in the victim computer, the threat actors have gained almost complete control of the victim machine. They can now install more malware, exfiltrate data, scan the network and move laterally.
Various threat actors may employ almost similar techniques in their attacks if those techniques work and prove effective. In this campaign, we have observed that threat actors continue to actively use the lure of a fake browser update, which had been utilized in different attacks.
The abuse of readily available RATs continues as these are powerful tools capable of fulfilling the adversaries’ needs to carry out their attacks and achieve their objectives. While these RATs may not be constantly updated, the tools and techniques to deliver these payloads to potential victims will continue to evolve.
Threat actors continually update their TTPs to evade detection. They use available tools in the target environment to avoid unnecessary download and creation of custom components. They also use text-based or scripting languages that can be obfuscated in different ways, posing a challenge in creating static detection. In this campaign, a combination of native Windows OS scripting languages such as VBScript and Batch script were used together, along with the popular data transfer tool, curl, which has been available in Windows since 2017.
Trellix Network Security
Trellix Cloud MVX
Trellix File Protect
Trellix Detection As A Service
Suspicious Network Activity
Suspicious Process Informational Creating Schedule Tasks
Suspicious Process Launching Activity
Potentially unwanted program NetSupportRAT.a (ED)
NetSupport manager files
Feb 21, 2024
Trellix Named to Constellation ShortLists for XDR and Endpoint Protection Platforms
Feb 15, 2024
Trellix to Host AI and Cybersecurity Virtual Summit
Feb 15, 2024
Trellix to Host Public Sector Cybersecurity Summit
Feb 9, 2024
Trellix Named a Leader in IDC MarketScape for Modern Endpoint Security for Midsize Businesses
Jan 25, 2024
Trellix Achieves AWS Small and Medium Business Competency
The latest from our newsroom
Trellix’s market-leading endpoint security solution delivers comprehensive threat management.
In this blog, we present multiple attack scenarios focused on lateral movement, including abuse of weak service permissions to execute code, dumping and exfiltrating credential material from Active Directory.
Get the latest
We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.
Zero spam. Unsubscribe at any time.