Gotta Catch ‘Em All | Understanding the NetSupport RAT Campaigns Hiding Behind Pokemon Lures

Researchers report a NetSupport RAT campaign that uses a Pokemon-themed lure to trick targets into installing a trojanized NetSupport RAT client, granting attackers full control of the compromised device. The operation relies on ISO droppers masquerading as legitimate software, persistence mechanisms, and discovery/anti-analysis techniques to evade detection. #NetSupportRAT #PokemonLures #Maze #RagnarLocker #Andromeda #Nanocore #CirenegRAT #DarkComet

Keypoints

  • Phishing-driven dropper uses a Pokemon-themed lure to coax victims into installing the trojanized NetSupport RAT client.
  • NetSupport RAT is based on a legitimate NetSupport Manager and offers extensive remote-control capabilities, including real-time monitoring and screen capture.
  • Campaigns employ ISO files as droppers, containing the RAT installer or a redirecting LNK to the installer (masquerading as legitimate software).
  • The loader is obfuscated with the Babadeda crypter; a base64-encoded string configures the RAT’s parameters and connection details.
  • Persistence is achieved via registry Run Keys and Startup Folder, plus a scheduled task with multiple triggers.
  • Discovery and anti-analysis features include GetAdaptersAddresses, WMI queries, debugger checks, and process enumeration; network traffic uses non-standard ports (e.g., TCP 50275).

MITRE Techniques

  • [T1219] Remote Access Software – NetSupport RAT based on NetSupport Manager provides full and complete control over the target device. Quote: “NetSupport Manager, used maliciously or otherwise, provides full and complete control over the target device.”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The sample generates a scheduled task with multiple triggers. Quote: “a scheduled task with multiple triggers.”
  • [T1047] Windows Management Instrumentation – Network adapter details are pulled via GetAdaptersAddresses; host data is gleaned via two WMI queries: “SELECT * FROM Win32_ComputerSystem” and “SELECT * FROM Win32_SystemEnclosure”.
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – The campaign drops data/executables into %temp% and Google Temp locations for stealth. Quote: “Data files and executables are also written to %temp%. These files are all self-deleted after launch or full installation of the attacker configuration.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via registry entry and a Startup folder shortcut (e.g., ~\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetSupport.url). Quote: “Persistence for the RAT is achieved via registry entry, and a shortcut to the installed RAT executable is written to the Startup folder.”
  • [T1564.003] Hide Artifacts: Hidden Window – The RAT installation is disguised to look similar to a Google Chrome installation. Quote: “The RAT installation is disguised to look similar to a Google Chrome installation.”
  • [T1036] Masquerading – Disguise as legitimate software (e.g., Google Chrome installer). Quote: “The RAT installation is disguised to look similar to a Google Chrome installation.”
  • [T1112] Modify Registry – Registry-based persistence via Run Keys; startup shortcut. Quote: “Persistence for the RAT is achieved via registry entry, and a shortcut to the installed RAT executable is written to the Startup folder.”
  • [T1406.002] Obfuscated Files or Information: Software Packing – The sample is obfuscated via the Babadeda crypter; base64-encoded parameters used for the NetSupport connection. Quote: “The sample is obfuscated via the Babadeda crypter. When executed, a base64 encoded string is used to specify various parameters including sessionID and other critical values to the NetSupport connection.”
  • [T1049] System Network Connections Discovery – The client opens a port on TCP 50275 to receive network connections. Quote: “the client opens a port on TCP 50275 to receive network connections.”
  • [T1083] File and Directory Discovery – Discovery of host environment; includes GetAdaptersAddresses and WMI queries. Quote: “The RAT performs a number of discovery operations to understand its host environment.”
  • [T1057] Process Discovery – Process enumeration (EnumProcesses 32-bit). Quote: “EnumProcesses (32-bit processes).”
  • [T1012] Query Registry – Uses registry-based persistence and Run Keys/Startup Folder. Quote: “registry Run Keys / Startup Folder.”
  • [T1571] Non-Standard Port – Uses non-standard network port for C2 (e.g., TCP 50275). Quote: “Non-Standard Port”

Indicators of Compromise

  • [SHA1] Samples – 593966f38d6b062bec8534ec070a194ac3a3c3d8, 3a511941b09fdfed1b53bd89e55be7a3211b19c2, and 11 more hashes
  • [DNS/Domains] Domain – she32rn1[.]com
  • [File name] Droppers/Installers – CLFSECUR.EXE, client32.exe, and other installer components used in ISO-based drops
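A defender-side hunting routine, added here as an example and not part of the SentinelOne write-up, that matches Sysmon-style events against the persistence, file-name and network indicators listed above (Startup shortcut, Run key, client32.exe/CLFSECUR.EXE, TCP 50275, she32rn1[.]com). The event field names and the sample events are constructed assumptions.

```python
"""Hunt for NetSupport RAT artifacts in Sysmon-style events.
Event field names and SAMPLE_EVENTS are constructed for this example;
the indicators themselves come from the summary above."""
import re

RAT_BINARIES = {"client32.exe", "clfsecur.exe"}            # dropper / client names
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\netsupport\.url$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
C2_PORT = 50275                                             # non-standard RAT port
C2_DOMAIN = "she32rn1.com"                                  # domain from the IoC list

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return (technique, reason) pairs for one event; empty when nothing matches."""
    hits, kind = [], event.get("type")
    if kind == "process_create" and basename(event.get("image", "")) in RAT_BINARIES:
        hits.append(("T1219", f"NetSupport client binary launched: {event['image']}"))
    elif kind == "file_create" and STARTUP_RE.search(event.get("target", "")):
        hits.append(("T1547.001", f"Startup shortcut written: {event['target']}"))
    elif (kind == "registry_set" and RUN_KEY_RE.search(event.get("key", ""))
          and basename(event.get("value", "")) in RAT_BINARIES):
        hits.append(("T1547.001", f"Run key points at RAT binary: {event['key']}"))
    elif kind == "network_connect":
        # The client listens on 50275, so the port may appear on either side.
        if C2_PORT in (event.get("src_port"), event.get("dst_port")):
            hits.append(("T1571", f"Traffic on non-standard port {C2_PORT}"))
        if event.get("dst_host", "").lower() == C2_DOMAIN:
            hits.append(("T1571", f"Connection to known domain {C2_DOMAIN}"))
    return hits

def hunt(events: list) -> list:
    """Run classify() over every event and collect the findings."""
    return [{"technique": t, "reason": r, "event": ev}
            for ev in events for t, r in classify(ev)]

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"type": "process_create", "image": r"C:\Users\v\AppData\Local\Temp\CLFSECUR.EXE"},
    {"type": "file_create", "target": r"C:\Users\v\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\NetSupport.url"},
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\NetSupport",
     "value": r"C:\Users\v\AppData\Roaming\client32.exe"},
    {"type": "network_connect", "dst_host": "she32rn1.com", "dst_port": 50275},
    {"type": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "network_connect", "dst_host": "update.example.test", "dst_port": 443},
]
```

Running `hunt(SAMPLE_EVENTS)` flags the first four constructed events (five findings, since the last of them matches both the port and the domain) and ignores the two benign ones.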

Read more: https://www.sentinelone.com/blog/gotta-catch-em-all-understanding-the-netsupport-rat-campaigns-hiding-behind-pokemon-lures/