Cisco Talos is monitoring campaigns that use NetSupport RAT to achieve persistent infections, with obfuscation and updates aimed at evading detection. The piece outlines detection approaches using Snort and details the staged JavaScript and PowerShell dropper that delivers the NetSupport Manager Agent. #NetSupportRAT #NetSupportManager #PowerShell #JavaScript #Snort #DriveByDownload #Talos
Key points
- Cisco Talos is tracking multiple malware campaigns that use NetSupport RAT for persistent infections.
- Campaigns evade detection through obfuscation and updates to the stagers and payloads.
- Stage 1 is a JavaScript stager downloaded from malicious ads or compromised sites, obfuscated and embedded in benign libraries.
- Stage 2 is a PowerShell dropper that retrieves a base64-encoded ZIP containing the NetSupport Manager Agent and establishes persistence via the registry.
- NetSupport RAT has been weaponized since 2017 and shows increased usage in phishing and drive-by download campaigns.
- Detection strategies include fast pattern-only Snort rules, Snort 3 file rules, and behavior-based detection via Sigma rules.
MITRE Techniques
- [T1059.001] PowerShell – PowerShell commands are invoked to download and execute the NetSupport Manager agent.
- [T1547.001] Registry Run Keys / Startup Folder – Registry entries are created to establish persistence for the NetSupport Manager agent on login.
- [T1027] Obfuscated Files or Information – JavaScript and PowerShell payloads are obfuscated to evade detection.
- [T1071.001] Application Layer Protocol: Web Protocols – Malicious payloads are downloaded via HTTP GET requests.
- [T1041] Exfiltration Over C2 Channel – Data may be exfiltrated through the established command and control channel.
Indicators of Compromise
- [File Name] client32.exe – main executable of the NetSupport Manager agent
- [Archive] base64-encoded ZIP containing the NetSupport Manager Agent payload – used during Stage 2
- [Registry Key] Run Keys / Startup Folder – registry persistence mechanism on login
- [URL] Stage 1/Stage 2 delivery – Stage 1 download URL embedded in JavaScript from malicious ads or compromised sites; Stage 2 payload retrieved via HTTP GET
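The behaviour-based detection mentioned in the key points, as an added example that is not from the Talos post: two rules that encode the Stage 2 chain described above (PowerShell spawning client32.exe, and a Run key pointing at client32.exe), run over constructed sample telemetry. Sysmon-style field names (EventType, Image, ParentImage, TargetObject, Details) and the sample paths are assumptions, not details the post gives.

```python
import re

# Constructed sample events (not real telemetry): one PowerShell-spawned agent,
# one Run-key persistence entry for client32.exe, and two benign events that
# must not match.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\alice\AppData\Roaming\ns\client32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ns",
     "Details": r"C:\Users\alice\AppData\Roaming\ns\client32.exe"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# Run / RunOnce key path (T1547.001) and the agent's main binary (client32.exe).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
AGENT_RE = re.compile(r"(^|\\)client32\.exe\b", re.IGNORECASE)


def is_powershell_spawned_agent(ev):
    """T1059.001: client32.exe started directly by powershell.exe (Stage 2 dropper)."""
    return (ev.get("EventType") == "ProcessCreate"
            and bool(AGENT_RE.search(ev.get("Image", "")))
            and ev.get("ParentImage", "").lower().endswith("\\powershell.exe"))


def is_run_key_persistence(ev):
    """T1547.001: Run/RunOnce value whose data launches client32.exe."""
    return (ev.get("EventType") == "RegistryValueSet"
            and bool(RUN_KEY_RE.search(ev.get("TargetObject", "")))
            and bool(AGENT_RE.search(ev.get("Details", ""))))


def detect(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_powershell_spawned_agent(ev):
            hits.append(("netsupport_agent_spawned_by_powershell", ev))
        if is_run_key_persistence(ev):
            hits.append(("netsupport_run_key_persistence", ev))
    return hits


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(name, ev)
```

The same two conditions map directly onto a process_creation and a registry_set Sigma rule; the parent-process check is the higher-signal of the two, since client32.exe is also shipped with legitimate NetSupport Manager installs.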
Read more: https://blog.talosintelligence.com/detecting-evolving-threats-netsupport-rat/