Keypoints
- NetSupport RAT is a maliciously altered version of the legitimate NetSupport Manager remote-administration tool.
- The RAT has been observed in at least two large campaigns since 2023.
- Researchers initially identified nine domain IoCs; WHOIS lookups reduced the analyzable set to seven domains with current WHOIS details.
- WHOIS and historical WHOIS analysis expanded artifacts to include 239 email-connected domains, 1,010 registrant-connected domains, three malicious IP addresses, and two string-connected domains.
- The seven domain IoCs were registered across five registrars (GoDaddy.com LLC administered three) and were created between 2002 and 2024, with registrants primarily in the U.S., plus India and Vietnam.
- Reverse WHOIS and Domain Research Suite queries uncovered 12 historical email addresses (four public), 17 email-connected domains from current records, and 222 more from historical records linked to those public emails (17 + 222 = the 239 email-connected domains above).
- Sample artifacts and a full dataset are available for download from the WhoisXML API report referenced by researchers.
MITRE Techniques
- [T1219] Remote Access Software: NetSupport RAT gave the operators remote access to and control of compromised systems.
- [T1583.001] Acquire Infrastructure: Domains: the campaign ran on registered domains (nine initial domain IoCs, seven with current WHOIS records, spread across five registrars); those domains and the registrant details attached to them are the pivots for the whole analysis. The article describes no domain generation algorithm (T1568.002), only conventionally registered names.
- No credential-access technique is described. The email addresses pulled from WHOIS records are an analyst pivot for enumerating connected domains, not evidence of credential dumping (T1003).
Indicators of Compromise
- [Domains] domain IoCs: nine initial domains identified (seven with current WHOIS records); see the Cisco Talos IOC list (https://github.com/Cisco-Talos/IOCs/blob/main/2024/08/detecting-evolving-threats-netsupport-rat.txt) and the WhoisXML API report for samples.
- [Email addresses] WHOIS-linked emails: 12 unique historical email addresses (four public) used to find connected domains; the article does not publish them, see the WhoisXML API report for details.
- [Registrant-connected domains] registrant pivot artifacts: 1,010 domains linked to the original registrants (sample artifacts available via the WhoisXML API report).
- [IP addresses] malicious IPs: three IP addresses identified as malicious (the article does not list them).
- [String-connected domains] textual associations: two string-connected domains discovered (the article does not list them).
NetSupport RAT is a weaponized build of the legitimate NetSupport Manager and has been active in multiple large campaigns since 2023. Researchers began with nine domain IoCs tied to the campaign and, after bulk WHOIS lookups, narrowed the immediate set to seven domains that had current WHOIS records suitable for deeper analysis.
Using WHOIS History API queries, analysts extracted 12 unique historical email addresses (four public) from those domains. Reverse WHOIS and Domain Research Suite searches on the four public addresses returned 17 email-connected domains in current records and 222 more in historical records, 239 in total; registrant and other pivots added 1,010 registrant-connected domains, three malicious IPs, and two string-connected domains. The seven primary IoCs were spread across five registrars (GoDaddy.com LLC managed three) and were created between 2002 and 2024, with registrants mainly in the U.S., plus entries in India and Vietnam.
The practical analysis flow was: collect initial IoCs (domains) from published research, perform bulk WHOIS to identify current records, query WHOIS History to surface historical emails, run reverse WHOIS and DRS searches on public emails to enumerate connected domains, and collate registrant and IP pivots to build a larger artifact set for threat hunting and IOC sharing. Sample artifacts and the complete dataset are available from the referenced WhoisXML API research report.
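The flow above, carried out offline over constructed WHOIS records as an added example (this is not the article's data, the WhoisXML API client, or its dataset; the record fields, the seed names, the `.example` domains and the privacy-proxy patterns are all assumptions). It narrows the seeds to those with a current record, collects every address from their current and historical records, drops privacy-proxy and registrar contacts, and reverse-pivots only on the remaining public addresses:

```python
"""WHOIS pivoting from seed domain IoCs to connected domains (added example).

All records below are constructed for illustration; they are not the
article's IoCs or the WhoisXML API dataset. Field names are assumptions.
"""
import re
from dataclasses import dataclass

# Contact addresses that belong to privacy proxies or registrars rather than
# to a registrant. Pivoting on one of these would link every domain that uses
# the same proxy, so they are excluded before any reverse WHOIS search.
PRIVACY_PATTERNS = (r"redacted", r"privacy", r"whoisguard", r"proxy", r"^abuse@")


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    observed: str            # "current" (bulk WHOIS) or "historical" (WHOIS history)
    registrar: str
    created: int             # creation year
    registrant_country: str
    emails: tuple


# Constructed sample: three seed IoCs (one with no current record), three
# domains that genuinely share a registrant address, and one decoy that only
# shares a privacy-proxy address with a seed.
RECORDS = (
    WhoisRecord("seed-a.example", "current",    "GoDaddy.com, LLC", 2024, "US", ("ops@mailer.example",)),
    WhoisRecord("seed-a.example", "historical", "GoDaddy.com, LLC", 2024, "US", ("redacted@privacy.example", "ops@mailer.example")),
    WhoisRecord("seed-b.example", "current",    "Registrar B",      2002, "IN", ("contact-privacy@proxy.example",)),
    WhoisRecord("seed-b.example", "historical", "Registrar B",      2002, "IN", ("owner@mailer.example",)),
    WhoisRecord("seed-c.example", "historical", "Registrar B",      2019, "VN", ("ops@mailer.example",)),
    WhoisRecord("pivot-1.example", "current",    "GoDaddy.com, LLC", 2023, "US", ("ops@mailer.example",)),
    WhoisRecord("pivot-2.example", "historical", "Registrar B",      2021, "US", ("owner@mailer.example",)),
    WhoisRecord("pivot-3.example", "current",    "Registrar B",      2022, "US", ("redacted@privacy.example",)),
    WhoisRecord("pivot-3.example", "historical", "Registrar B",      2022, "US", ("ops@mailer.example",)),
    WhoisRecord("unrelated.example", "current",  "Registrar B",      2020, "US", ("contact-privacy@proxy.example",)),
)
SEEDS = ("seed-a.example", "seed-b.example", "seed-c.example")


def is_public_email(email: str) -> bool:
    """True for an address that can identify a registrant, False for proxies."""
    e = email.lower()
    return "@" in e and not any(re.search(p, e) for p in PRIVACY_PATTERNS)


def bulk_whois(seeds, records):
    """Step 2: keep the seeds that still have a current WHOIS record."""
    return {r.domain: r for r in records if r.observed == "current" and r.domain in seeds}


def whois_history_emails(domains, records):
    """Step 3: every address ever seen on the given domains, current or historical."""
    return sorted({e.lower() for r in records if r.domain in domains for e in r.emails})


def reverse_whois(email, records, observed):
    """Step 4: domains whose record of the given kind carries this address."""
    return {r.domain for r in records
            if r.observed == observed and email in (e.lower() for e in r.emails)}


def pivot(seeds, records):
    """Run the whole flow and return the artifact set plus registrar/creation stats."""
    seeds = tuple(seeds)
    current = bulk_whois(seeds, records)
    all_emails = whois_history_emails(set(current), records)
    public = [e for e in all_emails if is_public_email(e)]
    connected_current, connected_hist = set(), set()
    for e in public:
        connected_current |= reverse_whois(e, records, "current")
        connected_hist |= reverse_whois(e, records, "historical")
    connected_current -= set(seeds)                       # seeds are already IoCs
    connected_hist -= set(seeds) | connected_current      # count each domain once
    registrars = {}
    for r in current.values():
        registrars[r.registrar] = registrars.get(r.registrar, 0) + 1
    years = [r.created for r in current.values()]
    return {
        "seeds_with_current_whois": sorted(current),
        "historical_emails": all_emails,
        "public_emails": public,
        "email_connected_current": sorted(connected_current),
        "email_connected_historical": sorted(connected_hist),
        "registrars": registrars,
        "created_range": (min(years), max(years)),
    }


if __name__ == "__main__":
    for key, value in pivot(SEEDS, RECORDS).items():
        print(f"{key}: {value}")
```

The decoy `unrelated.example` shares only a privacy-proxy contact with `seed-b.example` and is never pulled in, which is the check that matters most when a pivot returns hundreds or thousands of domains: an address belonging to a proxy service, a registrar, or a large hosting reseller links unrelated customers, so a registrant-connected set of the size reported here (1,010 domains) is a lead list for hunting, not an IoC list to block outright.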
Read more: https://circleid.com/posts/a-dns-deep-dive-into-the-netsupport-rat-campaign