Distribution of NetSupport Malware Using Email – ASEC BLOG

AhnLab’s ASEC reports NetSupport RAT distributed via spear phishing emails and phishing pages disguised as invoices, shipment documents, and purchase orders. The campaign uses a malicious JavaScript in a ZIP attachment that, once executed, downloads and runs a PowerShell payload from a C2, with AMSI-based detection enabling observation of the infection flow. #NetSupportRAT #AhnLab #ASEC #mjventas #qualityzer #PowerShell #AMSI

Keypoints

  • NetSupport RAT is distributed through spam emails and phishing pages masquerading as invoices, shipment documents, and purchase orders.
  • A spear phishing email delivers a ZIP attachment scan16431643.zip containing a malicious JavaScript named scan16431643.js.
  • The JavaScript checks internet connectivity by connecting to three websites and terminates if the connection fails.
  • On a successful connection, the malware downloads and executes an additional PowerShell script from the C2; the downloader code itself is obfuscated.
  • The downloaded PowerShell script fetches NetSupport RAT (client32.exe) and saves it in a TimeUTCSync_(Random) folder under AppData, registering a registry key for persistence at boot.
  • Through AMSI, the deobfuscated content of the JavaScript can be observed at execution time, revealing the PowerShell commands and the C2 address it attempts to connect to.
  • EDR process traces show the PowerShell script execution and that the additional script is executed without being copied to a local directory.
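The keypoints above describe two host artifacts a defender can hunt for: a TimeUTCSync_(Random) folder under AppData holding client32.exe, and a registry entry that launches it at boot. The following PowerShell hunt is an added example, not code from the ASEC post or from AhnLab; it assumes the persistence lives in the standard Run keys (the post only says "a registry key") and treats a client32.exe under Program Files as the expected location of a legitimate NetSupport Manager install (also an assumption).

```powershell
# Added example (not from the ASEC post). Hunts for the NetSupport RAT persistence
# described above: TimeUTCSync_* folders under AppData and Run-key values pointing at them.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. TimeUTCSync_* folders under Roaming and Local AppData of the current user (per the post).
$appDataRoots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
foreach ($root in $appDataRoots) {
    Get-ChildItem -Path $root -Directory -Filter 'TimeUTCSync_*' | ForEach-Object {
        $client = Join-Path $_.FullName 'client32.exe'
        $findings += [pscustomobject]@{
            Source   = 'Filesystem'
            Location = $_.FullName
            Detail   = if (Test-Path $client) { 'client32.exe present' } else { 'folder only' }
        }
    }
}

# 2. Run-key values that reference such a folder, or client32.exe outside Program Files.
#    Assumption: the post does not name the key; HKCU/HKLM Run are the usual candidates (T1547.001).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $val = [string]$item.GetValue($name)
        if ($val -match 'TimeUTCSync_' -or ($val -match 'client32\.exe' -and $val -notmatch 'Program Files')) {
            $findings += [pscustomobject]@{ Source = 'Registry'; Location = "$key\$name"; Detail = $val }
        }
    }
}

# 3. A running client32.exe whose image is not under Program Files.
#    Assumption: a legitimate NetSupport Manager client is installed under Program Files.
Get-Process -Name client32 | ForEach-Object {
    if ($_.Path -and $_.Path -notmatch 'Program Files') {
        $findings += [pscustomobject]@{ Source = 'Process'; Location = "PID $($_.Id)"; Detail = $_.Path }
    }
}

if ($findings.Count -eq 0) { 'No NetSupport RAT persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in the context of each interactive user account; the AppData check only covers the profile the script runs under.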

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – The attack uses a ZIP attachment containing a malicious JavaScript file named ‘scan16431643.js’ to deliver NetSupport RAT. Quote: “The attached compressed file (scan16431643.zip) contains a malicious javascript with the file name ‘scan16431643.js’.”
  • [T1059.007] JavaScript – Execution of JavaScript in the attachment (scan16431643.js) to initiate the infection. Quote: “The attached compressed file (scan16431643.zip) contains a malicious javascript with the file name ‘scan16431643.js’.”
  • [T1027] Obfuscated/Compressed Files and Information – Some strings in the JavaScript are obfuscated. Quote: “Some strings are obfuscated. It connects to 3 normal websites to check the internet connection of the victim.”
  • [T1059.001] PowerShell – The malware downloads and executes a PowerShell script from the C2. Quote: “When the connection is successful, the malware connects to the C2 and downloads and executes an additional Powershell script.”
  • [T1105] Ingress Tool Transfer – The PowerShell script from the C2 downloads additional payload. Quote: “downloads and executes an additional Powershell script from the C2.”
  • [T1547.001] Registry Run Keys/Startup Folder – NetSupport RAT is registered in a registry key to ensure startup persistence. Quote: “registers it to a registry key to ensure that it is automatically executed when the system is booted up.”
  • [T1562.001] Impair Defenses – AMSI is used to decrypt data from obfuscated JavaScript to reveal the C2 address. Quote: “AMSI… allows application programs to be integrated with antivirus products.” and “even obfuscated javascript scripts can yield decrypted data such as Powershell commands and the C2 address…”
  • [T1071.001] Web Protocols – C2 communication uses web URLs to download scripts (mjventas.com/reconts.php and qualityzer.com/index1.php). Quote: “C2 address to attempt connection to (‘mjventas.com/reconts.php’)” and “For downloading an additional Powershell script” / “For downloading NetSupport RAT”

Indicators of Compromise

  • [URL] – https://mjventas[.]com/reconts[.]php and https://qualityzer[.]com/index1[.]php, used for downloading the PowerShell script and NetSupport RAT
  • [Domain] – mjventas.com, qualityzer.com
  • [File Name] – scan16431643.zip, scan16431643.js, client32.exe
  • [Detection Name] – Trojan/JS.Agent.SC189783 (2023.06.15.02), AhnLab file detection

Read more: https://asec.ahnlab.com/en/55146/