Attackers deliver a NetSupport payload through malicious MSIX packages preconfigured to contact an attacker-controlled NetSupport Manager. The sample update_12_06_2024_5903695.msix contains the NetSupport client and a PowerShell-based dropper that opens a Chrome download page as a lure, unpacks the payload with a portable 7-Zip, and connects to an HTTPS C2 at 38.135.52.140.
Read more: https://isc.sans.edu/diary/rss/31018
Keypoints
- Malicious MSIX packages are used to drop a NetSupport client configured for attacker-controlled C2.
- The sample MSIX (update_12_06_2024_5903695.msix) contains all components to download and install NetSupport, including launcher and helper tools.
- The dropper opens a Chrome download page to lure the user before proceeding with installation.
- The NetSupport client is packaged in double-compressed archives (client2.7z and client1.7z) to evade detection.
- The C2 is hosted at a remote HTTPS server (IP 38.135.52.140) and uses a shared key to encrypt communications.
- Configuration details (client32.ini) reveal the NetSupport Manager address and related parameters, including a checksum mechanism for integrity.
- NetSupport has a history of being repurposed by attackers, highlighting its low-cost, effective remote-access capabilities for intrusions.
MITRE Techniques
- [T1059.001] PowerShell – The dropper uses a PowerShell script to orchestrate the download and execution, e.g., “Start-Process $path”.
- [T1071.001] Web Protocols – The C2 communications occur over HTTPS to a remote server, e.g., “The C2 server (down at this time) is 38.135.52.140 and uses HTTPS.”
- [T1082] System Information Discovery – The dropper queries the system to determine environment, e.g., “Get-WmiObject Win32_ComputerSystem | Select-Object -ExpandProperty Domain”.
- [T1027] Obfuscated Files or Information – The NetSupport client is double-compressed in client2.7z and client1.7z, and the package carries portable 7-zip tools to unpack them.
Indicators of Compromise
- [Hash] update_12_06_2024_5903695.msix – SHA256 e77bd0bf2c2f5f0094126f34de49ea5d4304a094121307603916ae3c50dfcfe4
- [IP] 38.135.52.140 – C2 server address used by the NetSupport client over HTTPS
- [URL] https://www.google.com/intl/en_en/chrome/ – lure page opened by the dropper to facilitate infection
- [File] client32.ini – NetSupport Manager configuration containing IPs and settings used by the payload
- [File] client2.7z – part of the double-archive payload
- [File] client1.7z – part of the double-archive payload
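As an added example (not code from the diary, and not NetSupport's own tooling), the Python script below shows how a responder can triage an MSIX package against the keypoints and indicators above. An MSIX is a zip container, so the script lists the package for the IOC file names, parses any client32.ini it finds, and checks the configured manager/gateway address against the C2 IP and against non-public address space. The INI layout used here ([HTTP] GatewayAddress/GSK/Port, [General] Checksum) follows the usual NetSupport configuration and is an assumption; the embedded package, its checksum and its key value are constructed for the demonstration, not taken from the real sample.

```python
import configparser
import io
import ipaddress
import zipfile

# IOCs from the diary summary above.
C2_IPS = {"38.135.52.140"}
SUSPICIOUS_NAMES = {"client32.ini", "client32.exe", "client1.7z", "client2.7z"}

# Constructed client32.ini modelled on the usual NetSupport layout (assumption);
# the checksum and GSK values are placeholders, not from the real sample.
SAMPLE_INI = """[Client]
_present=1
Usernames=*
[General]
Checksum=0000C0DE
[HTTP]
CMPI=60
GatewayAddress=38.135.52.140:443
GSK=PLACEHOLDERKEY
Port=443
SecureGW=1
"""


def parse_client32_ini(text):
    """Pull the gateway (manager) address, port, shared key and checksum out of a client32.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    cfg = {"gateway": None, "port": None, "gsk": None, "checksum": None}
    if cp.has_section("HTTP"):
        cfg["gateway"] = cp.get("HTTP", "GatewayAddress", fallback=None)
        cfg["port"] = cp.get("HTTP", "Port", fallback=None)
        cfg["gsk"] = cp.get("HTTP", "GSK", fallback=None)
    if cp.has_section("General"):
        cfg["checksum"] = cp.get("General", "Checksum", fallback=None)
    return cfg


def gateway_host(gateway):
    """'38.135.52.140:443' -> '38.135.52.140'; hostnames are returned as-is."""
    if not gateway:
        return None
    return gateway.rsplit(":", 1)[0].strip()


def is_external_ip(host):
    """True only for a literal, globally routable IP (a hostname yields False)."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def scan_msix(data):
    """Scan MSIX bytes: flag IOC file names, parse client32.ini, rate the package."""
    findings = {"suspicious_files": [], "config": None, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base in SUSPICIOUS_NAMES:
                findings["suspicious_files"].append(info.filename)
            if base == "client32.ini":
                text = zf.read(info).decode("utf-8", errors="replace")
                findings["config"] = parse_client32_ini(text)
    cfg = findings["config"]
    if cfg is not None:
        host = gateway_host(cfg["gateway"])
        # A NetSupport config inside an MSIX is suspicious on its own; a match
        # on the known C2 address upgrades that to a positive hit.
        findings["verdict"] = "known_c2" if host in C2_IPS else "suspicious"
    elif findings["suspicious_files"]:
        findings["verdict"] = "suspicious"
    return findings


def build_sample_package():
    """Constructed stand-in for the malicious MSIX: a zip carrying the IOC file names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", "<Package/>")
        zf.writestr("client32.ini", SAMPLE_INI)
        zf.writestr("client2.7z", b"7z\xbc\xaf\x27\x1c")  # 7z magic only, constructed
        zf.writestr("launcher.ps1", "Start-Process $path")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_msix(build_sample_package())
    print(result["verdict"], result["suspicious_files"], result["config"])
```

Run against a real package, swap build_sample_package() for the file's bytes; a "suspicious" verdict with an external gateway that is not in C2_IPS is still worth a look, since the IP in the diary was already down at the time of writing and the operators can repoint the config at any time.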