Researchers at ASEC recently reported on a NetSupport RAT campaign that utilizes Pokemon as the social engineering lure. Threat actors staged a malicious website, hosting a Pokemon-based NFT game, offering both a fun and financially rewarding experience. In reality, those drawn into the site are coerced into downloading the trojanized NetSupport RAT client, allowing attackers full access to their device.
NetSupport RAT has been observed in numerous attacks on enterprise environments over the years, and Pokemon is just the latest in a long line of creative lures used to distribute and drop NetSupport RAT. It is frequently used by cybercriminals as a ‘quick solution’ in lieu of implementing something more bespoke.
In this post, we provide an overview of NetSupport RAT and discuss the technical details of a recent campaign.
NetSupport RAT is based on NetSupport Manager, a legitimate tool which is frequently used by bad actors for malicious purposes in ways similar to TeamViewer. NetSupport Manager, used maliciously or otherwise, provides full and complete control over the target device. Once the client has been installed, attackers can access, acquire, and manipulate any data on the device (exfiltrate data, execute additional payloads). In addition, the software allows at least the following:
Malicious versions are constantly being sold or rented out via underground crime marketplaces.
As NetSupport Manager is a legitimate tool that has a long history of development, it is highly attractive to attackers as it can be relied on to work ‘out of the box’. Additionally, it is thoroughly documented and actively supported: benefits that are less likely with custom-built malware that provides similar functionality such as Andromeda, Nanocore, CirenegRAT, Dark Comet and others.
Malicious use of NetSupport Manager (aka NetSupport RAT) has been observed since at least late 2017. The use of “legitimate” or COTS (Commercial off the Shelf) tools is highly beneficial to attackers when attempting to achieve the greatest degree of stealth. Custom-written malware can often be detected by some layer of protection, such as EPP and EDR tools, so it is often advantageous to utilize a legitimate tool, even if it takes some creativity to deliver the remote software client.
ASEC reported that the NetSupport RAT droppers were delivered via phishing emails that entice targets to install a “Pokemon card game”. On doing so, the victim unknowingly installs the NetSupport RAT, a doctored version of the NetSupport Manager client (
client32.exe) that gives the attacker immediate and direct control of the infected device. While this specific attack was centered around the Pokemon theme, other phishing lures are known to be used.
Some recent NetSupport RAT campaigns utilize
.ISO files as droppers. This allows the attackers to evade certain types of detection. This technique has been used by ransomware actors as well such as by both Maze and Ragnar Locker.
When opened, the ISO files will contain either the NetSupport RAT installer (with configs/support files) or a .LNK file redirecting the victim to said installer.
A typical example of this kind of
.ISO file is the sample
.ISO contains an embedded
.EXE file (
CLFSECUR.EXE) which is then utilized to drop and execute the installer for NetSupport RAT.
4233ff7941da62b86fc2c2d92be0572c9ab534c8 has been observed in multiple ISO files masquerading as legitimate software, including:
The RAT installation is disguised to look similar to a Google Chrome installation.
The sample is obfuscated via the Babadeda crypter. When executed, a base64 encoded string is used to specify various parameters including sessionID and other critical values to the NetSupport connection.
The command decodes to look similar to the following:
Persistence for the RAT is achieved via registry entry, and a shortcut to the installed RAT executable is written to the Startup folder. For example:
In this case, the shortcut links to
\AppData\Roaming\Steelray Project Viewer. In addition, the sample generates a scheduled task with multiple triggers.
The RAT performs a number of discovery operations to understand its host environment. Network adapter details are pulled via
GetAdaptersAddresses. Additional data is gleaned via WMI queries such as:
SELECT * FROM Win32_ComputerSystem SELECT * FROM Win32_SystemEnclosure
The malware deploys some anti-analysis measures such as attempting to detect the presence of a debugger via IsDebuggerPresent, and all running processes are enumerated and logged via EnumProcesses (32-bit processes). Launch behavior, including delays in execution or outgoing connection, can be controlled by the attacker. For example,
Sleep statements may be used to delay execution by hours in order to trick sandboxes used in malware analysis or simply to disguise the association between the infection and the social engineering event from the user.
Network requirements vary across different NetSupport Manager configurations and sessions. In the analyzed sample, the client opens a port on TCP 50275 to receive network connections.
NetSupport RAT has the ability to drop and execute additional components. In this particular campaign, system/log data and executable code is dropped into
Data files and executables are also written to
~\Program Files (x86) \Google\Temp. These files are all self-deleted after launch or full installation of the attacker configuration. A large number of legitimate Google Chrome support files are also written to this location. These are used by the malware in order to facilitate the fake Google Chrome installation.
NetSupport Manager is a long-standing tool which, like TeamViewer, has unfortunately attracted ample use by cybercriminals. NetSupport RAT, once installed, is very robust and powerful, and threat actors are able to masquerade the dropper or installer in any way they see fit. In addition, threat actors using this tool are very quick to update their lures and find ways to entice their victims into installing the malicious remote control software.
SentinelOne Singularity™ provides protection against malicious behaviors associated with NetSupport RAT.
T1219 – Remote Access Software
T1053.005 – Scheduled Task/Job: Scheduled Task
T1047 – Windows Management Instrumentation
T1564.001 – Hide Artifacts: Hidden Files and Directories
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1564.003 – Hide Artifacts: Hidden Window
T1036 – Masquerading
T1112 – Modify Registry
T1406.002 – Obfuscated Files or Information: Software Packing
T1049 – System Network Connections Discovery
T1083 – File and Directory Discovery
T1057 – Process Discovery
T1012 – Query Registry
T1571 – Non-Standard Port