NetSupport RAT Evolves: Hundreds of New Options Found

Specialists from Cisco Talos have been actively tracking several malicious campaigns that use the NetSupport RAT for persistent attacks. These campaigns evade detection through obfuscation techniques and frequent updates.

In November 2023, security vendors discovered a new campaign using the NetSupport RAT, which employed fake browser updates to trick users into downloading and executing malicious code. That code then runs PowerShell commands to install the NetSupport agent on the victim's system, giving the attackers continued access.

By January 2024, researchers at eSentire had released another analysis of the same campaign, highlighting changes in the initial JavaScript code and in the agent's installation paths. These alterations reflect the attackers' efforts to improve their evasion and obfuscation methods.

Cisco Talos conducted its own examination and uncovered numerous obfuscation and evasion tactics employed by the campaign. Armed with this knowledge, it developed accurate detection tools to help users protect themselves. Talos leverages open-source tools such as Snort and ClamAV to build effective detection and protection mechanisms.

NetSupport Manager has been in use since 1989 for remote device control, but since 2017 cybercriminals have repurposed it for their own illicit activities. The shift to remote work in the 2020s saw a rise in the use of the NetSupport RAT in phishing attacks and other cybercrime.

Malicious payloads can be distributed through various methods such as malicious ads, iframes, or scripts embedded in websites. Additionally, vulnerabilities in browsers or plugins like Flash or Java can be exploited to silently install malware without the user’s knowledge.

These attacks aim to steal personal data, banking information, deploy spyware, or carry out other illegal actions. The primary defense against such threats is to regularly update browsers and plugins, utilize antivirus software, and avoid visiting dubious websites.
