Researchers at FireEye have spotted a hacking campaign leveraging compromised websites to spread fake updates for popular software that were also used to deliver the NetSupport Manager RAT.
NetSupport is an off-the-shelf RAT that could be used by system admins for remote administration of computers. In the past, crooks abuse this legitimate application to deploy malware on victim’s machines.
Researchers at FireEye have spotted a hacking campaign that has been active for the past few months and that has been leveraging compromised websites to spread fake updates for popular software (i.e. Adobe Flash, Chrome, and FireFox) that were also used to deliver the NetSupport Manager remote access tool (RAT).
“Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool (RAT).” reads the analysis published by FireEye.
“The operator behind these campaigns uses compromised sites to spread fake updates masquerading as Adobe Flash, Chrome, and FireFox updates.”
“since the malware uses the caller and callee function code to derive the key, if the analyst adds or removes anything from the first or second layer script, the script will not be able to retrieve the key and will terminate with an exception.” continue the analysis.
The step2 function collects and encodes various system information, then sends it to the server: architecture, computer name, user name, processors, OS, domain, manufacturer, model, BIOS version, anti-spyware product, anti-virus product, MAC address, keyboard, pointing device, display controller configuration, and process list.
The server then responds with a function named step3 and Update.js, which it the script to downloads and executes the final payload.
- 7za.exe: 7zip standalone executable
- LogList.rtf: Password-protected archive file
- Upd.cmd: Batch script to install the NetSupport Client
- Downloads.txt: List of IPs (possibly the infected systems)
- Get.php: Downloads LogList.rtf
The script performs the following tasks:
- Extract the archive using the 7zip executable with the password mentioned in the script.
- After extraction, delete the downloaded archive file (loglist.rtf).
- Disable Windows Error Reporting and App Compatibility.
- Add the remote control client executable to the firewall’s allowed program list.
- Run remote control tool (client32.exe).
- Add Run registry entry with the name “ManifestStore” or downloads shortcut file to Startup folder.
- Hide the files using attributes.
- Delete all the artifacts (7zip executable, script, archive file).
Attackers use the NetSupport Manager to gain remote access to the compromised systems and control it.
Further details, including the IOCs are reported in the analysis.
(Security Affairs – NetSupport RAT, hacking)