NetSupport RAT evolves: hundreds of new variants discovered

How hackers adapted legitimate software for remote management of infected devices.

Cisco Talos specialists actively monitor several malicious campaigns that use NetSupport RAT for persistent infections. These campaigns avoid detection through obfuscation and updates.

In November 2023, security vendors revealed a new NetSupport RAT campaign that used fake browser updates to trick users into downloading malicious code. This code downloads and executes PowerShell commands that install the NetSupport agent on the victim's machine to maintain persistence.

In January 2024, eSentire researchers published another analysis of the same campaign, revealing changes in the source JavaScript code and the agent installation path. These changes demonstrate the attackers' desire to improve their obfuscation and evasion techniques.

Cisco Talos conducted its own analysis and identified many obfuscation and evasion techniques used in the campaign. Thanks to this knowledge, it was possible to create accurate detection tools that help users protect themselves. Talos uses open-source tools such as Snort and ClamAV to develop detection and protection methods.

NetSupport Manager has been around since 1989 and is used for remote device management. However, since 2017, attackers have been using it for their own purposes. The shift to remote work in the 2020s has led to an increase in the use of NetSupport RAT in phishing and drive-by attacks. This campaign is one of the most significant in recent years, with hundreds of variants of malicious uploaders used in a large-scale advertising campaign.

The first stage of the campaign is a JavaScript file downloaded from advertising sites or hacked resources. This file is obfuscated and contains the loader for the next stage. The second stage is a PowerShell script that loads and runs the NetSupport agent and keeps it persistent through the system registry.

Snort rules are used to detect the campaign: they identify the malicious files and their transmission over various protocols. These rules also help track PowerShell activity and other signs that NetSupport RAT is present.

Continuous improvement of malware and attack tactics requires continuous vigilance and adaptation from cybersecurity specialists. It is important to remember that even legitimate tools can be used by hackers, so critical thinking and caution when interacting with any online resources are now becoming key skills for every user.
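The two stages described above (a script file that launches PowerShell, then an agent kept persistent through the registry) leave endpoint telemetry that a defender can correlate per host. The following Python code is an added example, not part of the original post and not Talos's Snort or ClamAV content; the event field names, host names and file paths are assumptions, and the sample events are constructed.

```python
import re

# Constructed, simplified process-creation and registry-write events (not campaign data).
# client32.exe is the NetSupport Manager client binary name; the paths are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    {"host": "ws-01", "type": "process", "parent": r"C:\Windows\System32\wscript.exe", "image": PS},
    {"host": "ws-01", "type": "registry", "key": "HKU\\S-1-5-21-0" + RUN + "\\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\Updater\client32.exe"},
    {"host": "ws-02", "type": "process", "parent": r"C:\Windows\explorer.exe", "image": PS},
    {"host": "ws-03", "type": "registry", "key": "HKLM" + RUN + "\\SecurityHealth",
     "value": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"host": "ws-04", "type": "registry", "key": "HKU\\S-1-5-21-0" + RUN + "\\Sync",
     "value": r"C:\ProgramData\Sync\sync.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows hosts that run .js files
RUN_KEY = re.compile(re.escape(RUN) + r"\\[^\\]+$", re.I)  # a value directly under Run
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the stage label an event matches, or None."""
    if event["type"] == "process":
        if (basename(event["parent"]) in SCRIPT_HOSTS
                and basename(event["image"]) == "powershell.exe"):
            return "script_host_spawned_powershell"
    elif event["type"] == "registry":
        if RUN_KEY.search(event["key"]) and USER_WRITABLE.search(event["value"]):
            return "run_key_to_user_writable_path"
    return None

def triage(events):
    """Group stage hits per host; a host showing both stages is high priority."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(ev["host"], set()).add(label)
    return {host: ("high" if len(s) == 2 else "review") for host, s in hits.items()}

if __name__ == "__main__":
    print(triage(EVENTS))
```

A single stage on its own is common in benign software, which is why only hosts showing both are rated high.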
