Weaponization of NetSupport RAT: Tactics, Techniques, and Procedures
- Mohnish Singh
- Oct 2, 2024
NetSupport RAT, derived from the legitimate remote access tool NetSupport Manager, has become a prominent Remote Access Trojan (RAT) exploited by cybercriminals. This malware enables attackers to gain unauthorized control over infected systems, often using social engineering tactics to lure victims into downloading the malicious software.
NetSupport Manager began 30 years ago as genuine software for remote technical support. The tool allowed file transfers, support chat, inventory management, and remote access. Although it is legitimate software, threat actors have used it in recent years as a Remote Access Trojan (RAT), most notably in 2020, when it was spread via a massive COVID-19 phishing campaign. The delivery mechanisms for NetSupport RAT include fraudulent updates, drive-by downloads, malware loaders (such as GhostPulse), and various forms of phishing campaigns.
Overview of NetSupport RAT
Legitimate Origins: NetSupport Manager was developed for remote technical support, allowing IT professionals to manage systems remotely. However, its capabilities have been repurposed by threat actors for malicious activities since at least 2016. The software provides extensive control over target devices, including real-time screen monitoring, data exfiltration, and the ability to execute additional payloads.
Recent Campaigns: Recent reports indicate a surge in NetSupport RAT infections, particularly targeting sectors like education, government, and business services. Attackers have employed various methods to distribute the RAT, including fake browser updates and phishing campaigns. For instance, a recent campaign used a Pokémon-themed lure to entice users into downloading the trojanized client.

Infection Mechanisms
NetSupport RAT is typically delivered through:
- Fake Software Updates: Victims are tricked into downloading the RAT via deceptive browser update prompts on compromised websites.
- Phishing Emails: Attackers have utilized phishing emails disguised as legitimate communications (e.g., package shipment notifications) to deliver the malware.
- Malicious Websites: Some campaigns host fake games or services that require users to download the RAT under the guise of legitimate software.
Once installed, the RAT can establish persistence on the infected system by modifying registry entries and creating start-up shortcuts, ensuring it runs automatically upon system boot.

Detection and Defense
Security measures against NetSupport RAT include:
- Behavioral Analysis: Tools like Carbon Black utilize behavioral detection techniques to identify suspicious activities associated with the RAT.
- Threat Intelligence Integration: Security solutions incorporate threat intelligence feeds to recognize known indicators of compromise (IOCs) related to NetSupport RAT.
- Real-time Monitoring: Continuous monitoring allows for immediate response to detected threats, minimizing potential damage from infections.
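As an added illustration of behavioral detection (not code from the original post or from any vendor), the sketch below flags the persistence pattern described under Infection Mechanisms: autorun registry values and Startup-folder shortcuts tied to user-writable paths. The event records are constructed and their field names are hypothetical, loosely modelled on endpoint registry-set and file-create telemetry; the client file name `client32.exe` is an assumption that the page does not state.

```python
import re

# Autorun locations named in the persistence step: Run/RunOnce keys and the Startup folder.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# Directories a standard user can write to; installed support tools normally live elsewhere.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads)\\", re.I)
CLIENT_NAME = "client32.exe"  # assumption: stock NetSupport client binary name

def flag_persistence(events):
    """Return (severity, location, subject) for autorun changes tied to user-writable paths."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY.search(ev["target"]):
            location, subject = "Run key", ev["details"]      # value data = program to start
        elif ev["type"] == "file_create" and STARTUP_LNK.search(ev["target"]):
            location, subject = "Startup folder", ev["image"]  # process that wrote the .lnk
        else:
            continue
        if not USER_WRITABLE.search(subject):
            continue
        severity = "high" if CLIENT_NAME in subject.lower() else "medium"
        findings.append((severity, location, subject))
    return findings

# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\Updater\client32.exe"},
    {"type": "file_create",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
     "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"type": "registry_set",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r'"C:\Program Files\Vendor\agent.exe"'},
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-0\Software\Vendor\Settings\CachePath",
     "details": r"C:\Users\alice\AppData\Local\Vendor\cache"},
]

if __name__ == "__main__":
    for finding in flag_persistence(SAMPLE_EVENTS):
        print(finding)
```

Environments that deploy NetSupport Manager legitimately would allowlist its managed install path, so that only copies running from unexpected locations are flagged.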
Conclusion
The misuse of NetSupport Manager as a Remote Access Trojan highlights the ongoing challenge of securing legitimate software against exploitation by malicious actors. Organizations must remain vigilant through robust security practices and user education to mitigate the risks associated with such threats. The persistence of NetSupport RAT in cybercriminal campaigns underscores the need for continuous adaptation in cybersecurity strategies.