Detecting evolving threats: NetSupport RAT campaign
Aug. 2, 2024, 8:32 a.m.
Description
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfuscation methods and leveraging indicators of compromise, security researchers have developed effective detection mechanisms. The report delves into the various stages of the campaign, including the initial JavaScript stager, the PowerShell dropper, and the final NetSupport RAT payload delivery. It also provides insights into the detection methodologies employed by Cisco Talos, utilizing open-source tools like Snort for network-level detection and ClamAV for malware scanning.
Date
Published: Aug. 2, 2024, 8:25 a.m.
Created: Aug. 2, 2024, 8:25 a.m.
Modified: Aug. 2, 2024, 8:32 a.m.
Indicators
6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a
3b587d0c311e8ebc3bb104d564235c41ef8e64592c7419f17f48e0cee9ebc878
01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e
Attack Patterns
NetSupport RAT
T1003.001
T1218.005
T1564.003
T1059.005
T1547.001
T1059.007
T1562.001
T1140
T1027