Detecting evolving threats: NetSupport RAT campaign
Aug. 2, 2024, 8:32 a.m.
Description
This analysis examines a recent malware campaign that uses NetSupport RAT, a legitimate remote administration tool, to establish persistent infections. The threat actors behind the campaign rely on obfuscation techniques and updates to their tooling to evade detection. However, by identifying weaknesses in those obfuscation methods and leveraging indicators of compromise, security researchers have developed effective detection mechanisms. The report covers each stage of the campaign: the initial JavaScript stager, the PowerShell dropper, and the final delivery of the NetSupport RAT payload. It also describes the detection methods Cisco Talos employed, using open-source tools such as Snort for network-level detection and ClamAV for malware scanning.
Tags
Date
- Created: Aug. 2, 2024, 8:25 a.m.
- Published: Aug. 2, 2024, 8:25 a.m.
- Modified: Aug. 2, 2024, 8:32 a.m.
Indicators
- 6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a
- 3b587d0c311e8ebc3bb104d564235c41ef8e64592c7419f17f48e0cee9ebc878
- 01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e
Attack Patterns
- NetSupport RAT
- T1003.001
- T1218.005
- T1564.003
- T1059.005
- T1547.001
- T1059.007
- T1562.001
- T1140
- T1027