Detecting evolving threats: NetSupport RAT campaign

Aug. 2, 2024, 8:32 a.m.

Description

This analysis examines a recent malware campaign that uses NetSupport RAT, a legitimate remote administration tool, to maintain persistent access to infected hosts. The threat actors behind the campaign rely on obfuscation and ongoing updates to evade detection; nonetheless, by identifying weaknesses in those obfuscation methods and leveraging indicators of compromise, security researchers have developed effective detection mechanisms. The report covers the stages of the campaign, including the initial JavaScript stager, the PowerShell dropper, and the final delivery of the NetSupport RAT payload. It also describes the detection methodologies employed by Cisco Talos, using open-source tools such as Snort for network-level detection and ClamAV for malware scanning.

Date

Published: Aug. 2, 2024, 8:25 a.m.

Created: Aug. 2, 2024, 8:25 a.m.

Modified: Aug. 2, 2024, 8:32 a.m.

Indicators

6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a

3b587d0c311e8ebc3bb104d564235c41ef8e64592c7419f17f48e0cee9ebc878

01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e

Attack Patterns

NetSupport RAT

T1003.001

T1218.005

T1564.003

T1059.005

T1547.001

T1059.007

T1562.001

T1140

T1027