NetSupport Manager, a legitimate tool for remote device management, has been repurposed by threat actors as a Remote Access Trojan (RAT) to conduct a range of malicious activities. The software’s broad feature set and easy availability make it a preferred choice among cybercriminals, who use it to gain unauthorized control over target devices. Cisco Talos has closely monitored recent campaigns involving NetSupport RAT, in which attackers use intricate evasion tactics and continuous obfuscation updates to bypass traditional detection methods. By hiding payloads within JavaScript and PowerShell scripts, attackers have created a multi-stage infection process that combines obfuscation with diverse delivery mechanisms, increasing the RAT’s resilience against detection.
The infection process typically begins when a user encounters malicious ads or compromised websites containing a JavaScript downloader, which initiates the first stage. This downloader executes an obfuscated PowerShell script that extracts the RAT payload and establishes persistence on the victim’s device. The payload, essentially a portable installation of NetSupport Manager, is embedded with additional scripts to enhance stealth and evade detection. Recent versions of this malware have incorporated randomized installation paths and more sophisticated obfuscation in the initial stager, making detection even more challenging.
Cisco Talos observed that the attackers continually refine these evasion methods, adjusting each version to counter evolving security measures, and has responded by developing advanced detection strategies. Using tools like Snort, Talos created fast-pattern-only rules and HTTP service inspections that identify and block malicious activity before it reaches endpoints. These rules are designed to detect distinctive features of the RAT’s deployment, such as the registry entries used for persistence and the typical PowerShell flags that facilitate installation. By combining static and behavioral detection techniques, Cisco Talos aims to build a comprehensive defense capable of intercepting the RAT across a broad range of protocols and attack surfaces. Open-source tools like Snort and Sigma provide an additional advantage by enabling real-time tracking of malicious campaigns and allowing prompt response to newly identified indicators of compromise.
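As an added illustration (not Talos’ rules or code from the article), the following Python applies the two detection ideas above to constructed endpoint telemetry: PowerShell command lines carrying the hidden-window, policy-bypass, encoded-command and download switches typical of the stager, and a Run-key autorun that launches the NetSupport client from a user-writable directory. The switch patterns, the path heuristic, the two-indicator threshold and the client binary name `client32.exe` are this example’s own assumptions, and the sample events are made up.

```python
import re

# Indicators drawn from the chain described above: hidden-window PowerShell that
# decodes or downloads a stage, and a Run-key entry launching the NetSupport client
# from a user-writable path. Abbreviated switches (-w, -ep, -enc) are accepted
# because PowerShell accepts them. All patterns here are this example's assumptions.
PS_INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass":   re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "no_profile":      re.compile(r"-no(?:p|profile)\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "downloader":      re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\Public)\\", re.I)
NETSUPPORT_CLIENT = "client32.exe"  # assumption: name of the NetSupport Manager client binary


def powershell_indicators(cmdline: str) -> list[str]:
    """Return the names of stager indicators present in a PowerShell command line."""
    return [name for name, rx in PS_INDICATORS.items() if rx.search(cmdline)]


def is_netsupport_autorun(key: str, data: str) -> bool:
    """True when a Run-key value starts the NetSupport client from a user-writable path."""
    return bool(RUN_KEY.search(key)) and NETSUPPORT_CLIENT in data.lower() and bool(USER_WRITABLE.search(data))


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, verdict) for matching events; at least two PowerShell indicators required."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe"):
            found = powershell_indicators(ev["cmdline"])
            if len(found) >= 2:
                hits.append((i, "powershell_stager:" + ",".join(found)))
        elif ev["type"] == "registry" and is_netsupport_autorun(ev["key"], ev["data"]):
            hits.append((i, "netsupport_persistence"))
    return hits


# Constructed sample telemetry (not real events); paths, folder names and the encoded blob are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Roaming\r7k2q\client32.exe"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_EVENTS):
        print(idx, verdict)
```

Running it flags only the first process event (four stager indicators) and the HKCU autorun; the benign PowerShell call and the vendor updater under Program Files are left alone.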
NetSupport RAT continues to be an active threat, with attackers exploiting its legitimate attributes to disguise malicious intent and reach a broader array of targets. Cisco Talos’ analysis highlights the growing trend of reusing commercial software in cybercrime, as these tools often evade initial scrutiny due to their legitimate origins. While threat actors persist in refining obfuscation tactics, Talos’ multi-faceted approach — from pattern-based detection to behavioral analysis — offers a robust solution to combat this persistent but not highly advanced threat. The findings underscore the importance of proactive detection and collaborative security efforts to keep pace with evolving threats like NetSupport RAT, ensuring that organizations can swiftly identify and mitigate malicious activity.