
NetSupport RAT (Trojan) – Malware

February 10, 2025

NetSupport RAT

Type of Malware

Trojan

Date of initial activity

2013

Motivation

Cyberwarfare
Espionage

Attack Vectors

Phishing
Software Vulnerabilities

Targeted Systems

Windows

Overview

NetSupport RAT (Remote Access Trojan) is a powerful and versatile malware that has been actively exploited by cybercriminals since its inception. Originally designed as a legitimate remote administration tool for IT support, NetSupport RAT has become a favored weapon for threat actors targeting organizations worldwide. Its ability to provide unauthorized access to infected systems, alongside its extensive array of malicious capabilities, makes it a significant threat to both individuals and enterprises alike. Despite its commercial origins, the tool’s malicious use cases have made it a prominent fixture in many cyberattack campaigns, especially those leveraging social engineering tactics such as phishing and drive-by downloads.

The NetSupport RAT is typically delivered through malicious attachments, compromised websites, or fake software updates. Once installed, it allows attackers to remotely control infected systems, monitor user activity, steal sensitive data, and execute additional malicious payloads. Its modular design and stealthy nature enable it to evade detection by conventional security tools, which makes it a persistent and evolving threat. The malware is continuously updated by cybercriminals to bypass security measures, with obfuscation techniques and polymorphic components that complicate traditional detection methods.

NetSupport RAT’s history is a testament to the growing use of commercially available remote access tools in cyberattacks. Initially used by legitimate IT professionals for managing remote systems, it was quickly co-opted by malicious actors seeking to exploit its functionality for unauthorized control. The rise of remote work in the 2020s has further fueled the malware’s popularity, as threat actors exploit the increasing reliance on remote access tools.

As attacks involving NetSupport RAT continue to evolve, security professionals must remain vigilant, utilizing advanced detection strategies to identify and mitigate this highly adaptable and persistent threat.

Targets

Information

How they operate

Upon execution, NetSupport RAT begins its operation by exploiting a variety of techniques to ensure its persistence on the system. One common method is to modify system configurations, such as adding itself to the system’s registry or creating scheduled tasks that ensure it runs every time the system reboots or the user logs in. These modifications help the malware survive reboots and continue operating in the background without detection. In some instances, NetSupport RAT can even modify critical system processes, making it harder for security solutions to identify and remove it. The malware often runs in the background under a legitimate system process name, which further aids its evasion tactics.

Once active, NetSupport RAT opens a remote connection to the attacker’s C2 server, establishing a command channel that can be used to send and receive instructions. The malware uses this channel to execute a variety of malicious commands, which include gathering system information, logging keystrokes, capturing screenshots, and even spying on the user through their webcam and microphone. NetSupport RAT can also download and execute additional malicious payloads, further compromising the target system. In addition, the malware allows attackers to browse files on the infected system, upload or download files, and even manipulate system settings, giving the attacker full control over the machine.

NetSupport RAT is also known for its ability to evade detection. The malware employs multiple techniques to hide its presence on the compromised system, including obfuscating its code to avoid detection by antivirus software. It may also disable or bypass security measures, such as firewalls and antivirus programs, to avoid being blocked. To further protect itself, NetSupport RAT can disguise itself as a legitimate system file, often hiding under innocuous names or processes, making it harder for traditional detection methods to identify it. Additionally, the malware communicates with its C2 server through encrypted channels, which helps to avoid network-level detection by intrusion detection systems (IDS) and firewalls.

In terms of lateral movement, NetSupport RAT is capable of spreading across networks by exploiting remote desktop services and other network protocols. The malware can scan the network for other vulnerable machines and deploy itself on them, allowing the attacker to broaden their control over the targeted network. This makes NetSupport RAT a valuable tool for cybercriminals aiming to launch large-scale attacks or expand the scope of their operations.

Another crucial aspect of NetSupport RAT’s functionality is its ability to facilitate data exfiltration. Using the same C2 communication channel, the malware can collect sensitive data from the infected machine and send it back to the attacker. This data can include usernames, passwords, financial details, and other valuable information, which may then be used for further exploitation or sold on the dark web. The malware’s ability to operate covertly and exfiltrate data without detection makes it particularly dangerous for individuals and organizations alike.

NetSupport RAT is a prime example of a Remote Access Trojan that operates on a technical level through multiple stages and methods to maintain persistence, evade detection, and perform a variety of malicious actions. From initial infection through phishing to its ability to manipulate system settings, execute commands, and exfiltrate data, the malware demonstrates the growing sophistication of modern cyberattacks. Its ability to adapt to different environments and stay hidden while granting attackers full access to a compromised system makes it a potent tool for cybercriminals, requiring vigilant cybersecurity defenses to detect and mitigate its impact.
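The registry and scheduled-task persistence and the use of legitimate-looking process names described above can be hunted by triaging autostart entries. The following is an added example, not code from the original page: it runs over constructed sample records, and the binary name client32.exe (the NetSupport Manager client), the directory lists and the function names are assumptions of this example.

```python
import ntpath

# Constructed sample autostart records (source, entry name, command line); not real telemetry.
SAMPLE_AUTOSTARTS = [
    ("HKCU Run key", "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("HKCU Run key", "Updater", r"C:\Users\alice\AppData\Roaming\SupportKit\client32.exe"),
    ("Scheduled task", "SysHost", r"C:\ProgramData\cache\svchost.exe -k netsvcs"),
    ("HKLM Run key", "NetSupport", r'"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"'),
    ("Scheduled task", "Sync", r"C:\Users\bob\AppData\Local\Temp\sync.exe"),
]

# Assumptions of this example (not taken from the page); tune them per environment.
REMOTE_ADMIN_BINARIES = {"client32.exe"}  # NetSupport Manager client binary name
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

def image_path(command):
    """Return the executable path from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: cut after the first ".exe" so paths containing spaces survive.
    end = command.lower().find(".exe")
    return command[:end + 4] if end != -1 else command.split(" ", 1)[0]

def findings(command):
    """List the reasons an autostart command line deserves analyst attention."""
    path = image_path(command).lower()
    directory, name = ntpath.split(path)
    reasons = []
    if any(part in path for part in USER_WRITABLE):
        reasons.append("autostart from user-writable directory")
    if name in REMOTE_ADMIN_BINARIES and not path.startswith(INSTALL_DIRS):
        reasons.append("remote-admin client outside its install directory")
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        reasons.append("system process name outside Windows directories")
    return reasons

def triage(records):
    """Map entry name -> reasons for every record with at least one finding."""
    return {entry: r for _, entry, cmd in records if (r := findings(cmd))}

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_AUTOSTARTS).items():
        print(f"{entry}: {'; '.join(reasons)}")
```

A properly installed copy of the remote-administration client under Program Files is deliberately not flagged, so the output separates sanctioned IT use from copies dropped into user-writable locations.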

MITRE Tactics and Techniques

Initial Access

  • Phishing (T1566): NetSupport RAT is often delivered via phishing emails that contain malicious attachments or links. The attacker may masquerade as a trusted entity to convince the victim to open the attachment or click the link, which then installs the RAT on the system.
  • Drive-by Compromise (T1189): NetSupport RAT can also be delivered through compromised websites, where users unknowingly download the malware by visiting a malicious site.

Execution

  • User Execution (T1204): The malware may require user interaction to execute, such as opening an infected attachment or running a malicious script.
  • Command and Scripting Interpreter (T1059): NetSupport RAT can execute commands remotely on the infected machine, typically through a command-line interface, allowing the attacker to gain control of the system.

Persistence

  • Boot or Logon Autostart Execution (T1547): To maintain persistence, NetSupport RAT may use autostart methods like adding registry keys or creating scheduled tasks that allow the malware to execute when the system boots or the user logs in.
  • Create or Modify System Process (T1543): The malware can create or modify system processes to ensure it is always running in the background, even after system reboots.

Privilege Escalation

  • Exploitation for Privilege Escalation (T1068): NetSupport RAT can exploit system vulnerabilities to escalate privileges and gain higher-level access to the target system, allowing attackers to operate with greater control.
  • Abuse Elevation Control Mechanism (T1548): The RAT can also manipulate system configurations, such as exploiting weak or misconfigured permissions to escalate privileges.

Defense Evasion

  • Obfuscated Files or Information (T1027): NetSupport RAT uses various obfuscation techniques to disguise its malicious code, making it more difficult for traditional antivirus solutions to detect.
  • Disabling Security Tools (T1089): The RAT may attempt to disable security measures, such as antivirus software or firewalls, to evade detection and maintain control over the system.

Credential Access

  • Credential Dumping (T1003): NetSupport RAT may gather login credentials from the system, such as stored passwords, by exploiting the victim’s local environment or through the execution of system commands.

Discovery

  • System Information Discovery (T1082): Once installed, the malware collects information about the victim’s system, including hardware details, installed software, and user accounts, to help attackers understand the environment.
  • Network Service Scanning (T1046): The malware may scan the network for additional systems or services that could be targeted or exploited in further stages of the attack.

Lateral Movement

  • Remote Services (T1021): NetSupport RAT can facilitate lateral movement within an infected network by exploiting remote desktop protocols or other remote services to spread to additional machines.

Exfiltration

  • Exfiltration Over Command and Control Channel (T1041): Data exfiltration is often conducted over the same command and control (C2) channels that the RAT uses to communicate with the attacker, allowing the attacker to steal sensitive data without detection.

Impact

  • Data Destruction (T1485): In some cases, NetSupport RAT can be used to destroy or encrypt data on the compromised machine, either as a secondary goal of the attack or as part of a broader campaign.

Reference:
  • Detecting evolving threats: NetSupport RAT campaign