| NetSupport RAT | |
| --- | --- |
| Type of Malware | Trojan |
| Date of initial activity | 2013 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
NetSupport RAT (Remote Access Trojan) is a powerful and versatile tool that cybercriminals have long abused as malware. Originally designed as a legitimate remote administration tool for IT support, NetSupport RAT has become a favored weapon for threat actors targeting organizations worldwide. Its ability to provide unauthorized access to infected systems, alongside its extensive array of capabilities, makes it a significant threat to individuals and enterprises alike. Despite its commercial origins, its malicious use has made it a prominent fixture in many cyberattack campaigns, especially those that rely on social engineering tactics such as phishing and drive-by downloads.
NetSupport RAT is typically delivered through malicious attachments, compromised websites, or fake software updates. Once installed, it allows attackers to remotely control infected systems, monitor user activity, steal sensitive data, and execute additional malicious payloads. Its modular design and stealthy nature enable it to evade detection by conventional security tools, which makes it a persistent and evolving threat. Cybercriminals update the malware continuously to bypass security measures, using obfuscation techniques and polymorphic components that complicate traditional detection methods.
NetSupport RAT’s history is a testament to the growing use of commercially available remote access tools in cyberattacks. Initially used by legitimate IT professionals for managing remote systems, it was quickly co-opted by malicious actors seeking to exploit its functionality for unauthorized control. The rise of remote work in the 2020s has further fueled the malware’s popularity, as threat actors exploit the increasing reliance on remote access tools. As attacks involving NetSupport RAT continue to evolve, security professionals must remain vigilant, utilizing advanced detection strategies to identify and mitigate this highly adaptable and persistent threat.
Targets
Information
How they operate
Upon execution, NetSupport RAT uses a variety of techniques to establish persistence on the system. One common method is to modify system configuration, such as adding itself to registry autostart keys or creating scheduled tasks, so that it runs every time the system reboots or the user logs in. These modifications let the malware survive reboots and keep operating in the background without being noticed. In some instances, NetSupport RAT can even modify critical system processes, making it harder for security solutions to identify and remove it. The malware often runs in the background under a legitimate system process name, which further aids its evasion.
Once active, NetSupport RAT opens a remote connection to the attacker’s C2 server, establishing a command channel that can be used to send and receive instructions. The malware uses this channel to execute a variety of malicious commands, which include gathering system information, logging keystrokes, capturing screenshots, and even spying on the user through their webcam and microphone. NetSupport RAT can also download and execute additional malicious payloads, further compromising the target system. In addition, the malware allows attackers to browse files on the infected system, upload or download files, and even manipulate system settings, giving the attacker full control over the machine.
NetSupport RAT is also known for its ability to evade detection. The malware employs multiple techniques to hide its presence on the compromised system, including obfuscating its code to avoid detection by antivirus software. It may also disable or bypass security measures, such as firewalls and antivirus programs, to avoid being blocked. To further protect itself, NetSupport RAT can disguise itself as a legitimate system file, often hiding under innocuous names or processes, making it harder for traditional detection methods to identify it. Additionally, the malware communicates with its C2 server through encrypted channels, which helps to avoid network-level detection by intrusion detection systems (IDS) and firewalls.
In terms of lateral movement, NetSupport RAT is capable of spreading across networks by exploiting remote desktop services and other network protocols. The malware can scan the network for other vulnerable machines and deploy itself on them, allowing the attacker to broaden their control over the targeted network. This makes NetSupport RAT a valuable tool for cybercriminals aiming to launch large-scale attacks or expand the scope of their operations.
Another crucial aspect of NetSupport RAT’s functionality is its ability to facilitate data exfiltration. Using the same C2 communication channel, the malware can collect sensitive data from the infected machine and send it back to the attacker. This data can include usernames, passwords, financial details, and other valuable information, which may then be used for further exploitation or sold on the dark web. The malware’s ability to operate covertly and exfiltrate data without detection makes it particularly dangerous for individuals and organizations alike.
NetSupport RAT is a prime example of a Remote Access Trojan that operates in multiple stages, using several methods to maintain persistence, evade detection, and perform a variety of malicious actions. From initial infection through phishing to its ability to manipulate system settings, execute commands, and exfiltrate data, the malware demonstrates the growing sophistication of modern cyberattacks. Its ability to adapt to different environments and stay hidden while granting attackers full access to a compromised system makes it a potent tool for cybercriminals, requiring vigilant cybersecurity defenses to detect and mitigate its impact.
MITRE Tactics and Techniques
Initial Access
Phishing (T1566): NetSupport RAT is often delivered via phishing emails that contain malicious attachments or links. The attacker may masquerade as a trusted entity to convince the victim to open the attachment or click the link, which then installs the RAT on the system.
Drive-by Compromise (T1189): NetSupport RAT can also be delivered through compromised websites, where users unknowingly download the malware by visiting a malicious site.
Execution
User Execution (T1204): The malware may require user interaction to execute, such as opening an infected attachment or running a malicious script.
Command and Scripting Interpreter (T1059): NetSupport RAT can execute commands remotely on the infected machine, typically through a command-line interface, allowing the attacker to gain control of the system.
Persistence
Boot or Logon Autostart Execution (T1547): To maintain persistence, NetSupport RAT may use autostart methods like adding registry keys or creating scheduled tasks that allow the malware to execute when the system boots or the user logs in.
Create or Modify System Process (T1543): The malware can create or modify system processes to ensure it is always running in the background, even after system reboots.
Privilege Escalation
Exploitation for Privilege Escalation (T1068): NetSupport RAT can exploit system vulnerabilities to escalate privileges and gain higher-level access to the target system, allowing attackers to operate with greater control.
Abuse Elevation Control Mechanism (T1548): The RAT can also manipulate system configurations, such as exploiting weak or misconfigured permissions to escalate privileges.
Defense Evasion
Obfuscated Files or Information (T1027): NetSupport RAT uses various obfuscation techniques to disguise its malicious code, making it more difficult for traditional antivirus solutions to detect.
Disabling Security Tools (T1089): The RAT may attempt to disable security measures, such as antivirus software or firewalls, to evade detection and maintain control over the system.
Credential Access
Credential Dumping (T1003): NetSupport RAT may gather login credentials from the system, such as stored passwords, by exploiting the victim’s local environment or through the execution of system commands.
Discovery
System Information Discovery (T1082): Once installed, the malware collects information about the victim’s system, including hardware details, installed software, and user accounts, to help attackers understand the environment.
Network Service Scanning (T1046): The malware may scan the network for additional systems or services that could be targeted or exploited in further stages of the attack.
Lateral Movement
Remote Services (T1021): NetSupport RAT can facilitate lateral movement within an infected network by exploiting remote desktop protocols or other remote services to spread to additional machines.
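The scan-and-spread behaviour described under How they operate and under T1046/T1021 shows up in network telemetry as fan-out: one host opening remote-service connections to many distinct internal hosts in a short window. The Python below is an added example, not from this page or any vendor tooling; it runs a sliding-window detector over constructed flow records embedded inline. The port-to-service mapping, window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports for the remote services the page names as spreading paths (assumed mapping).
REMOTE_SERVICE_PORTS = {3389: "RDP", 445: "SMB", 5985: "WinRM"}

# Constructed flow records (timestamp, src, dst, dst_port); not real telemetry.
# 10.0.1.15 reaches nine different hosts on RDP within nine seconds, while
# 10.0.1.40 is an admin workstation reaching one server twice, an hour apart.
SAMPLE_FLOWS = [
    (f"2024-05-01T10:00:{i:02d}", "10.0.1.15", f"10.0.1.{20 + i}", 3389) for i in range(1, 10)
] + [
    ("2024-05-01T10:05:00", "10.0.1.40", "10.0.1.5", 3389),
    ("2024-05-01T11:05:00", "10.0.1.40", "10.0.1.5", 3389),
    ("2024-05-01T10:00:03", "10.0.1.15", "10.0.1.99", 443),  # web traffic, ignored
]


def detect_fanout(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: (service, peak distinct targets)} for every source that reaches
    at least `threshold` distinct hosts on one remote-service port inside `window`."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in REMOTE_SERVICE_PORTS:
            by_key[(src, port)].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for (src, port), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # drop events from the left until the window spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            n = len({dst for _, dst in events[start:end + 1]})
            if n >= threshold and n > alerts.get(src, ("", 0))[1]:
                alerts[src] = (REMOTE_SERVICE_PORTS[port], n)
    return alerts
```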
Exfiltration
Exfiltration Over Command and Control Channel (T1041): Data exfiltration is often conducted over the same command and control (C2) channels that the RAT uses to communicate with the attacker, allowing the attacker to steal sensitive data without detection.
Impact
Data Destruction (T1485): In some cases, NetSupport RAT can be used to destroy or encrypt data on the compromised machine, either as a secondary goal of the attack or as part of a broader campaign.