Distribution of NetSupport Malware Using Email – ASEC BLOG

NetSupport RAT is being used by various threat actors. These are distributed through spam emails and phishing pages disguised as documents such as Invoices, shipment documents, and PO (purchase orders). Distribution via phishing pages has been covered on this Blog in the past. [1]

AhnLab Security Emergency response Center(ASEC) discovered NetSupport RAT being distributed via a spear phishing email that has recently been in circulation. This post will cover the action flow from its distribution via phishing emails and its detection.

Figure 1 shows the body of the phishing email through which NetSupport RAT was distributed. A malicious javascript file is compressed and attached to the mail under the file name “scan16431643.zip”. The threat actor led the target to open this malicious file attachment by deceiving the users with a checklist item file regarding audits. The attached compressed file (scan16431643.zip) contains a malicious javascript with the file name “scan16431643.js” as shown in Figure 2.

Figure 1. Body of the phishing emails through which NetSupport RAT was distributed

Figure 2. Malicious javascript (scan16431643.js) inside the attached compressed file (scan16431643.zip)

Figure 3 shows a portion of the malicious javascript (scan16431643.js). Some strings are obfuscated. It connects to 3 normal websites to check the internet connection of the victim. When the connection fails, the malware is terminated.

Figure 3. Internet connection check feature of the malicious javascript (scan16431643.js)

When the internet connection attempt is successful, the malware connects to the C2 and downloads and executes an additional Powershell script as shown in Figure 4. This part also has the code obfuscated.

Figure 4. A feature in the malicious javascript (scan16431643.js) for downloading and executing a Powershell script from the C2

Figure 5 shows the diagram of the threat detection which occurred in an environment where this malware was executed. With the AMSI feature, even obfuscated javascript scripts can yield decrypted data such as Powershell commands and the C2 address to attempt connection to (“mjventas.com[/]reconts[.]php”) through strings collected through the AMSI buffer. AMSI(Anti-Malware Scan Interface) is a standard of multi-purpose interfaces which allows application programs and services to be integrated with antivirus products.

Figure 5. EDR detection diagram (identification of the script decrypted through AMSI)

Figure 6 shows the additional Powershell script downloaded from the C2. This script is executed without being copied to a local directory. This Powershell script downloads NetSupport RAT and saves it under the file name “client32.exe” in the TimeUTCSync_(Random Number) folder under the %Appdata% directory, and registers it to a registry key to ensure that it is automatically executed when the system is booted up.

Figure 6 Additional Powershell script downloaded from the C2.

The additionally downloaded Powershell script is not saved as a file in a local path, but as shown in Figure 7, can be identified in the EDR process execution history.

Figure 7. EDR process tree (identification of the Powershell script)

In this post, we covered the distribution method of NetSupport RAT being distributed via email using evidential data from EDR. The threat actor carefully disguises the distribution email as invoices, shipment documents, PO (purchase orders), and even uses a disguised audit checklist as shown in the body of the email. Thus it is difficult to distinguish email from normal emails by just examining the body of text, so users must always be cautious and check email attachments before opening them to see if there are file extensions that allow malware to be executed.

[IOC]

  • [Behavior Detection]
    Execution/EDR.Powershell.M11170
    Execution/MDP.Powershell.M10668
  • [File Detection]
    Trojan/JS.Agent.SC189783 (2023.06.15.02)
  • URL & C2
    hxxps[:]//mjventas[.]com[/]reconts[.]php (For downloading an additional Powershell script)
    hxxps[:]//qualityzer[.]com[/]index1[.]php (For downloading NetSupport RAT)

More details about AhnLab EDR which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis can be found here on the AhnLab page.

Source: https://asec.ahnlab.com/en/55146/