Threat Research

An In-Depth Analysis of the NetSupport RAT Campaign through DNS Insights

CircleID

Short Summary:

The article discusses the NetSupport RAT, a remote access trojan used by advanced persistent threat (APT) groups. It highlights the challenges in detecting and removing such malware, along with an analysis of its indicators of compromise (IoCs) and associated artifacts identified by security researchers.

Key Points:

  • NetSupport RAT is a weaponized version of the legitimate NetSupport Manager tool.
  • It has been utilized in at least two significant campaigns since its emergence in 2023.
  • Security researchers identified nine initial IoCs, which were narrowed down to seven for further analysis.
  • The IoCs were registered across five different registrars, with GoDaddy.com LLC managing the majority.
  • The U.S. was the leading country for registrants, with additional domains registered in India and Vietnam.
  • Historical WHOIS records revealed additional email-connected domains and artifacts related to the IoCs.
  • The article emphasizes the importance of thorough investigations in threat detection and response.

MITRE ATT&CK TTPs – created by AI

  • Remote Access Tools (T1219)
    • Procedures:
      • NetSupport RAT utilized for remote access and control of compromised systems.
  • Domain Generation Algorithms (T1483)
    • Procedures:
      • Use of domain names as IoCs to evade detection.
  • Credential Dumping (T1003)
    • Procedures:
      • Potential use of email addresses from WHOIS records for further attacks.
Protect your privacy:  Get NordVPNDeal: 73% off 2-year plans + 3 extra months

Remote access trojans (RATs) can be considered the malware of choice by the world’s most notorious advanced persistent threat (APT) groups. And there’s a good reason for that. They are hard to detect, making them ideal for lateral movement, and also difficult to get rid of.

Talos recently published a detailed analysis of one such tool dubbed “NetSupport RAT.” This particular RAT is a weaponized version of NetSupport Manager, a legitimate remote device administration tool that has been commercially available since 1989. Its malicious counterpart, on the other hand, has been around since 2023. To date, NetSupport RAT has been used in at least two massive campaigns.

Since then, security researchers have been tracking the RAT’s development and latest activities. An in-depth analysis of the tool involved in the latest campaign identified nine domain names as indicators of compromise (IoCs).

The WhoisXML API research team expanded the list of IoCs to identify other potentially connected artifacts, namely:

  • 239 email-connected domains based on the current and historical WHOIS records
  • 1,010 registrant-connected domains
  • Three IP addresses, all of which turned out to be malicious
  • Two string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the NetSupport RAT IoCs

As is our usual first step, we sought to find more information about the IoCs security researchers have already identified, specifically nine domain names.

A bulk WHOIS lookup for the nine domain IoCs revealed that:

  • Only seven of them had current WHOIS record details, reducing the number of IoCs for further analysis from nine to seven.
  • The seven domain IoCs were distributed among five registrars led by GoDaddy.com LLC, which administered three. One domain IoC each was administered by BigRock Solutions Ltd.; GMO Internet, Inc.; Rebel Ltd.; and Register.com, Inc.
  • The seven domain IoCs were created between 2002 and 2024. They were evenly distributed (i.e., one IoC per year), which could be an effective evasion tactic in that security teams would find it hard to zoom in on specific time frames while threat hunting.
  • The U.S. was the top registrant country, accounting for four domain IoCs. One domain IoC each was registered in India and Vietnam. Finally, one domain IoC did not have a registrant country in its current WHOIS record.
  • Two domain IoCs had public registrant names.

NetSupport RAT DNS Deep Dive Findings

We began our hunt for connected artifacts by querying the seven domain IoCs on WHOIS History API. That led to the discovery of 12 email addresses in their historical WHOIS records after filtering out duplicates. Four were public email addresses.

Querying the four public email addresses on Reverse WHOIS API came next. The step revealed that only three of them appeared in the current WHOIS records of other domains. Specifically, we uncovered 17 email-connected domains after we filtered out duplicates and the IoCs.

To see if there were other email-connected domains, we queried the four public email addresses this time using Reverse WHOIS Search on the Domain Research Suite (DRS). That enabled us to find 222 domains whose historical WHOIS records contained the email addresses. Note that the number excluded duplicates, the IoCs, and the domains with the email addresses in their current WHOIS records.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

Source: Original Post

Tags: DISCOVERY, APT, LATERAL MOVEMENT, TOOL, full, TROJAN, EMAIL, HUNTING