NetSupport RAT Clickfix Distribution

eSentire has reported a surge in incidents involving the NetSupport Remote Access Trojan (RAT), which grants attackers full control over infected hosts. The rise in attacks is attributed to the ClickFix Initial Access Vector, where victims are tricked into executing malicious PowerShell commands. Organizations are urged to reinforce security measures to counter this threat. Affected: NetSupport RAT, Cybersecurity, IT Operations

Key points:

  • NetSupport RAT allows attackers full control over the victim’s computer, facilitating monitoring and data theft.
  • Recent incidents have shown a rise in the use of ClickFix IAV to deliver NetSupport RAT.
  • Organizations are recommended to improve security controls and user awareness regarding social engineering tactics.
  • eSentire’s MDR for Network and Endpoint is capable of detecting NetSupport RAT activity.
  • Threat hunts for IOCs are being actively performed across customer environments.
  • Block lists are being updated with IP addresses linked to attacks.
  • Organizations should limit user permissions and provide trusted sources for software downloads.
  • Preventive measures include disabling certain executables via Group Policy Objects (GPO).

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Use of HTTPS for command-and-control communication.
  • T1193 – Spear Phishing Link: Users are socially engineered to execute malicious PowerShell commands via phishing tactics.
  • T1203 – Exploitation for Client Execution: User execution of malicious scripts is exploited through ClickFix.
  • T1064 – Scripting: Utilization of PowerShell scripts to download and run the NetSupport RAT client.

Indicators of Compromise:

  • [URL] hxxp://eveverify[.]com/captcha.html
  • [Domain] eveverify[.]com
  • [URL] hxxp://findkik[.]com/Ray-verify.html
  • [Domain] findkik[.]com
  • [URL] hxxps://92[.]255[.]85[.]135/fakeurl.htm
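
An added example (not eSentire's code) of the IOC hunt mentioned in the key points: it refangs the indicators listed above and matches them against web proxy log lines by parsed hostname and path, so a domain that only appears in a query string or as part of a lookalike name does not produce a hit. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as listed above.
DEFANGED_IOCS = [
    "hxxp://eveverify[.]com/captcha.html", "eveverify[.]com",
    "hxxp://findkik[.]com/Ray-verify.html", "findkik[.]com",
    "hxxps://92[.]255[.]85[.]135/fakeurl.htm",
]

def refang(ioc):  # restore the matchable form of a defanged indicator
    return ioc.replace("[.]", ".").replace("hxxp", "http", 1)

def build_indicators(defanged):
    """Split indicators into a host set and a (host, path) set."""
    hosts, urls = set(), set()
    for item in map(refang, defanged):
        parts = urlsplit(item if "://" in item else "//" + item)
        hosts.add(parts.hostname)
        if parts.path:
            urls.add((parts.hostname, parts.path))
    return hosts, urls

def host_matches(host, bad_hosts):  # exact host or subdomain, never a substring
    return any(host == b or host.endswith("." + b) for b in bad_hosts)

def hunt(log_lines, defanged=DEFANGED_IOCS):
    """Return (line_number, match_type, url) for each URL touching an IoC."""
    bad_hosts, bad_urls = build_indicators(defanged)
    hits = []
    for n, line in enumerate(log_lines, 1):
        for url in re.findall(r"https?://[^\s\"']+", line):
            parts = urlsplit(url)
            host = (parts.hostname or "").rstrip(".")
            if host_matches(host, bad_hosts):
                kind = "exact-url" if (host, parts.path) in bad_urls else "host-only"
                hits.append((n, kind, url))
    return hits

# Constructed proxy log lines (timestamp, client, method, URL, status).
SAMPLE_LOG = [
    "2025-01-01T10:00:01Z 10.0.0.5 GET http://eveverify.com/captcha.html 200",
    "2025-01-01T10:00:02Z 10.0.0.5 GET https://example.org/?ref=findkik.com 200",
    "2025-01-01T10:00:03Z 10.0.0.7 GET http://cdn.findkik.com/a.js 200",
    "2025-01-01T10:00:04Z 10.0.0.9 GET https://92.255.85.135/fakeurl.htm 200",
    "2025-01-01T10:00:05Z 10.0.0.9 GET http://notfindkik.com/ 200",
]

if __name__ == "__main__": print(*hunt(SAMPLE_LOG), sep="\n")
```

An "exact-url" hit means the request reached a listed landing or C2 path; a "host-only" hit is contact with a listed host on a different path and is still worth triage.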

Full Story: https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution