NetSupport Manager is a legitimate remote control tool that home and corporate users install to administer systems remotely. Because it gives an external operator full control over a system, however, it is also abused by many threat actors.
Unlike backdoors and RATs (Remote Access Trojans), which are mostly command-line based, remote control tools (Remote Administration Tools) emphasize user-friendliness and therefore offer a remote desktop, that is, a GUI environment. Even though they were not developed with malicious intent, once installed on an infected system they can be used by threat actors for malicious purposes such as installing additional malware or stealing information.
Because remote control tools, unlike purpose-built backdoors, are used by countless legitimate users, they are easily recognized as normal programs. This gives attackers two advantages: a normal program is less likely to be flagged by security software, and it lets them take over the infected system through a GUI environment.
The following ASEC blog post covers cases where various remote control tools such as AnyDesk, TeamViewer, Ammyy Admin, and Tmate were used in attacks.
The downloaded file carries both a disguised icon and disguised version information, so users are prone to mistaking it for a game program and running it.
While the installed NetSupport-related programs are themselves normal programs, the threat actor's C&C server address is included in the "client32.ini" configuration file, as shown below. When NetSupport is executed, it reads this configuration file, connects to the threat actor's NetSupport server, and then allows the operator to control the infected system.
There was also a variant that, instead of installing the NetSupport client "client32.exe" in the installation directory, creates a file named "csvs.exe" disguised as the normal Windows program svchost.exe. While the icon and file size differ, the internal routines and PDB information show that it is a "client32.exe" modified by the threat actor to bypass detection.
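The two indicators described above, a C&C address written into client32.ini and a client binary renamed to csvs.exe, can both be checked from a file listing and the INI text. The script below is an added example written for this page; it is not ASEC's or NetSupport's own code. It assumes the commonly documented client32.ini layout (a `[HTTP]` section with `GatewayAddress` and a `[Client]` section with `silent`/`SysTray`/`SKMode`/`DisableChat` keys); the sample INI text, the directory listing, and the allowlist of approved gateway hosts are constructed for the example.

```python
"""Flag NetSupport deployments whose client32.ini points at an unapproved
gateway, whose settings hide the client from the user, or whose install
directory holds client32.ini without client32.exe (the renamed-binary case).
Added example; key names follow the documented client32.ini layout (assumption)."""
import configparser
from typing import List

# Constructed sample resembling a client32.ini dropped with the RAT.
SAMPLE_INI = """\
[Client]
_present=1
Protocols=3
SysTray=0
silent=1
SKMode=1
DisableChat=1
DisableAudio=1
[HTTP]
CMPI=60
GatewayAddress=203.0.113.45:443
Port=443
"""

# Constructed allowlist: a real deployment lists its own NetSupport gateway(s).
APPROVED_GATEWAYS = {"nsm-gateway.corp.example"}

# Settings that make the client invisible to the logged-on user; a helpdesk
# deployment rarely needs all of them at once (assumed key semantics).
STEALTH_KEYS = {"silent": "1", "SysTray": "0", "SKMode": "1", "DisableChat": "1"}


def parse_client32_ini(text: str) -> configparser.ConfigParser:
    # Plain key=value INI; keep key case exactly as written in the file.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def gateway_host(cfg: configparser.ConfigParser) -> str:
    # GatewayAddress is "host:port"; return only the host part.
    addr = cfg.get("HTTP", "GatewayAddress", fallback="")
    return addr.rsplit(":", 1)[0] if addr else ""


def assess_ini(text: str) -> List[str]:
    """Return human-readable findings for one client32.ini body."""
    cfg = parse_client32_ini(text)
    findings: List[str] = []
    host = gateway_host(cfg)
    if host and host not in APPROVED_GATEWAYS:
        findings.append(f"unapproved gateway {host}")
    stealth = [k for k, v in STEALTH_KEYS.items()
               if cfg.get("Client", k, fallback=None) == v]
    if len(stealth) >= 3:
        findings.append("stealth settings: " + ",".join(stealth))
    return findings


def assess_install_dir(filenames: List[str]) -> List[str]:
    """Flag a directory that holds client32.ini but no client32.exe; the
    csvs.exe variant described above looks exactly like this on disk."""
    names = {n.lower() for n in filenames}
    findings: List[str] = []
    if "client32.ini" in names and "client32.exe" not in names:
        exes = sorted(n for n in names if n.endswith(".exe"))
        findings.append("client32.ini without client32.exe; executables: "
                        + ", ".join(exes))
    return findings


if __name__ == "__main__":
    for f in assess_ini(SAMPLE_INI):
        print("INI:", f)
    # Constructed listing matching the renamed-binary variant.
    for f in assess_install_dir(["client32.ini", "csvs.exe", "pcicapi.dll"]):
        print("DIR:", f)
```

In practice the INI text comes from the suspect directory (or from an EDR file-collection job) and the allowlist from the organisation's known NetSupport gateway hosts; anything else, combined with the silent/tray-hidden settings, is worth a closer look.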
NetSupport RAT is used by various threat actors. In recent major cases it has been distributed through spam emails disguised as invoices, shipment documents, and purchase orders. Additionally, in the second half of the year, there was a case where users were led to install the malware themselves from a phishing page disguised as an update page for software called SocGholish.
Once NetSupport RAT is installed, the threat actor gains control over the infected system. The features NetSupport supports by default include not only remote screen control but also system control features such as screen capture, clipboard sharing, collection of web history, file management, and command execution. The threat actor can therefore perform a range of malicious actions, such as stealing user credentials and installing additional malware.
Recently, threat actors have been abusing widely used remote control tools such as NetSupport in their attacks. When a system is infected with such remote control malware, it is taken over by the threat actor and exposed to damage such as information theft and the installation of additional malware.
When installing software from external sources, users are advised to purchase or download it from the official website and to refrain from opening attachments in suspicious emails. Users should also apply the latest patches to programs such as their OS and web browsers, and update V3 to the latest version, to prevent malware infection in advance.
– Dropper/Win.NetSupport.C5345365 (2022.12.30.01)
– Malware/Win.Generic.C5339867 (2022.12.23.03)
– Malware/Win.Generic.C5335414 (2022.12.17.01)
– Malware/Win.Generic.C5333592 (2022.12.15.01)
– Malware/Win.Malware-gen.C5331507 (2022.12.13.02)
– Trojan/Win.NetSupport.C5345361 (2022.12.30.01)
– Backdoor/Text.NetSupport (2022.12.30.02)
– 097051905db43d636c3f71f3b2037e02 : NetSupport RAT dropper (PokemonBetaGame.exe)
– 1dc87bfb3613d605c9914d11a67e2c94 : NetSupport RAT dropper disguised as a Pokemon card game
– 5e6b966167c7fd13433929e774f038ee : NetSupport RAT dropper disguised as a Pokemon card game
– a9dba73b0cf1c26008fc9203684c6c22 : NetSupport RAT dropper disguised as a Pokemon card game
– adbe1069f82a076c48f79386812c1409 : NetSupport RAT dropper disguised as a Pokemon card game
– fcdc884dd581701367b284ad302efe4d : NetSupport RAT dropper disguised as a Pokemon card game
– ed68e69534ebdf6c8aa1398da032c147 : NetSupport RAT dropper disguised as Visual Studio (source.sdf)
– e7792e09b0283b87b9de37b3420f69d5 : NetSupport RAT dropper disguised as a Pokemon card game (creates csvs.exe)
– 7ca97fe166c4d8a23d7d9505d9fcc1c0 : Patched client32.exe (csvs.exe)
– 59048c3248025a7d4c7c643d9cf317a5 : NetSupport configuration file (client32.ini)
– f26b26f6d29a4e584bd85f216b8254b9 : NetSupport configuration file (client32.ini)