NetSupport RAT is being used by various threat actors. It is distributed through spam emails and phishing pages disguised as documents such as invoices, shipment documents, and purchase orders (PO). Distribution via phishing pages has been covered on this blog in the past.
AhnLab Security Emergency response Center (ASEC) discovered NetSupport RAT being distributed via a spear-phishing email that has recently been in circulation. This post covers the flow of activity from its distribution via the phishing email through to its detection.
When the internet connection attempt succeeds, the malware connects to the C2 and downloads and executes an additional PowerShell script, as shown in Figure 4. This part of the code is obfuscated as well.
Figure 6 shows the additional PowerShell script downloaded from the C2. This script is executed without being copied to a local directory. It downloads NetSupport RAT, saves it under the file name “client32.exe” in a TimeUTCSync_(Random Number) folder under the %Appdata% directory, and registers it to a registry key so that it is executed automatically when the system boots.
The additionally downloaded PowerShell script is not saved as a file in a local path, but it can be identified in the EDR process execution history, as shown in Figure 7.
In this post, we covered the distribution method of NetSupport RAT via email using evidential data from EDR. The threat actor carefully disguises the distribution email as invoices, shipment documents, and purchase orders (PO), and even uses a disguised audit checklist in the body of the email. It is therefore difficult to distinguish these emails from legitimate ones by examining the body text alone, so users must always be cautious and check email attachments before opening them for file extensions that allow malware to be executed.
- [Behavior Detection]
- [File Detection]
- URL & C2
hxxps[:]//mjventas[.]com[/]reconts[.]php (For downloading an additional Powershell script)
hxxps[:]//qualityzer[.]com[/]index1[.]php (For downloading NetSupport RAT)
More details about AhnLab EDR, which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis, can be found on the AhnLab page.