FireEye security experts have found that hackers are leveraging compromised websites to distribute fake updates for popular software used to deliver NetSupport Manager RAT.
NetSupport is an off-the-shelf RAT which system admins could use for remote administration of computers. Cyber criminals used to abuse this legitimate application to deploy malware on users’ PCs.
Recently, the security experts at FireEye have registered a hacking campaign which has been active for the past few months and has been leveraging compromised websites to spread fake updates for popular software (i.e. Adobe Flash, Chrome, and FireFox) that were also used to deliver the NetSupport Manager remote access tool (RAT).
“Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool (RAT).” the FireEye analysis states.
“The operator behind these campaigns uses compromised sites to spread fake updates masquerading as Adobe Flash, Chrome, and FireFox updates.”
“Since the malware uses the caller and callee function code to derive the key, if the analyst adds or removes anything from the first or second layer script, the script will not be able to retrieve the key and will terminate with an exception.” the analysis reads.
The step2 function gathers and encodes various system information and sends it to the server after that: computer name, user name, architecture, processors, OS, domain, BIOS version, manufacturer, model, anti-spyware product, anti-virus product, MAC address, keyboard, pointing device, display controller configuration, and process list.
Then, the server responds with a function called step3 and Update.js, which is the script to downloads and executes the final payload.
- 7za.exe: 7zip standalone executable
- LogList.rtf: Password-protected archive file
- Upd.cmd: Batch script to install the NetSupport Client
- Downloads.txt: List of IPs (possibly the infected systems)
- Get.php: Downloads LogList.rtf
The tasks performed by the script are:
1. Extract the archive using the 7zip executable with the password mentioned in the script.
2. After extraction, delete the downloaded archive file (loglist.rtf).
3. Disable Windows Error Reporting and App Compatibility.
4. Add the remote control client executable to the firewall’s allowed program list.
5. Run remote control tool (client32.exe).
6. Add Run registry entry with the name “ManifestStore” or downloads shortcut file to Startup folder.
7. Hide the files using attributes.
8. Delete all the artifacts (7zip executable, script, archive file).
Hackers use the NetSupport Manager to gain remote access to the compromised systems and control it.