Netsupport

Malware updated a day ago (2024-11-20T18:06:46.783Z)
NetSupport is legitimate remote access software that various cybercriminal groups have repurposed as malware. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate systems through deceptive downloads, emails, or websites, often without the user's knowledge. Once installed, it can steal personal data, disrupt system operations, or even hold data for ransom. Other notable malware, such as BlackBasta ransomware, IcedID, Cobalt Strike, Ligolo-NG, and CryptOne, has also been used alongside NetSupport.

The NetSupport Remote Access Trojan (RAT) works by connecting to a Command and Control (C2) server and notifying the threat actors that the infected PC is ready for unauthorized access. That access may be used directly by the attackers or sold on the dark web. A typical NetSupport RAT C2 connection is initialized using multiple keys and values contained in a "Client.ini" configuration file. Additionally, the malware appends "/fakeurl.htm" to the C2 IP address to establish its C2 connection.

In recent attacks, the final payload delivered to victims was a ZIP archive containing all the files needed to run NetSupport RAT. Delivery was achieved through a series of JavaScript files that ultimately download, extract, and execute the RAT. Despite their simplicity, the malicious emails carrying NetSupport RAT have managed to bypass email security measures. Notably, the cybercriminal group FIN7 has deployed the malware alongside Lumma Stealer, the world's most common infostealer, and Redline, a credential-stealing malware.
Description last updated: 2024-11-15T16:09:21.883Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

Netsupport Manager is a possible alias for Netsupport (5 votes). NetSupport Manager is malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. The malware has been detected by InsightIDR Attacker Behavio

Netsupport Rat is a possible alias for Netsupport (5 votes). NetSupport RAT is malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operations
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Tool
Payload
Ransomware
Windows
Vulnerability
Chrome
Wordpress
Infostealer
Exploit
Trojan
Phishing
Associated Malware
DarkGate is associated with Netsupport (association type: Unspecified; 3 votes). DarkGate is multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio

QakBot is associated with Netsupport (association type: Unspecified; 3 votes). Qakbot is malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d

Vidar is associated with Netsupport (association type: Unspecified; 2 votes). Vidar is malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw

SocGholish is associated with Netsupport (association type: Unspecified; 2 votes). SocGholish is malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof

Lumma Stealer is associated with Netsupport (association type: Unspecified; 2 votes). Lumma Stealer is potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was di

IcedID is associated with Netsupport (association type: Unspecified; 2 votes). IcedID is malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d
Associated Threat Actors
BattleRoyal is associated with Netsupport (association type: Unspecified; 3 votes). BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen

FIN7 is associated with Netsupport (association type: Unspecified; 2 votes). FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global
Source Document References
Information about the Netsupport malware was read from the document corpus below. This display is limited to 20 results.

Source (created)
Unit42 (6 days ago)
BankInfoSecurity (2 months ago)
DARKReading (2 months ago)
CERT-EU (9 months ago)
DARKReading (5 months ago)
SANS ISC (5 months ago)
DARKReading (8 months ago)
CERT-EU (9 months ago)
CERT-EU (a year ago)
CERT-EU (9 months ago)
CERT-EU (10 months ago)
Trend Micro (2 years ago)
SecurityIntelligence.com (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
CERT-EU (2 years ago)
CERT-EU (a year ago)