Netsupport

Malware Profile Updated a month ago
NetSupport is malware, a remote access trojan (RAT), that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data hostage for ransom. It has been observed alongside tools such as CobaltStrike and Ligolo-NG, it was used in a fall attack involving CryptOne, and a Vidar infostealer from March 2023 also employed NetSupport.

The PhantomBlu campaign represents a novel delivery method for the NetSupport RAT: it uses encrypted .doc files to deliver the RAT via Object Linking and Embedding (OLE) templates, a departure from the tactics typically associated with NetSupport RAT deployments. In one instance, attackers impersonated an accounting service in emails inviting recipients to download a Microsoft Office Word file, which ultimately delivered the NetSupport RAT.

Once installed on a victim's device, NetSupport can monitor behavior, capture keystrokes, transfer files, take control of system resources, and spread to other devices within the network. The NetSupport RAT operates by connecting to a command and control (C2) server, notifying the threat actors that the infected PC is ready for unauthorized access; this access can be used directly by the threat actors or sold on the dark web.

The IP address of the NetSupport Manager (the C2) can be found in the client32.ini file. This file, along with others such as client1.7z and client2.7z, contains the keys and values that initialize the NetSupport RAT connection to its C2. In addition, the Wireshark output shows "/fakeurl.htm" appended to the IP address, further confirming that IP address as the C2 for the NetSupport RAT sample.
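The two C2 indicators the profile describes (the gateway address in client32.ini and the "/fakeurl.htm" request seen in Wireshark) can be pulled out and cross-checked during triage. This is an added example, not code from the profile or from NetSupport; the key names GatewayAddress and SecondaryGateway are assumed from NetSupport Manager's HTTP-gateway configuration, and the ini fragment and request records are constructed.

```python
"""Triage helper for the NetSupport C2 indicators in the profile above: pull the
gateway (C2) addresses from a client32.ini and flag HTTP requests for /fakeurl.htm.
Key names GatewayAddress/SecondaryGateway are an assumption; all sample data is constructed."""
import configparser
import re

# Constructed client32.ini fragment (203.0.113.0/24 is documentation address space).
SAMPLE_INI = """\
[Client]
Quiet=1
[HTTP]
GatewayAddress=203.0.113.10:443
SecondaryGateway=203.0.113.11:443
Port=443
"""

# Constructed request records in the form "<dst-host> <method> <path>".
SAMPLE_REQUESTS = [
    "203.0.113.10 POST /fakeurl.htm",
    "198.51.100.7 GET /index.html",
    "203.0.113.11 POST /fakeurl.htm",
]

# The profile notes "/fakeurl.htm" appended to the C2 IP in the Wireshark output.
FAKEURL = re.compile(r"^(?P<host>\S+)\s+[A-Z]+\s+/fakeurl\.htm(?:\?|$)")


def extract_gateways(ini_text: str) -> list[str]:
    """Return the [HTTP] gateway host:port values, primary first."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    if not cp.has_section("HTTP"):
        return []
    values = (cp["HTTP"].get(k, "").strip() for k in ("GatewayAddress", "SecondaryGateway"))
    return [v for v in values if v]


def find_fakeurl_hosts(lines: list[str]) -> dict[str, int]:
    """Count /fakeurl.htm requests per destination host."""
    counts: dict[str, int] = {}
    for line in lines:
        m = FAKEURL.match(line.strip())
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


def correlate(ini_text: str, lines: list[str]) -> list[str]:
    """Hosts that are both configured gateways and seen receiving /fakeurl.htm."""
    gateway_hosts = {g.rsplit(":", 1)[0] for g in extract_gateways(ini_text)}
    return sorted(h for h in find_fakeurl_hosts(lines) if h in gateway_hosts)
```

A host that appears in both sets is a strong match for the C2 described in the profile; a /fakeurl.htm request to a host absent from the ini is still worth a look, since the configured gateway may differ between samples.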
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Netsupport Rat | 5 | NetSupport RAT is a type of malware that can significantly compromise an organization's digital security. Originally derived from the legitimate NetSupport Manager, a remote technical support tool, this malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to t
Netsupport Manager | 4 | NetSupport Manager is a malicious software (malware) that poses significant threats to computer systems and networks. It is often disguised as legitimate software or tools, such as the 7-zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once
Blackbasta | 1 | BlackBasta is a highly malicious software, or malware, known for its damaging effects on computer systems and devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once it has gained access, BlackBasta can steal personal information, disrup
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Rat
Malware
Phishing
Exploit
Ransomware
Wordpress
Payload
Windows
Vulnerability
Scam
Loader
Evasive
Infiltration
Botnet
Beacon
T1221
Chrome
Outlook
Downloader
Malware Loader
Ddos
Trojan
Denial of Se...
Implant
Infostealer
Malware Payl...
Proofpoint
Lateral_move...
Associated Malware
ID | Type | Votes | Profile Description
QakBot | Unspecified | 3 | Qakbot, also known as QBot, is a versatile piece of malware capable of executing several malicious activities such as brute-forcing, web injects, and loading other types of malware. It's often used to steal credentials and gather information, with the cybercriminal group Black Basta being one notabl
Darkgate | Unspecified | 3 | DarkGate is a malicious software (malware) known for its harmful impact on computer systems and devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data host
Vidar | Unspecified | 2 | Vidar is a Windows-based malware written in C++, known as an infostealer due to its ability to steal personal information from infected systems. It has been leveraged by cybercriminals alongside other malicious software like Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoade
Socgholish | Unspecified | 2 | SocGholish is a harmful malware known for its deceptive methods of infection, often impersonating legitimate browser updates to distribute Remote Access Trojans. This malicious software infiltrates systems through suspicious downloads, emails, or websites, typically without the user's knowledge. Onc
IcedID | Unspecified | 2 | IcedID is a type of malware, or malicious software, designed to exploit and harm computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, IcedID can steal personal information, disrupt operations, or even hold dat
Carbanak | Unspecified | 1 | Carbanak is a notorious malware, short for malicious software, known for its destructive capabilities. This harmful program infiltrates systems via suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or even hold data hostage for ransom. The initial payl
Gracewire | Unspecified | 1 | Gracewire is a potent malware that has been deployed by threat actors to exploit and damage computer systems. It is typically delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations,
Lumma Stealer | Unspecified | 1 | Lumma Stealer is a malicious software, or malware, that targets cryptocurrency wallets and browser user data. It has been particularly prevalent in the gaming community, with cracked video games and cheating tools often found to contain infostealer malware such as Lumma Stealer and RedLine Stealer.
Gozi | Unspecified | 1 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Redline Stealer | Unspecified | 1 | RedLine Stealer is a malicious software that was used to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. In July 2023, Unit 42 conducted an analysis of a RedLine Stealer infection using Wireshark, a network protocol analyzer. The analysis in
Smoke Loader | Unspecified | 1 | Smoke Loader is a prominent type of malware identified by the SCPC SSSCIP, used in recent attacks primarily targeting Ukrainian organizations. This malicious software is often delivered via IPFS links by malware families such as Smoke Loader, XLoader, XMRig, and OriginLogger, disrupting operations a
Fatalrat | Unspecified | 1 | FatalRAT, also known as Sainbox, is a variant of the Gh0st RAT malware that targets Windows platforms. Initially identified by Proofpoint in 2020, it has become popular with the PurpleFox threat actor group. Once infiltrated into a system, FatalRAT can log keystrokes and download and install additio
Solarmarker | Unspecified | 1 | SolarMarker, also known as Yellow Cockatoo, Polazert, and Jupyter Infostealer, is a sophisticated malware designed to steal information. It has been evolving since 2020 and has been active in various campaigns since 2021. The malware relies heavily on web delivery, using search engine optimization (
Cryptone | Unspecified | 1 | CryptOne is a Delphi-based crypter malware, dating back to 2015, that has been frequently used by various malicious software families such as Gozi, Dridex, NetWalker, and WastedLocker. This crypter is reportedly offered as a Crypter-As-A-Service and it's capable of detecting and disabling a list of
client32.exe | Unspecified | 1 | None
Sectop Rat | Unspecified | 1 | None
Matanbuchus | Unspecified | 1 | Matanbuchus is a malicious software (malware) that has been actively used in various cyberattacks since July 16, 2022. Initially identified as part of a malspam campaign by Unit 42 in February 2023, it was believed to be a possible drop from the PikaBot malware. However, subsequent analysis revealed
Lumma | Unspecified | 1 | Lumma is a malicious software (malware) that has been identified as an information stealer, and it has been observed in various cybercrime activities. It infects systems through suspicious downloads, emails, or websites, often without the victim's knowledge. Once inside, Lumma can steal personal inf
Fakeupdates | Unspecified | 1 | FakeUpdates, also known as SocGholish, is a JavaScript-based malware that targets Microsoft Windows environments and primarily infects systems through deceptive means such as fake browser updates. The malicious software was first identified over five years ago in a campaign that exploited compromise
Royal Ransomware | Unspecified | 1 | Royal Ransomware is a type of malware that has been causing significant disruptions in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and ability to kill processes withi
Associated Threat Actors
ID | Type | Votes | Profile Description
Battleroyal | Unspecified | 3 | BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen
Carbon Spider | Unspecified | 1 | CARBON SPIDER, also known as FIN7 and Sangria Tempest, is a threat actor that has been active in the eCrime space since approximately 2013. This criminally motivated group primarily targets the hospitality and retail sectors with the aim of obtaining payment card data. The group has been linked to s
Sangria Tempest | Unspecified | 1 | Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russian advanced persistent threat (APT) group is known for its malicious activities, including spear-phishing campaigns, malware distribution, and theft of payment card data. In m
FIN7 | Unspecified | 1 | FIN7, a known threat actor in the cybersecurity world, has been recognized for its malicious activities against various entities. This group, which could be an individual, a private company, or part of a government body, is notorious for executing actions with harmful intent. One notable instance of
Lace Tempest | Unspecified | 1 | Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi
ITG23 | Unspecified | 1 | ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the NetSupport malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | a month ago | Cut & Paste Tactics Import Malware to Unwitting Victims
SANS ISC | a month ago | New NetSupport Campaign Delivered Through MSIX Packages - SANS Internet Storm Center
DARKReading | 4 months ago | 'PhantomBlu' Cyberattackers Backdoor Microsoft Office Users via OLE
CERT-EU | 4 months ago | Car Insurance Emails Drives for NetSupport RAT Infection – Global Security Mag Online
CERT-EU | 7 months ago | BattleRoyal Cybercrime Group Spreads DarkGate Malware | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 5 months ago | Advanced CyberChef Techniques for Configuration Extraction - Detailed Walkthrough and Examples
CERT-EU | 6 months ago | Windows SmartScreen bug exploited to deliver powerful info-stealer (CVE-2023-36025) - Help Net Security
Trend Micro | a year ago | New OpcJacker Malware Distributed via Fake VPN Malvertising
SecurityIntelligence.com | a year ago | The Trickbot/Conti Crypters: Where Are They Now?
CERT-EU | a year ago | Fake Chrome Browser Update Installs NetSupport Manager RAT
CERT-EU | 8 months ago | Security Brief: TA571 Delivers IcedID Forked Loader | Proofpoint US
CERT-EU | a year ago | Ransomware Surges in Nuspire’s Q2 2023 Threat Report
InfoSecurity-magazine | a year ago | Four in Five Cyber-Attacks Powered by Just Three Malware Loaders
CERT-EU | a year ago | The 3 Malware Loaders Behind 80% of Incidents - ReliaQuest
CERT-EU | a year ago | Nuspire’s Q1 2023 Cyber Threat Report Shows Spike in Exploits, Botnets and Malware
CERT-EU | 6 months ago | Microsoft disables online Windows App Installer after attackers abuse it | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 6 months ago | Microsoft Disables App Installer After Feature is Abused for Malware
Securityaffairs | 6 months ago | Security Affairs newsletter Round 452 by Pierluigi Paganini
CERT-EU | 6 months ago | Security Affairs newsletter Round 452 by Pierluigi Paganini | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 6 months ago | Financially motivated threat actors misusing App Installer | Microsoft Security Blog