Netsupport

Malware updated 24 days ago (2024-10-03T23:01:53.830Z)
NetSupport Manager is legitimate remote access software that has been repurposed as a malware tool by various threat actors. It is often deployed alongside other malicious software such as BlackBasta ransomware, IcedID and, occasionally, Lumma Stealer, the most common infostealer in the world today. Systems are typically infected through suspicious downloads, emails, or websites, often without the user's awareness. Once inside, the tool can be used to steal personal information, disrupt operations, or even hold data hostage for ransom. Notably, NetSupport was used during a Royal ransomware attack and has been employed by former ITG23 members and affiliates in their cyberattacks.

The infection process of the NetSupport RAT (Remote Access Trojan) is multi-staged. It begins with the download of a JavaScript file from a malicious website; this initial file retrieves, downloads, and runs further JavaScript payloads across several stages, which in turn deploy NetSupport RAT. Ultimately, a ZIP archive containing all files needed to run NetSupport RAT is downloaded, extracted, and executed on the victim's computer. Once operational, NetSupport RAT beacons out to a command and control (C2) server, notifying the threat actors that the PC is ready for unauthorized access.

Detection and monitoring of such attacks are possible through tools like InsightIDR Attacker Behavior Analytics, which identify suspicious processes and file modifications indicative of attacker activity. In one observed case, for instance, the attacker used the 7-Zip compression utility together with the NetSupport Manager remote access tool. It is important to note that while NetSupport RAT is used for malicious purposes in these instances, NetSupport itself is a legitimate remote software company. The malicious emails analyzed in these scenarios are often basic, yet they still manage to bypass email security systems.
Description last updated: 2024-10-03T22:15:34.838Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes

Netsupport Rat | 5 votes
Netsupport Rat is a possible alias for Netsupport. NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operations

Netsupport Manager | 4 votes
Netsupport Manager is a possible alias for Netsupport. NetSupport Manager is a malicious software (malware) that poses significant threats to computer systems and networks. It is often disguised as legitimate software or tools, such as the 7-zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Ransomware
Windows
Vulnerability
Exploit
Infostealer
Wordpress
Tool
Trojan
Phishing
Payload
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes

QakBot | Association type: Unspecified | 3 votes
The QakBot Malware is associated with Netsupport. Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includin

Darkgate | Association type: Unspecified | 3 votes
The Darkgate Malware is associated with Netsupport. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio

Lumma Stealer | Association type: Unspecified | 2 votes
The Lumma Stealer Malware is associated with Netsupport. Lumma Stealer is a highly sophisticated malware variant known for its extensive data-harvesting capabilities. It is designed to steal sensitive information such as passwords, card details, cryptocurrency wallets, and browser session cookies from infected devices. Lumma Stealer employs a DLL side-loa

IcedID | Association type: Unspecified | 2 votes
The IcedID Malware is associated with Netsupport. IcedID is a prominent malware that has been utilized in various cyber-attacks. It functions as a malicious software designed to infiltrate and damage computer systems, often through suspicious downloads, emails, or websites. Once inside a system, IcedID can steal personal information, disrupt operat

Vidar | Association type: Unspecified | 2 votes
The Vidar Malware is associated with Netsupport. Vidar is a Windows-based malware, written in C++, that primarily functions as an infostealer. It is based on the Arkei stealer and typically targets various types of data, using the ACR Stealer as an exfiltration module. However, in a unique twist, Vidar downloads the ACR stealer instead of stealing

Socgholish | Association type: Unspecified | 2 votes
The Socgholish Malware is associated with Netsupport. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof
Associated Threat Actors
Alias | Description | Association Type | Votes

Battleroyal | Association type: Unspecified | 3 votes
The Battleroyal Threat Actor is associated with Netsupport. BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen

FIN7 | Association type: Unspecified | 2 votes
The FIN7 Threat Actor is associated with Netsupport. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global
Source Document References
Information about the Netsupport Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At

BankInfoSecurity | 24 days ago
DARKReading | a month ago
CERT-EU | 8 months ago
DARKReading | 4 months ago
SANS ISC | 4 months ago
DARKReading | 7 months ago
CERT-EU | 8 months ago
CERT-EU | 10 months ago
CERT-EU | 8 months ago
CERT-EU | 9 months ago
Trend Micro | 2 years ago
SecurityIntelligence.com | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
InfoSecurity-magazine | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | 10 months ago
CERT-EU | 10 months ago