Netsupport Manager

Malware updated a day ago (2024-11-20T18:06:31.878Z)
NetSupport Manager is malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. The malware has been detected by InsightIDR Attacker Behavior Analytics because of its suspicious process and its modification of files. The attacker uses the 7zip compression utility and the NetSupport Manager remote access tool to carry out their activities.

In one instance in June 2020, both IcedID and NetSupport Manager RAT-based malware were delivered as follow-up malware on a Windows 7 host. The malware has been used in various schemes, such as fake Chrome browser updates, to sneak onto victim computers, granting cybercriminals control and data access. It was also found in an incident where Royal ransomware actors likely gained access to an environment by purchasing their way in from an unrelated actor. Once access is granted, hackers download malicious payloads, some of them masquerading as spam filter files, enabling them to install the Qakbot malware, remote management tools like ScreenConnect and NetSupport Manager, and Cobalt Strike. These actions often culminate in the deployment of Black Basta ransomware.

In addition to these incidents, NetSupport Manager has been deployed to maintain control over compromised devices, allowing the download and installation of additional malware and the launching of arbitrary commands. Microsoft observed this during the Storm-1811 campaign, which delivered a flurry of malware to victim machines, including NetSupport Manager. In another campaign, dubbed "PhantomBlu," attackers impersonated an accounting service in email messages inviting people to download a Microsoft Office Word file, which ultimately delivered the notorious NetSupport RAT. The malware is extracted via the downloaded 7-zip utility, executed via a scheduled task, and set to execute automatically upon system startup.
Description last updated: 2024-11-15T16:09:08.756Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias Description | Votes |
| --- | --- |
| Netsupport is a possible alias for Netsupport Manager. NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate system | 5 |
| Netsupport Rat is a possible alias for Netsupport Manager. NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operations | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Rmm
Chrome
Associated Malware
| Alias Description | Association Type | Votes |
| --- | --- | --- |
| The QakBot Malware is associated with Netsupport Manager. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d | Unspecified | 3 |
| The Black Basta Malware is associated with Netsupport Manager. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses | Unspecified | 2 |
| The Royal Ransomware Malware is associated with Netsupport Manager. Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could stea | Unspecified | 2 |
| The IcedID Malware is associated with Netsupport Manager. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d | Unspecified | 2 |
Source Document References
Information about the Netsupport Manager Malware was read from the documents corpus below.

| Source | Created |
| --- | --- |
| Unit42 | 6 days ago |
| SANS ISC | 5 months ago |
| BankInfoSecurity | 6 months ago |
| InfoSecurity-magazine | 6 months ago |
| DARKReading | 6 months ago |
| DARKReading | 8 months ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| CERT-EU | 2 years ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| Securityaffairs | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |