Netsupport Manager

Malware updated 3 months ago (2024-06-17T10:17:33.235Z)
NetSupport Manager is malicious software (malware) that poses a significant threat to computer systems and networks. It is often disguised as legitimate software or tools, such as the 7-Zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once installed, NetSupport Manager can give cybercriminals control over victim computers and access to their data. One of its key characteristics is its ability to spawn suspicious processes, such as those detected by InsightIDR Attacker Behavior Analytics; these include processes spawned by Outlook Web Access and modification of files in the Exchange webroot.

The malware has been observed in various cyber-attack campaigns. In June 2020, IcedID and NetSupport Manager RAT-based malware were delivered on a Windows 7 host. In another instance, Trellix exposed a scheme in which the malware was sneaked onto victims' computers via fake Chrome browser updates. Kroll's investigation suggested that Royal ransomware actors likely gained access to a network by purchasing it from an unrelated actor, installing a renamed version of NetSupport Manager in the process. The malware also featured prominently in the Storm-1811 campaign reported by Microsoft, where it was used alongside other malware such as Qakbot and Cobalt Strike to compromise devices.

NetSupport Manager's potency lies in its ability to maintain control over compromised devices, allowing cybercriminals to download and install additional malware and launch arbitrary commands. The malware uses a configuration file ("client32.ini") that reveals the IP address of the NetSupport Manager (the C2). This capability was used in the PhantomBlu campaign, where attackers impersonated an accounting service to deliver the notorious NetSupport RAT. After extraction via the downloaded 7-Zip utility, execution occurs via a scheduled task orchestrated by the "2.bat" batch file. This file also ensures persistence for the RAT, triggering automatic execution on system startup.
Description last updated: 2024-06-17T10:16:06.200Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

Netsupport (4 votes): NetSupport is a malicious software (malware) that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Malware, Ransomware, RMM
Associated Malware
Associated profile (association type, votes) and description:

QakBot (Unspecified, 3 votes): Qakbot is a type of malware that has been linked to various cybercriminal activities, with its presence first observed as early as 2020. It gained notoriety for its role in the operations of the Black Basta ransomware group, which used Qakbot extensively in sophisticated phishing campaigns. The malw

Netsupport Rat (Unspecified, 2 votes): NetSupport RAT is a type of malware that can significantly compromise an organization's digital security. Originally derived from the legitimate NetSupport Manager, a remote technical support tool, this malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to t

Black Basta (Unspecified, 2 votes): Black Basta is a notorious malware group known for its ransomware activities. The group has been active since at least early 2022, during which time it has accumulated an estimated $107 million in Bitcoin ransom payments. It leverages malicious software to infiltrate and exploit computer systems, of

Royal Ransomware (Unspecified, 2 votes): The Royal Ransomware, a harmful malware program designed to exploit and damage computer systems, operated from September 2022 through June 2023. It employed multi-threaded encryption to disrupt operations and hold data hostage for ransom. The ransomware was primarily disseminated through suspicious

IcedID (Unspecified, 2 votes): IcedID is a malicious software (malware) that has been linked to various cybercrime operations. The malware can infiltrate systems via suspicious downloads, emails, or websites and proceed to steal personal information, disrupt operations, or hold data for ransom. IcedID has been associated with oth
Source Document References
Information about the Netsupport Manager malware was read from the documents corpus below. This display is limited to 20 results.

Source (created): Title

SANS ISC (3 months ago): New NetSupport Campaign Delivered Through MSIX Packages - SANS Internet Storm Center
BankInfoSecurity (4 months ago): Breach Roundup: Kimsuky Serves Linux Trojan
InfoSecurity-magazine (4 months ago): Windows Quick Assist Exploited in Ransomware Attacks
DARKReading (4 months ago): Windows Quick Assist Anchors Black Basta Ransomware Gambit
DARKReading (6 months ago): 'PhantomBlu' Cyberattackers Backdoor Microsoft Office Users via OLE
CERT-EU (a year ago): Critical Chrome Update Counters Spyware Vendor's Exploits
CERT-EU (a year ago): Fake Chrome Browser Update Installs NetSupport Manager RAT
CERT-EU (a year ago): Data exfiltration tools by APT31 group detailed
CERT-EU (a year ago): Infostealers expose 100K hackers' computers
CERT-EU (a year ago): From a Zalando Phishing to a RAT - SANS Internet Storm Center
CERT-EU (9 months ago): Researchers Warn NetSupport RAT Attacks Are on the Rise
CERT-EU (a year ago): New QwixxRAT emerges, NetSupport Manager RAT deployed in new campaign
CERT-EU (2 years ago): Royal Ransomware Deep Dive | Kroll | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
CERT-EU (a year ago): Over 100K hackers fall victim to infostealer malware
CERT-EU (a year ago): Fake Chrome Browser Update Installs NetSupport Manager RAT | IT Security News
Securityaffairs (10 months ago): Experts warn of a surge in NetSupport RAT attacks
CERT-EU (a year ago): Updated Raccoon Stealer better evades detection
CERT-EU (a year ago): LolekHosted seized, five admins arrested following police operation
CERT-EU (10 months ago): Netsupport Intrusion Results in Domain Compromise
CERT-EU (8 months ago): Microsoft Disables App Installer After Feature is Abused for Malware