Netsupport Manager

Malware Profile Updated a month ago
NetSupport Manager is malicious software (malware) that poses significant threats to computer systems and networks. It is often disguised as legitimate software or tools, such as the 7-Zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once installed, NetSupport Manager can grant cybercriminals control over victim computers and access to their data. One of its key characteristics is its ability to spawn suspicious processes, such as those detected by InsightIDR Attacker Behavior Analytics, including processes spawned by Outlook Web Access and modification of files in the Exchange webroot.

The malware has been observed in various cyber-attack campaigns. In June 2020, IcedID and NetSupport Manager RAT-based malware were delivered to a Windows 7 host. In another instance, Trellix exposed a scheme in which the malware was smuggled onto victims' computers via fake Chrome browser updates. Kroll's investigation suggested that Royal ransomware actors likely gained access to a network by purchasing it from an unrelated actor, installing a renamed version of NetSupport Manager in the process. The malware also featured prominently in the Storm-1811 campaign led by Microsoft, where it was used alongside other malware such as Qakbot and Cobalt Strike to compromise devices.

NetSupport Manager's potency lies in its ability to maintain control over compromised devices, allowing cybercriminals to download and install additional malware and launch arbitrary commands. The malware uses a configuration file ("client32.ini") that reveals the IP address of the NetSupport Manager server (the C2). This capability was used in the PhantomBlu campaign, where attackers impersonated an accounting service to deliver the notorious NetSupport RAT. Upon extraction via the downloaded 7-Zip utility, execution occurs via a scheduled task orchestrated by the "2.bat" batch file. This file also ensures persistence for the RAT, triggering automatic execution on system startup.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile | Votes | Description
Netsupport | 4 | NetSupport is a malicious software (malware) that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or
client32.exe | 1 | None
Gozi | 1 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Qwixxrat | 1 | QwixxRAT is a new form of malware that emerged in August 2023, as reported by SC Magazine and The Hacker News. This information-stealing software has been actively promoted on platforms like Discord and Telegram by threat actors. It's part of an ongoing malicious campaign alongside the deployment of
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Rmm
Windows
Phishing
Trellix
Scam
Trojan
Chrome
Microsoft
Payload
Spam
Outlook
Rat
Discord
Telegram
Associated Malware
Profile | Type | Votes | Description
QakBot | Unspecified | 3 | Qakbot, also known as QBot, is a versatile piece of malware capable of executing several malicious activities such as brute-forcing, web injects, and loading other types of malware. It's often used to steal credentials and gather information, with the cybercriminal group Black Basta being one notabl
Netsupport Rat | Unspecified | 2 | NetSupport RAT is a type of malware that can significantly compromise an organization's digital security. Originally derived from the legitimate NetSupport Manager, a remote technical support tool, this malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to t
IcedID | Unspecified | 2 | IcedID is a type of malware, or malicious software, designed to exploit and harm computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, IcedID can steal personal information, disrupt operations, or even hold dat
Royal Ransomware | Unspecified | 2 | Royal Ransomware is a type of malware that has been causing significant disruptions in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and ability to kill processes withi
Black Basta | Unspecified | 2 | Black Basta is a notorious malware group known for its malicious software, specifically ransomware attacks. Since early 2022, the Black Basta Ransomware gang has been actively involved in cybercrimes, amassing at least $107 million in Bitcoin ransom payments. The group's modus operandi involves expl
Lumma Stealer | Unspecified | 1 | Lumma Stealer is a malicious software, or malware, that targets cryptocurrency wallets and browser user data. It has been particularly prevalent in the gaming community, with cracked video games and cheating tools often found to contain infostealer malware such as Lumma Stealer and RedLine Stealer.
Smoke Loader | Unspecified | 1 | Smoke Loader is a prominent type of malware identified by the SCPC SSSCIP, used in recent attacks primarily targeting Ukrainian organizations. This malicious software is often delivered via IPFS links by malware families such as Smoke Loader, XLoader, XMRig, and OriginLogger, disrupting operations a
Redline Stealer | Unspecified | 1 | RedLine Stealer is a malicious software that was used to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. In July 2023, Unit 42 conducted an analysis of a RedLine Stealer infection using Wireshark, a network protocol analyzer. The analysis in
Socgholish | Unspecified | 1 | SocGholish is a harmful malware known for its deceptive methods of infection, often impersonating legitimate browser updates to distribute Remote Access Trojans. This malicious software infiltrates systems through suspicious downloads, emails, or websites, typically without the user's knowledge. Onc
Sectop Rat | Unspecified | 1 | None
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Netsupport Manager malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
SANS ISC | a month ago | New NetSupport Campaign Delivered Through MSIX Packages - SANS Internet Storm Center
BankInfoSecurity | 2 months ago | Breach Roundup: Kimsuky Serves Linux Trojan
InfoSecurity-magazine | 2 months ago | Windows Quick Assist Exploited in Ransomware Attacks
DARKReading | 2 months ago | Windows Quick Assist Anchors Black Basta Ransomware Gambit
DARKReading | 4 months ago | 'PhantomBlu' Cyberattackers Backdoor Microsoft Office Users via OLE
CERT-EU | 10 months ago | Critical Chrome Update Counters Spyware Vendor's Exploits
CERT-EU | a year ago | Fake Chrome Browser Update Installs NetSupport Manager RAT
CERT-EU | a year ago | Data exfiltration tools by APT31 group detailed
CERT-EU | a year ago | Infostealers expose 100K hackers' computers
CERT-EU | a year ago | From a Zalando Phishing to a RAT - SANS Internet Storm Center
CERT-EU | 8 months ago | Researchers Warn NetSupport RAT Attacks Are on the Rise
CERT-EU | a year ago | New QwixxRAT emerges, NetSupport Manager RAT deployed in new campaign
CERT-EU | a year ago | Royal Ransomware Deep Dive | Kroll | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
CERT-EU | a year ago | Over 100K hackers fall victim to infostealer malware
CERT-EU | a year ago | Fake Chrome Browser Update Installs NetSupport Manager RAT | IT Security News
Securityaffairs | 8 months ago | Experts warn of a surge in NetSupport RAT attacks
CERT-EU | a year ago | Updated Raccoon Stealer better evades detection
CERT-EU | a year ago | LolekHosted seized, five admins arrested following police operation
CERT-EU | 8 months ago | Netsupport Intrusion Results in Domain Compromise
CERT-EU | 6 months ago | Microsoft Disables App Installer After Feature is Abused for Malware