NetSupport RAT

Malware updated 15 hours ago (2024-10-17T13:01:08.515Z)
NetSupport RAT is malware that poses a significant threat to organizations. Spread through suspicious downloads, emails, or websites, it infiltrates systems without detection and can steal personal information, disrupt operations, or hold data hostage for ransom. It is particularly dangerous because once it is inside a company's network it signals to threat actors that the PC is ready for unauthorized access, either by the operators themselves or by buyers on the dark web. Note that while NetSupport RAT is used maliciously in this context, NetSupport is a legitimate remote-access software company.

The malware is driven by a configuration file, "Client.ini", which contains the keys and values that initialize the connection to its command and control (C2). Some embedded modules contain the client32.exe executable from NetSupport. When the malware runs on a victim computer, it reaches out to the C2 to notify the threat actors; in the analyzed sample, the packet capture (Wireshark) showed "/fakeurl.htm" appended to the IP address, identifying that address as the C2 for this particular NetSupport RAT sample.

The cybercriminal group FIN7 has been promoting an existing malvertising campaign that targets corporate users with content from popular brands to distribute NetSupport RAT. Victims are lured into downloading a JavaScript file that retrieves, downloads, and runs NetSupport RAT through several stages of further JavaScript payloads. Silent Push also disclosed a second FIN7 campaign that covertly distributes NetSupport RAT through lookalike sites that require visitors to install a browser extension. Despite their simplicity, the NetSupport RAT emails analyzed have managed to bypass email security, underlining the sophistication of these attacks.
Description last updated: 2024-10-17T12:34:35.737Z
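The "/fakeurl.htm" request described above is the kind of network indicator a defender can hunt for in proxy logs. The following is an added example, not code from the page or from any vendor: it scans constructed proxy log lines in a hypothetical "timestamp client destination method url" format and reports the suspected C2 hosts, matching only the exact "/fakeurl.htm" path so that look-alike paths are not flagged.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log (hypothetical format, documentation IP ranges).
# Lines 1, 3 and 5 are beacons; line 4 is a decoy path that must not match.
SAMPLE_PROXY_LOG = """\
2024-10-17T12:00:01Z 10.0.0.15 192.0.2.10 GET http://192.0.2.10/fakeurl.htm
2024-10-17T12:00:02Z 10.0.0.15 192.0.2.10 GET http://192.0.2.10/index.html
2024-10-17T12:00:03Z 10.0.0.22 198.51.100.7 POST http://198.51.100.7/fakeurl.htm
2024-10-17T12:00:04Z 10.0.0.9 example.com GET http://example.com/docs/fakeurl.html
2024-10-17T12:00:05Z 10.0.0.9 203.0.113.5 GET http://203.0.113.5:443/fakeurl.htm?x=1
"""

# One log record: timestamp, client, destination, method, URL (whitespace-separated).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+)$"
)
# The NetSupport beacon path from the page: exactly "/fakeurl.htm" directly under
# the host (host:port allowed), with an optional query string. "/docs/fakeurl.html"
# or "/fakeurl.html" do not match.
BEACON_URL_RE = re.compile(r"^https?://[^/]+/fakeurl\.htm(?:\?[^\s]*)?$")


@dataclass(frozen=True)
class Beacon:
    timestamp: str
    client: str
    c2: str


def find_netsupport_beacons(log_text: str) -> list:
    """Return every parsed record whose URL matches the NetSupport beacon path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and BEACON_URL_RE.match(m["url"]):
            hits.append(Beacon(m["ts"], m["client"], m["dst"]))
    return hits


def suspected_c2_hosts(log_text: str) -> list:
    """Distinct destination hosts that received a beacon, sorted for stable output."""
    return sorted({b.c2 for b in find_netsupport_beacons(log_text)})


if __name__ == "__main__":
    for b in find_netsupport_beacons(SAMPLE_PROXY_LOG):
        print(f"{b.timestamp} client={b.client} suspected NetSupport C2={b.c2}")
```

Adapt LOG_RE to the field order of the proxy in use; the beacon-path regex is the part that carries the page's indicator.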
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Netsupport (5 votes). Netsupport is a possible alias for Netsupport Rat. NetSupport is a legitimate remote access software that has been exploited as a malware tool by various threat actors. It's often used in combination with other malicious software like BlackBasta Ransomware, IcedID, and occasionally Lumma Stealer, the most common infostealer in the world today. The m
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Malware, Linux, Windows, Rat, Trojan, Wordpress, Discord
Associated Malware
Socgholish (association type: Unspecified; 3 votes). The Socgholish Malware is associated with Netsupport Rat. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof
Netsupport Manager (association type: Unspecified; 2 votes). The Netsupport Manager Malware is associated with Netsupport Rat. NetSupport Manager is a malicious software (malware) that poses significant threats to computer systems and networks. It is often disguised as legitimate software or tools, such as the 7-zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once
Lumma Stealer (association type: Unspecified; 2 votes). The Lumma Stealer Malware is associated with Netsupport Rat. Lumma Stealer is a highly sophisticated malware variant known for its extensive data-harvesting capabilities. It is designed to steal sensitive information such as passwords, card details, cryptocurrency wallets, and browser session cookies from infected devices. Lumma Stealer employs a DLL side-loa
Associated Threat Actors
FIN7 (association type: Unspecified; 3 votes). The FIN7 Threat Actor is associated with Netsupport Rat. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global
Source Document References
Information about the Netsupport Rat Malware was read from the documents corpus below. This display is limited to 20 results.
Source (created):
DARKReading (14 days ago)
InfoSecurity-magazine (15 days ago)
CERT-EU (7 months ago)
Securityaffairs (6 months ago)
DARKReading (7 months ago)
CERT-EU (7 months ago)
Securityaffairs (a year ago)
Trend Micro (2 years ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Malwarebytes (a year ago)
CERT-EU (a year ago)
Malwarebytes (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)