Netsupport Rat

Malware updated a month ago (2024-11-29T14:07:17.924Z)
Download STIX
Preview STIX
NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operations, or hold data hostage for ransom. NetSupport RAT is particularly dangerous because once it enters a company's system, it signals to threat actors that the PC is ready for unauthorized access, either by the threat actors themselves or to be sold on the dark web. It is important to note that while NetSupport RAT is used maliciously in this context, NetSupport is a legitimate remote software company. The malware operates via a configuration file known as "Client.ini", which contains multiple keys and values that initialize the connection to its command and control (C2). Some embedded modules contain the client32.exe file from the NetSupport RAT. When the malware runs on a victim computer, it reaches out to a C2 to notify threat actors. In addition, the Wireshark output reveals that “/fakeurl.htm” has been appended to the IP address, further identifying this IP address as our C2 for this particular NetSupport RAT sample. The cybercriminal group FIN7 has been promoting an existing malvertising campaign that targets corporate users with content from popular brands to disseminate the NetSupport RAT. This is done through various methods including luring victims to download a JavaScript file that retrieves, downloads, and runs NetSupport RAT through several stages of other JavaScript payloads. Furthermore, Silent Push disclosed a second campaign run by FIN7, designed to covertly distribute NetSupport RAT malware through lookalike sites requiring visitors to install a browser extension. Despite their simplicity, the NetSupport RAT emails analyzed have managed to bypass email security, underlining the sophistication of these attacks.
Description last updated: 2024-10-17T12:34:35.737Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Netsupport is a possible alias for Netsupport Rat. NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate system
6
Netsupport Manager is a possible alias for Netsupport Rat. NetSupport Manager is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. The malware has been detected by InsightIDR Attacker Behavio
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Linux
Windows
Rat
Trojan
Wordpress
Discord
PowerShell
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Socgholish Malware is associated with Netsupport Rat. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, MicrosofUnspecified
3
The Lumma Stealer Malware is associated with Netsupport Rat. Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was diUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The FIN7 Threat Actor is associated with Netsupport Rat. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global Unspecified
3
Source Document References
Information about the Netsupport Rat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securelist
24 days ago
DARKReading
3 months ago
InfoSecurity-magazine
3 months ago
CERT-EU
10 months ago
Securityaffairs
8 months ago
DARKReading
9 months ago
CERT-EU
10 months ago
Securityaffairs
a year ago
Trend Micro
2 years ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Malwarebytes
a year ago
CERT-EU
a year ago
Malwarebytes
a year ago
CERT-EU
a year ago