Netsupport Rat

Malware updated a month ago (2024-10-17T13:01:08.515Z)

Download STIX

Preview STIX

NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operations, or hold data hostage for ransom. NetSupport RAT is particularly dangerous because once it enters a company's system, it signals to threat actors that the PC is ready for unauthorized access, either by the threat actors themselves or to be sold on the dark web. It is important to note that while NetSupport RAT is used maliciously in this context, NetSupport is a legitimate remote software company. The malware operates via a configuration file known as "Client.ini", which contains multiple keys and values that initialize the connection to its command and control (C2). Some embedded modules contain the client32.exe file from the NetSupport RAT. When the malware runs on a victim computer, it reaches out to a C2 to notify threat actors. In addition, the Wireshark output reveals that “/fakeurl.htm” has been appended to the IP address, further identifying this IP address as our C2 for this particular NetSupport RAT sample. The cybercriminal group FIN7 has been promoting an existing malvertising campaign that targets corporate users with content from popular brands to disseminate the NetSupport RAT. This is done through various methods including luring victims to download a JavaScript file that retrieves, downloads, and runs NetSupport RAT through several stages of other JavaScript payloads. Furthermore, Silent Push disclosed a second campaign run by FIN7, designed to covertly distribute NetSupport RAT malware through lookalike sites requiring visitors to install a browser extension. Despite their simplicity, the NetSupport RAT emails analyzed have managed to bypass email security, underlining the sophistication of these attacks.

Description last updated: 2024-10-17T12:34:35.737Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Netsupport is a possible alias for Netsupport Rat. NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate system	5
Netsupport Manager is a possible alias for Netsupport Rat. NetSupport Manager is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. The malware has been detected by InsightIDR Attacker Behavio	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Linux

Windows

Rat

Trojan

Wordpress

Discord

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Socgholish Malware is associated with Netsupport Rat. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof	Unspecified	3
The Lumma Stealer Malware is associated with Netsupport Rat. Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was di	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The FIN7 Threat Actor is associated with Netsupport Rat. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	Unspecified	3

Source Document References

Information about the Netsupport Rat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	2 months ago	AI 'Nude Photo Generator' Delivers Infostealers, Not Images
InfoSecurity-magazine	2 months ago	FIN7 Gang Hides Malware in AI “Deepnude” Sites
CERT-EU	9 months ago	Car Insurance Emails Drives for NetSupport RAT Infection
Securityaffairs	7 months ago	TA547 targets German organizations with Rhadamanthys malware
DARKReading	8 months ago	'PhantomBlu' Cyberattackers Backdoor Microsoft Office Users via OLE
CERT-EU	9 months ago	Car Insurance Emails Drives for NetSupport RAT Infection – Global Security Mag Online
Securityaffairs	a year ago	A malvertising campaign is delivering a new version of macOS Atomic Stealer
Trend Micro	2 years ago	New OpcJacker Malware Distributed via Fake VPN Malvertising
CERT-EU	a year ago	Fake Chrome Browser Update Installs NetSupport Manager RAT
BankInfoSecurity	a year ago	Fake Browser Updates Used to Deploy Malware
CERT-EU	a year ago	Updated Atomic Stealer spread in new Mac malvertising campaign
CERT-EU	a year ago	Konni Group Uses Weaponized Word Documents to Deliver RAT Malware
CERT-EU	a year ago	The RAT King “NetSupport RAT” is Back in Action Via fake browser updates
CERT-EU	a year ago	Increasingly prevalent NetSupport RAT infections reported
CERT-EU	a year ago	NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors
Malwarebytes	a year ago	FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT
CERT-EU	a year ago	Researchers Warn NetSupport RAT Attacks Are on the Rise
Malwarebytes	a year ago	Mac users targeted in new malvertising campaign delivering Atomic Stealer
CERT-EU	a year ago	Ransomware Surges in Nuspire’s Q2 2023 Threat Report
Securityaffairs	a year ago	Experts warn of a surge in NetSupport RAT attacks