Fake Software Update Abuses NetSupport Remote Access Tool


Fake Software Update Abuses NetSupport Remote Access Tool (Apr 5, 2018)

FireEye researchers have discovered a new campaign that is distributing the “NetSupport Manager” Remote Access Tool (RAT) via compromised websites. NetSupport Manager is a legitimate RAT that system administrators can use to remotely access colleague and client machines; however, threat actors can also use the tool for malicious purposes. The infection vector for this campaign begins with threat actors compromising a website, which in turn offers fake updates impersonating Adobe Flash, Chrome, and Firefox. If a user visits one of the websites, a malicious JavaScript file is downloaded, typically from a Dropbox link. The JavaScript retrieves and subsequently sends basic system information to a C2 before downloading the NetSupport Manager payload.

Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Furthermore, real-time protection software should be in place to assist in preventing automatic downloads from websites.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.