Date: 08/02/2024
Severity: Medium
Summary
The "NetSupport RAT campaign" refers to attacks in which adversaries use the NetSupport Remote Access Tool (RAT) to gain unauthorized control of targeted systems. NetSupport is originally a legitimate IT-support tool; in this campaign it is abused to remotely access, monitor, and manipulate infected computers. Initial access typically comes through phishing emails or malicious downloads. The campaign's primary goals are to steal sensitive information, deploy further malware, and disrupt operations. Defenses include cautious handling of email attachments, keeping software up to date, and maintaining robust security controls, backed by the domain and hash detections listed below.
Indicators of Compromise (IOC) List
URL/Domains | electricnico.com, jennifergalvin.com, ripnoticebook.com, scorelineupdate.com, proexbit.com, kineticwing.com, suezey.com, choosetotruck.com, ratingsentry.com |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
URL/Domain | userdomainname like "electricnico.com" or url like "electricnico.com" or userdomainname like "jennifergalvin.com" or url like "jennifergalvin.com" or userdomainname like "ripnoticebook.com" or url like "ripnoticebook.com" or userdomainname like "scorelineupdate.com" or url like "scorelineupdate.com" or userdomainname like "proexbit.com" or url like "proexbit.com" or userdomainname like "kineticwing.com" or url like "kineticwing.com" or userdomainname like "suezey.com" or url like "suezey.com" or userdomainname like "choosetotruck.com" or url like "choosetotruck.com" or userdomainname like "ratingsentry.com" or url like "ratingsentry.com" |
Query 1 |
sha256hash IN ("38237cf618c736f7fbdcd780c9c8e141624e8b6577f2c4a912a64a1df46b2e9e","2395968d6e544bcbdb3f215c1d3af03b0395cbd1145822d153ab97991375633d","9352692f8aeb2084c830d39e81583b5c4350bfa790022e45a855c9e233203e40","2f992a6af255696edf8f8d6567493d22e7e0691b2c3fb344d8fe52f42e117e8e","f35bb23885b18d4edc1fa0a09caaf868da5bdf2db23a31db7d5929a5860063e9","9454e8da1bb80ad290f61f8a967178f52a022513e568c520c80b857a1c6e1180","a879ed35663d68927b7684a88890777134059bab42073cf3f7b6268bfb1cb56a","c0be5fc0d9b7e92c614074879e960c78119a5cc3d4ca8284b2bd51c0412cdbae","1daf92e90a6de78449bbb1330b484cb284cfb8e045d20fcd9c6a4a56882240ad","8a3784e2ce325fa9ed4610fb0f6d7587a2a78d50ca29feaf16dd28aee0454c64","8f1c11ed873bab55f9b08d6422c70dc4280c2cbaac6eab4e438e0c5d8896d98b","41632e707f7129a25d16c9137bdf4ce4f819a542ed33d8c444f9bd5693ecb975","21502ddcd8d18c335b1b6ef4910cd76a88c5100e9228a375c7100e3f3b7e41da","4464da29939191496f2425ae92839f7f41b551a40fcf50069e085d1f92e989d1","01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e","73b0335a15ff8d61314ca82aec71dc1adeec34df3a21880bb6f6a1ae2e71455b","f545c3a28e8c0ff19f3eb4010bbd399e7940a99a5ce4a43faa47eb40e149ddbd","a0a49e4f9426034aa104ab15a0468e986684d68967d9cbef94ef12921b2205b8") |
Query 2 |
sha256hash IN ("bcf2bbf3f992cc2d41c2f3505c37000f995c77597807258944493a6f27d04f3f","8cdb416e346952629162db6ee6109b7e931e00bc1514e9e660c60879e554782b","18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d","9b77ce9fb306d0cefc655ac7344838ec9484100b5353d5d73ef005db46b53369","3b27733580b86829aee675376c83547a4eadd5835edf40960cabbb76a7a200ee","2e211cca3a02e1249a748a6c3cf388913db257d0f6d45ecf48d6c81e94f67fad","d8f2134faeed8cf62887aaad8403ab7f29b5cd26cd03b81cb59774442d97fc0e","2e8ff2db588fc637412589c93981bf37716dbce9ea1f82142749e48179b73071","fa8b88f2557b5327eee47509cff3a243618676f077a7efd65e1660935e7ab635","70c56698865a3a31045402db6e4519df4aa27c8b356a6e16c3ed2bd32ef74f7c","8e7c5894e2c459d3bbbb7467e0383bda2f41dc62f067d162d1e064be96a58e04","4cacf6916e64206af56a41a1fdee3efb22cd5ecda2af7913a31cf693a091138c","16e398fde0402d867aa2858f67df7ac19b574c16075005d08a9d4be672848b77","15974cc1a297a2b37103bda318f3cb2d3ee98c68703daa396e86e005d8495a94","436e62fb9aacb2e384afd06ee8afbaa83aa152059361089caa7853b508bac212","a95fe0e3b0cb3c0a172eef317d1b213f8572156dc44026f470add87e563bb3d1","3f5acc348442c7a5bfc86ad289e99612f98326b66c5d884f370421945d9fdaea","0309d9e1ca19f478f49ee5b7959f9682c1b312e61eb01be60eaf20b61c9b9d70") |
Query 3 |
sha256hash IN ("38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5","a84cac613d27ffdbac9495f1247bf9ae4f708ba17bcd230ed2e2c5e4ba483370","eebb69a2374dbd4def5e52e2264b544e02abdc1cc0114e5137f4d49ce3c50beb","28468908b5d79b9057c16cc926c1e2fb4bea63583a9f8a1d84904e7094990e07","8e80ef39598af430c35f4cd6d5d33792b2ba53a2360b2612ce3dd00b756cc48b","c54790d3a55474170352a4c9a3867afca0450552d9933f6b9b9a32855058e59e","87f7bcc587a5f2a7d06e12311c0ef8fb318515f4eec83832ff0a017e3e60638a","6157383e222feaaf36342901bd57e993f1136c9875e8325c68fad30d9c21d4b8","7791a5f2d1b2aabc186a9f42cd7d78657dc4e970f05ecb65ea729cf8643de90e","dfc2f4224b59068488be9177b2b3c9c3998404a0bb34177a6a016339fd1a1a1a","878cd20bb0e4997b3da982dc01a4bdeb125c53ab93662afbc8ccfeac7b48d9cb","8346d8f6adf67626c8210a95a4f2723a66014dceff0b3a2ab5ac0b3bc3524f48","12e3fcad2aed271726f488479ce3356a2dc075e89ac69db143f6bfb81af690a1","c815a6b53d44a2ab5e62fe0179cbdcb84512d59fd50cfc97ed4e368a1685b66e","3b587d0c311e8ebc3bb104d564235c41ef8e64592c7419f17f48e0cee9ebc878","7e95b7ab72daae1e7aa956a9b6dd4851061f158bef76dbfcfdfca0d3a54753c7","63cb5991b933cede5eb0f42e155b5ad1cf94300c3ce4b7c0a9892829dbf0f966","f2bf9a151a6663d7c24d8a7c2d94b6133e9b32580bdeef8cd2ece054535eba26") |
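As an added example (not part of the Gurucul advisory or its TDIR product), the domain-matching logic of the URL/Domain query above, run in Python over a few constructed proxy log lines. It contrasts the substring semantics of `like` with a host-aware match, so that an IOC string that only sits in a URL path or inside a different registered domain does not fire.

```python
"""Domain-IOC matcher for proxy/DNS logs (added example, not Gurucul's code).

The nine domains come from the advisory above; the log lines are constructed
samples. Two matching modes are shown: a substring match that mirrors the
`like "domain"` query, and a host-aware match that only fires when the
requested host is the IOC domain itself or one of its subdomains.
"""
from urllib.parse import urlsplit

IOC_DOMAINS = {
    "electricnico.com", "jennifergalvin.com", "ripnoticebook.com",
    "scorelineupdate.com", "proexbit.com", "kineticwing.com",
    "suezey.com", "choosetotruck.com", "ratingsentry.com",
}

# Constructed sample proxy records: "<timestamp> <user> <url>".
SAMPLE_LOG = """\
2024-08-02T10:01:00Z alice https://scorelineupdate.com/client.zip
2024-08-02T10:02:13Z bob https://cdn.kineticwing.com/update.js
2024-08-02T10:03:45Z carol https://www.example.org/notsuezey.com.html
2024-08-02T10:04:09Z dave https://proexbit.com.lookalike.example/x
"""

def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL ('' if none)."""
    return (urlsplit(url).hostname or "").lower()

def substring_match(url: str) -> set[str]:
    """Mirror of the advisory's `like` query: any IOC found anywhere in the URL."""
    return {d for d in IOC_DOMAINS if d in url.lower()}

def host_match(url: str) -> set[str]:
    """Stricter match: host equals the IOC domain or is a subdomain of it."""
    host = host_of(url)
    return {d for d in IOC_DOMAINS if host == d or host.endswith("." + d)}

def scan(log_text: str, matcher=host_match) -> list[tuple[str, str, set[str]]]:
    """Return (user, url, matched_iocs) for every record the matcher flags."""
    hits = []
    for line in log_text.splitlines():
        _, user, url = line.split(maxsplit=2)
        matched = matcher(url)
        if matched:
            hits.append((user, url, matched))
    return hits

if __name__ == "__main__":
    for user, url, iocs in scan(SAMPLE_LOG):
        print(f"{user}: {url} -> {sorted(iocs)}")
```

Running both matchers over the sample shows the substring mode flagging all four records while the host-aware mode flags only the two whose host really is an IOC domain; the same host-aware check is what to apply before paging on a `like` hit.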
References:
https://blog.talosintelligence.com/detecting-evolving-threats-netsupport-rat/
https://github.com/Cisco-Talos/IOCs/blob/main/2024/08/detecting-evolving-threats-netsupport-rat.txt