NetSupportManager RAT (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.netsupportmanager_rat (Back to overview)

NetSupportManager RAT

aka: NetSupport

VTCollection URLhaus

Enigma Software notes that NetSupport Manager is a genuine application, which was first released about twenty years ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or provide remote computer assistance. However, cyber crooks have hijacked this useful application and misappropriated it to use it in their harmful campaigns. The name of the modified version of the NetSupport Manager has been labeled the NetSupport Manager RAT.

References

2024-03-18 ⋅ Perception Point ⋅ Ariel Davidpur, Peleg Cabra
Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT
NetSupportManager RAT

2024-02-26 ⋅ Twitter (@embee_research) ⋅ Embee_research
Advanced CyberChef Techniques for Configuration Extraction - Detailed Walkthrough and Examples
NetSupportManager RAT

2024-02-25 ⋅ YouTube (Embee Research) ⋅ Embee_research
My Longest CyberChef Recipe Ever - 22 Operation Configuration Extractor
NetSupportManager RAT

2024-01-23 ⋅ Medium ad12347 ⋅ Ariel Davidpur
NetSupport RAT hits again with new IOCs
NetSupportManager RAT

2023-11-20 ⋅ vmware ⋅ Abe Schneider, Alan Ngo, Alex Murillo, Fae Carlisle, Nikki Benoit
NetSupport RAT: The RAT King Returns
NetSupportManager RAT

2023-10-27 ⋅ Elastic ⋅ Joe Desimone, Salim Bitam
GHOSTPULSE haunts victims using defense evasion bag o' tricks
HijackLoader Lumma Stealer NetSupportManager RAT Rhadamanthys SectopRAT Vidar

2023-10-26 ⋅ Medium walmartglobaltech ⋅ Jonathan Mccay
SmartApeSG
NetSupportManager RAT

2023-09-06 ⋅ Malwarebytes ⋅ Jérôme Segura
Mac users targeted in new malvertising campaign delivering Atomic Stealer
AMOS NetSupportManager RAT

2023-08-10 ⋅ Trellix ⋅ Antonio Ribeiro, Jonell Baltazar
Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT
NetSupportManager RAT

2023-03-29 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C Chen
New OpcJacker Malware Distributed via Fake VPN Malvertising
NetSupportManager RAT OpcJacker

2023-01-06 ⋅ AhnLab ⋅ ASEC
Distribution of NetSupport RAT Malware Disguised as a Pokemon Game
NetSupportManager RAT

2022-09-15 ⋅ Sekoia ⋅ Threat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer

2022-05-25 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT

2022-04-11 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer
Mars Stealer NetSupportManager RAT

2022-04-07 ⋅ Bleeping Computer ⋅ Bill Toulas
Malicious web redirect service infects 16,500 sites to push malware
NetSupportManager RAT

2022-04-07 ⋅ Avast Decoded ⋅ Jan Rubín, Pavel Novák
Parrot TDS takes over web servers and threatens millions
FAKEUPDATES Parrot TDS Parrot TDS WebShell NetSupportManager RAT

2020-11-02 ⋅ SUCURI ⋅ Denis Sinegubko
CSS-JS Steganography in Fake Flash Player Update Malware
magecart NetSupportManager RAT

2020-05-22 ⋅ Positive Technologies ⋅ PT ESC Threat Intelligence
Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.
NetSupportManager RAT ServHelper

2020-03-19 ⋅ Prevailion ⋅ Prevailion
The Curious Case of the Criminal Curriculum Vitae
LALALA Stealer NetSupportManager RAT Rekt Loader

2017-09-01 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware
NetSupportManager RAT

2016-09-30 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Hacked Steam accounts spreading Remote Access Trojan
NetSupportManager RAT

2013-01-01 ⋅ NetSupport Manager ⋅ NetSupport Manager
NetSupport Manager Website
NetSupportManager RAT

Yara Rules

[TLP:WHITE] win_netsupportmanager_rat_auto (20230808 | Detects win.netsupportmanager_rat.)

rule win_netsupportmanager_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.netsupportmanager_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 8b7df0 3bfb c745fcffffffff 7410 8bcf e8???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]
            //   3bfb                 | cmp                 edi, ebx
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   7410                 | je                  0x12
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_1 = { f3a4 8d4dfc 51 e8???????? 83c404 663dffff 668945dc }
            // n = 7, score = 100
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   663dffff             | cmp                 ax, 0xffff
            //   668945dc             | mov                 word ptr [ebp - 0x24], ax

        $sequence_2 = { e8???????? 8bcb e8???????? 8b4510 8b08 894b34 8b5004 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   894b34               | mov                 dword ptr [ebx + 0x34], ecx
            //   8b5004               | mov                 edx, dword ptr [eax + 4]

        $sequence_3 = { ff15???????? 85ff 7417 8b1b 81e7ffff0000 6a00 57 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85ff                 | test                edi, edi
            //   7417                 | je                  0x19
            //   8b1b                 | mov                 ebx, dword ptr [ebx]
            //   81e7ffff0000         | and                 edi, 0xffff
            //   6a00                 | push                0
            //   57                   | push                edi

        $sequence_4 = { c644020400 e8???????? 8b8558ffffff 83c404 85c0 7514 8b9550ffffff }
            // n = 7, score = 100
            //   c644020400           | mov                 byte ptr [edx + eax + 4], 0
            //   e8????????           |                     
            //   8b8558ffffff         | mov                 eax, dword ptr [ebp - 0xa8]
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7514                 | jne                 0x16
            //   8b9550ffffff         | mov                 edx, dword ptr [ebp - 0xb0]

        $sequence_5 = { e8???????? 8b9750030000 52 e8???????? 8b450c 8b7510 83c408 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b9750030000         | mov                 edx, dword ptr [edi + 0x350]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   83c408               | add                 esp, 8

        $sequence_6 = { ff15???????? 85c0 750e 8b45e8 8b4de4 50 51 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_7 = { e8???????? eb02 33c0 c645fc01 8bf0 3bf3 7547 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   8bf0                 | mov                 esi, eax
            //   3bf3                 | cmp                 esi, ebx
            //   7547                 | jne                 0x49

        $sequence_8 = { e9???????? 686c010000 e8???????? 8bf0 83c404 897508 85f6 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   686c010000           | push                0x16c
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c404               | add                 esp, 4
            //   897508               | mov                 dword ptr [ebp + 8], esi
            //   85f6                 | test                esi, esi

        $sequence_9 = { 8d4df0 c745fc00000000 e8???????? 8b4704 85c0 7609 83f8ff }
            // n = 7, score = 100
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   e8????????           |                     
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   85c0                 | test                eax, eax
            //   7609                 | jbe                 0xb
            //   83f8ff               | cmp                 eax, -1

    condition:
        7 of them and filesize < 4734976
}

Download all Yara Rules

NetSupportManager RAT Propose Change

References

Yara Rules

NetSupportManager RAT