win.netsupportmanager_rat

NetSupportManager RAT

aka: NetSupport

Enigma Software notes that NetSupport Manager is a genuine application, first released about twenty years ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or to provide remote computer assistance. However, cyber crooks have hijacked this useful application and misappropriated it for use in their harmful campaigns. The modified version of NetSupport Manager has been labeled the NetSupport Manager RAT.

References
2023-03-29Trend MicroJaromír Hořejší, Joseph C Chen
@online{hoej:20230329:new:705592f, author = {Jaromír Hořejší and Joseph C Chen}, title = {{New OpcJacker Malware Distributed via Fake VPN Malvertising}}, date = {2023-03-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html}, language = {English}, urldate = {2023-04-25} } New OpcJacker Malware Distributed via Fake VPN Malvertising
NetSupportManager RAT OpcJacker
2023-01-06AhnLabASEC
@online{asec:20230106:distribution:dd88acd, author = {ASEC}, title = {{Distribution of NetSupport RAT Malware Disguised as a Pokemon Game}}, date = {2023-01-06}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/45312/}, language = {English}, urldate = {2023-03-20} } Distribution of NetSupport RAT Malware Disguised as a Pokemon Game
NetSupportManager RAT
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-05-25Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20220525:socgholish:f876e0e, author = {Jason Reaves and Joshua Platt}, title = {{SocGholish Campaigns and Initial Access Kit}}, date = {2022-05-25}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee}, language = {English}, urldate = {2022-06-02} } SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT
2022-04-11eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220411:fake:e57b0f2, author = {eSentire Threat Response Unit (TRU)}, title = {{Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer}}, date = {2022-04-11}, organization = {eSentire}, url = {https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer}, language = {English}, urldate = {2022-05-24} } Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer
Mars Stealer NetSupportManager RAT
2022-04-07Avast DecodedPavel Novák, Jan Rubín
@online{novk:20220407:parrot:9c74f9b, author = {Pavel Novák and Jan Rubín}, title = {{Parrot TDS takes over web servers and threatens millions}}, date = {2022-04-07}, organization = {Avast Decoded}, url = {https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/}, language = {English}, urldate = {2022-04-08} } Parrot TDS takes over web servers and threatens millions
FAKEUPDATES Parrot TDS Parrot TDS WebShell NetSupportManager RAT
2022-04-07Bleeping ComputerBill Toulas
@online{toulas:20220407:malicious:f10fb8e, author = {Bill Toulas}, title = {{Malicious web redirect service infects 16,500 sites to push malware}}, date = {2022-04-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/}, language = {English}, urldate = {2022-04-12} } Malicious web redirect service infects 16,500 sites to push malware
NetSupportManager RAT
2020-11-02SUCURIDenis Sinegubko
@online{sinegubko:20201102:cssjs:e800099, author = {Denis Sinegubko}, title = {{CSS-JS Steganography in Fake Flash Player Update Malware}}, date = {2020-11-02}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html}, language = {English}, urldate = {2020-11-04} } CSS-JS Steganography in Fake Flash Player Update Malware
magecart NetSupportManager RAT
2020-05-22Positive TechnologiesPT ESC Threat Intelligence
@online{intelligence:20200522:operation:6e4f978, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.}}, date = {2020-05-22}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/}, language = {English}, urldate = {2020-11-23} } Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.
NetSupportManager RAT ServHelper
2020-03-19PrevailionPrevailion
@online{prevailion:20200319:curious:082e652, author = {Prevailion}, title = {{The Curious Case of the Criminal Curriculum Vitae}}, date = {2020-03-19}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html}, language = {English}, urldate = {2020-06-30} } The Curious Case of the Criminal Curriculum Vitae
LALALA Stealer NetSupportManager RAT Rekt Loader
2017-09-01Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20170901:eitest:6388761, author = {Brad Duncan}, title = {{EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware}}, date = {2017-09-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/}, language = {English}, urldate = {2019-12-20} } EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware
NetSupportManager RAT
2016-09-30Bleeping ComputerLawrence Abrams
@online{abrams:20160930:hacked:760d56c, author = {Lawrence Abrams}, title = {{Hacked Steam accounts spreading Remote Access Trojan}}, date = {2016-09-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/}, language = {English}, urldate = {2019-12-20} } Hacked Steam accounts spreading Remote Access Trojan
NetSupportManager RAT
2013NetSupport ManagerNetSupport Manager
@online{manager:2013:netsupport:f3fadef, author = {NetSupport Manager}, title = {{NetSupport Manager Website}}, date = {2013}, organization = {NetSupport Manager}, url = {http://www.netsupportmanager.com/index.asp}, language = {English}, urldate = {2020-01-07} } NetSupport Manager Website
NetSupportManager RAT
Yara Rules
[TLP:WHITE] win_netsupportmanager_rat_auto (20230715 | Detects win.netsupportmanager_rat.)
// Autogenerated YARA-Signator rule for NetSupportManager RAT (Malpedia id
// win.netsupportmanager_rat). It is a code-similarity signature: it matches on
// x86 instruction byte sequences extracted from sample disassembly, not on a
// file hash; see the condition at the bottom for the match threshold.
// NOTE(review): NetSupport Manager is a legitimate remote-administration
// product. A hit on this rule identifies the NetSupport client code; whether a
// given deployment is malicious has to be decided from context (how and by whom
// it was installed, and whether the host owner expects it), not from the match
// alone.
rule win_netsupportmanager_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.netsupportmanager_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86 opcode bytes; the commented lines
        // under it give the per-instruction disassembly. A "?" nibble is a YARA
        // wildcard: those operand bytes (e.g. in ff15???????? / e8???????? /
        // 68????????) are left unconstrained, and the disassembly column is
        // blank for them. Presumably these are call/jump targets and data
        // references that vary between builds (cf. signator_config) — confirm
        // against the yara-signator documentation.
        $sequence_0 = { eb59 8bd6 83ea04 f7da 1bd2 83c104 81e240404000 }
            // n = 7, score = 100
            //   eb59                 | jmp                 0x5b
            //   8bd6                 | mov                 edx, esi
            //   83ea04               | sub                 edx, 4
            //   f7da                 | neg                 edx
            //   1bd2                 | sbb                 edx, edx
            //   83c104               | add                 ecx, 4
            //   81e240404000         | and                 edx, 0x404040

        $sequence_1 = { ff15???????? 50 ff15???????? 56 8b7508 6afc 56 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   6afc                 | push                -4
            //   56                   | push                esi

        $sequence_2 = { ff15???????? 85c0 7417 68???????? e8???????? 6800200000 e8???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7417                 | je                  0x19
            //   68????????           |                     
            //   e8????????           |                     
            //   6800200000           | push                0x2000
            //   e8????????           |                     

        $sequence_3 = { eb07 8b01 ff5010 8bd8 83fbff 750d 8b45e8 }
            // n = 7, score = 100
            //   eb07                 | jmp                 9
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   8bd8                 | mov                 ebx, eax
            //   83fbff               | cmp                 ebx, -1
            //   750d                 | jne                 0xf
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]

        $sequence_4 = { eb1f 8b4e10 8b560c 8d45fc 50 8b4608 51 }
            // n = 7, score = 100
            //   eb1f                 | jmp                 0x21
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   8b560c               | mov                 edx, dword ptr [esi + 0xc]
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   51                   | push                ecx

        $sequence_5 = { f7ea d1fa 8bf2 8bc2 c1ee1f 03c6 f6eb }
            // n = 7, score = 100
            //   f7ea                 | imul                edx
            //   d1fa                 | sar                 edx, 1
            //   8bf2                 | mov                 esi, edx
            //   8bc2                 | mov                 eax, edx
            //   c1ee1f               | shr                 esi, 0x1f
            //   03c6                 | add                 eax, esi
            //   f6eb                 | imul                bl

        $sequence_6 = { e8???????? 56 897e18 e8???????? 83c40c 5f 5e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   56                   | push                esi
            //   897e18               | mov                 dword ptr [esi + 0x18], edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_7 = { e8???????? 8a4d0b 8a550b 6a18 c645fc02 884e58 885659 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8a4d0b               | mov                 cl, byte ptr [ebp + 0xb]
            //   8a550b               | mov                 dl, byte ptr [ebp + 0xb]
            //   6a18                 | push                0x18
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   884e58               | mov                 byte ptr [esi + 0x58], cl
            //   885659               | mov                 byte ptr [esi + 0x59], dl

        $sequence_8 = { 8bec 83ec10 8b450c 53 56 2d00020000 57 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   2d00020000           | sub                 eax, 0x200
            //   57                   | push                edi

        $sequence_9 = { e8???????? 85c0 894510 7550 8b4d1c e8???????? 84c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   894510               | mov                 dword ptr [ebp + 0x10], eax
            //   7550                 | jne                 0x52
            //   8b4d1c               | mov                 ecx, dword ptr [ebp + 0x1c]
            //   e8????????           |                     
            //   84c0                 | test                al, al

    condition:
        // Ten sequences are defined above; at least 7 of them must be present,
        // so a sample can lack up to three and still match. The filesize bound
        // means files of 4734976 bytes (about 4.5 MiB) or more never match,
        // regardless of which sequences they contain.
        7 of them and filesize < 4734976
}