Malpedia identifier: win.netsupportmanager_rat

NetSupportManager RAT

aka: NetSupport

Enigma Software notes that NetSupport Manager is a genuine commercial remote-administration application, first released roughly twenty years ago; its purpose is to let users receive remote technical support or provide remote assistance to other computers. Threat actors have repurposed this legitimate tool for their own campaigns: the references below document delivery through fake browser-update lures (FAKEUPDATES/SocGholish, Parrot TDS), fake Chrome installers, the ServHelper backdoor (TA505) and hijacked Steam accounts. The repurposed deployment has been labelled the NetSupport Manager RAT. Because the underlying software is a legitimate product, a match on the binary alone does not establish malicious intent; triage should weigh the delivery path and whether the installation was sanctioned.

References
2022-05-25 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
@online{reaves:20220525:socgholish:f876e0e, author = {Jason Reaves and Joshua Platt}, title = {{SocGholish Campaigns and Initial Access Kit}}, date = {2022-05-25}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee}, language = {English}, urldate = {2022-06-02} } SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT
2022-04-11 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20220411:fake:e57b0f2, author = {eSentire Threat Response Unit (TRU)}, title = {{Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer}}, date = {2022-04-11}, organization = {eSentire}, url = {https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer}, language = {English}, urldate = {2022-05-24} } Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer
Mars Stealer NetSupportManager RAT
2022-04-07 | Avast Decoded | Pavel Novák, Jan Rubín
@online{novk:20220407:parrot:9c74f9b, author = {Pavel Novák and Jan Rubín}, title = {{Parrot TDS takes over web servers and threatens millions}}, date = {2022-04-07}, organization = {Avast Decoded}, url = {https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/}, language = {English}, urldate = {2022-04-08} } Parrot TDS takes over web servers and threatens millions
FAKEUPDATES Parrot TDS Parrot TDS WebShell NetSupportManager RAT
2022-04-07 | Bleeping Computer | Bill Toulas
@online{toulas:20220407:malicious:f10fb8e, author = {Bill Toulas}, title = {{Malicious web redirect service infects 16,500 sites to push malware}}, date = {2022-04-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/}, language = {English}, urldate = {2022-04-12} } Malicious web redirect service infects 16,500 sites to push malware
NetSupportManager RAT
2020-11-02 | SUCURI | Denis Sinegubko
@online{sinegubko:20201102:cssjs:e800099, author = {Denis Sinegubko}, title = {{CSS-JS Steganography in Fake Flash Player Update Malware}}, date = {2020-11-02}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html}, language = {English}, urldate = {2020-11-04} } CSS-JS Steganography in Fake Flash Player Update Malware
magecart NetSupportManager RAT
2020-05-22 | Positive Technologies | PT ESC Threat Intelligence
@online{intelligence:20200522:operation:6e4f978, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.}}, date = {2020-05-22}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/}, language = {English}, urldate = {2020-11-23} } Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.
NetSupportManager RAT ServHelper
2020-03-19 | Prevailion | Prevailion
@online{prevailion:20200319:curious:082e652, author = {Prevailion}, title = {{The Curious Case of the Criminal Curriculum Vitae}}, date = {2020-03-19}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html}, language = {English}, urldate = {2020-06-30} } The Curious Case of the Criminal Curriculum Vitae
LALALA Stealer NetSupportManager RAT Rekt Loader
2017-09-01 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20170901:eitest:6388761, author = {Brad Duncan}, title = {{EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware}}, date = {2017-09-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/}, language = {English}, urldate = {2019-12-20} } EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware
NetSupportManager RAT
2016-09-30 | Bleeping Computer | Lawrence Abrams
@online{abrams:20160930:hacked:760d56c, author = {Lawrence Abrams}, title = {{Hacked Steam accounts spreading Remote Access Trojan}}, date = {2016-09-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/}, language = {English}, urldate = {2019-12-20} } Hacked Steam accounts spreading Remote Access Trojan
NetSupportManager RAT
2013 | NetSupport Manager | NetSupport Manager
@online{manager:2013:netsupport:f3fadef, author = {NetSupport Manager}, title = {{NetSupport Manager Website}}, date = {2013}, organization = {NetSupport Manager}, url = {http://www.netsupportmanager.com/index.asp}, language = {English}, urldate = {2020-01-07} } NetSupport Manager Website
NetSupportManager RAT
Yara Rules
[TLP:WHITE] win_netsupportmanager_rat_auto (20220516 | Detects win.netsupportmanager_rat.)
rule win_netsupportmanager_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.netsupportmanager_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Each $sequence_N below is a run of seven 32-bit x86 instructions taken
     *   from the sample's disassembly (hex bytes on the left, listing on the
     *   right). The "e8????????" / "ff15????????" entries wildcard the target
     *   operand of call instructions so the sequence still matches when the
     *   code is linked or loaded at a different address.
     * - The "n = 7, score = 100" annotations are emitted by the generator: n is
     *   the instruction count of the sequence; the score is the generator's own
     *   selection weight, not a detection-confidence value.
     * - There is deliberately no PE-header test (uint16(0) == 0x5a4d): the
     *   sequences were also drawn from memory dumps, which need not start with
     *   an MZ header. Add such a test only in an on-disk-only deployment.
     * - NetSupport Manager is a legitimate commercial remote-administration
     *   product that attackers repurpose. A hit on this rule shows NetSupport
     *   client code is present, not malicious intent by itself, and the rule
     *   presumably also fires on sanctioned installs — NOTE(review): not
     *   verified here against a clean vendor build. Triage hits by delivery
     *   path and install location before acting on them.
     */

    strings:
        $sequence_0 = { ff521c 8b10 8d4d94 51 8bc8 ff5244 8b10 }
            // n = 7, score = 100
            //   ff521c               | call                dword ptr [edx + 0x1c]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8d4d94               | lea                 ecx, [ebp - 0x6c]
            //   51                   | push                ecx
            //   8bc8                 | mov                 ecx, eax
            //   ff5244               | call                dword ptr [edx + 0x44]
            //   8b10                 | mov                 edx, dword ptr [eax]

        $sequence_1 = { e8???????? 8bf0 6a5c 56 e8???????? 83c418 85c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   6a5c                 | push                0x5c
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   85c0                 | test                eax, eax

        $sequence_2 = { ff5210 8d4de0 50 8d55d0 51 52 c645fc12 }
            // n = 7, score = 100
            //   ff5210               | call                dword ptr [edx + 0x10]
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   50                   | push                eax
            //   8d55d0               | lea                 edx, [ebp - 0x30]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   c645fc12             | mov                 byte ptr [ebp - 4], 0x12

        $sequence_3 = { f7c600400000 7409 c6450ae0 b901000000 f7c600800000 7409 8b5510 }
            // n = 7, score = 100
            //   f7c600400000         | test                esi, 0x4000
            //   7409                 | je                  0xb
            //   c6450ae0             | mov                 byte ptr [ebp + 0xa], 0xe0
            //   b901000000           | mov                 ecx, 1
            //   f7c600800000         | test                esi, 0x8000
            //   7409                 | je                  0xb
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        $sequence_4 = { e8???????? 8b5628 52 e8???????? 83c408 33c0 5e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b5628               | mov                 edx, dword ptr [esi + 0x28]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi

        $sequence_5 = { e8???????? 8b4d0c 85c9 740a 33d2 83f805 0f9cc2 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   85c9                 | test                ecx, ecx
            //   740a                 | je                  0xc
            //   33d2                 | xor                 edx, edx
            //   83f805               | cmp                 eax, 5
            //   0f9cc2               | setl                dl

        $sequence_6 = { ebc1 6a78 ff15???????? 8b750c 895de8 8b45ac 885dfc }
            // n = 7, score = 100
            //   ebc1                 | jmp                 0xffffffc3
            //   6a78                 | push                0x78
            //   ff15????????         |                     
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   8b45ac               | mov                 eax, dword ptr [ebp - 0x54]
            //   885dfc               | mov                 byte ptr [ebp - 4], bl

        $sequence_7 = { c1f803 f66d10 02c3 884432fd 8a59ff 33c0 8bd3 }
            // n = 7, score = 100
            //   c1f803               | sar                 eax, 3
            //   f66d10               | imul                byte ptr [ebp + 0x10]
            //   02c3                 | add                 al, bl
            //   884432fd             | mov                 byte ptr [edx + esi - 3], al
            //   8a59ff               | mov                 bl, byte ptr [ecx - 1]
            //   33c0                 | xor                 eax, eax
            //   8bd3                 | mov                 edx, ebx

        $sequence_8 = { ff15???????? 8b4668 8d55d4 6a02 52 50 6a00 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8b4668               | mov                 eax, dword ptr [esi + 0x68]
            //   8d55d4               | lea                 edx, [ebp - 0x2c]
            //   6a02                 | push                2
            //   52                   | push                edx
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_9 = { e8???????? 85c0 894510 7550 8b4d1c e8???????? 84c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   894510               | mov                 dword ptr [ebp + 0x10], eax
            //   7550                 | jne                 0x52
            //   8b4d1c               | mov                 ecx, dword ptr [ebp + 0x1c]
            //   e8????????           |                     
            //   84c0                 | test                al, al

    condition:
        // Any 7 of the 10 code sequences must be present; the size cap
        // (4734976 bytes, ~4.5 MiB) bounds scan cost and excludes large
        // unrelated files.
        7 of them and filesize < 4734976
}