Researchers pointed out that this malware campaign uses various social-engineering themes that imitate browser and application updates, including Chrome/Firefox, Flash Player, and Microsoft Teams.
The threat actors reportedly lured users with a fake Chrome update delivered through a drive-by download: they host a malicious website whose content urges the visitor to install a critical browser update, and the page then pushes an archive file containing the malware to the visitor's browser.
NetSupport Manager is a commercially available Remote Administration Tool (RAT) with legitimate uses: it gives administrators remote access to users' computers. The threat actors, however, use NetSupport Manager as their primary tool for gaining remote access to victims' machines.
NetSupport RAT malware package dropped under the %AppData% directory
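Because the dropped package lands under %AppData%, a quick triage step is to enumerate that tree for recently written executables and archives, judging each file by its magic bytes rather than its extension. The script below is an added example written for this page, not code from the report or from NetSupport; the seven-day window, the extension list, and the fallback to the home directory when %AppData% is unset are assumptions.

```python
"""Hunt for executables and archives recently dropped under %AppData%.

Added example, not from the original report. Files are classified by
magic bytes so a PE renamed to .txt or .dat is still caught.
"""
import os
import time
from pathlib import Path

# Magic bytes: PE executables start with "MZ", ZIP-style archives with "PK\x03\x04".
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
# Extensions expected to carry PE content (assumption); anything else with an
# MZ header is reported as disguised.
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx"}


def classify(path):
    """Return 'pe', 'pe-disguised', 'archive' or None from the file header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None
    if head.startswith(PE_MAGIC):
        return "pe" if Path(path).suffix.lower() in PE_EXTENSIONS else "pe-disguised"
    if head.startswith(ZIP_MAGIC):
        return "archive"
    return None


def find_recent_drops(root, max_age_days=7, now=None):
    """Walk `root`; return sorted [(path, kind, age_days)] for PE/archive files
    modified within the last `max_age_days` days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                mtime = p.stat().st_mtime
            except OSError:
                continue  # unreadable or vanished file; skip it
            if mtime < cutoff:
                continue  # older than the hunting window
            kind = classify(p)
            if kind:
                hits.append((str(p), kind, round((now - mtime) / 86400, 1)))
    return sorted(hits)


if __name__ == "__main__":
    # On Windows %AppData% resolves to the Roaming profile directory; the
    # fallback to the home directory is an assumption for other platforms.
    appdata = os.environ.get("APPDATA") or os.path.expanduser("~")
    for path, kind, age in find_recent_drops(appdata):
        print(f"{kind:12s} {age:5.1f}d  {path}")
```

Review every `pe-disguised` hit by hand; a PE hiding behind a document extension in a user-writable profile directory is rarely legitimate, whereas plain `.exe` hits need to be matched against known installers (Teams, Discord and similar products do update themselves from %AppData%).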
It is always worthwhile to confirm that downloaded content originated from a legitimate source and not from a suspicious site.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Avoid downloading files from unknown websites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
- Monitor for beaconing at the network level to detect and block the RAT's command-and-control traffic and any data exfiltration by the threat actors.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
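A RAT such as NetSupport Manager has to poll its gateway at regular intervals, so the network-level monitoring recommended above can be reduced to a periodicity check on proxy logs. The script below is an added example written for this page, not code from the report; the log format, the sample lines, the jitter threshold and the `NetSupport Manager/1.3` User-Agent indicator (drawn from public reporting on the NetSupport gateway client, not from this page) are assumptions to be validated against your own samples.

```python
"""Flag beacon-like HTTP traffic in proxy logs.

Added example, not from the original report. Requests from one source to one
destination are grouped, and a pair whose inter-request gaps have a low
coefficient of variation is reported as a probable beacon.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp src dst method uri user-agent" (assumed format).
# 10.0.0.15 polls every ~30 s; 10.0.0.22 browses irregularly; 10.0.0.31 makes two requests.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.15 203.0.113.7 POST /fakeurl.htm NetSupport Manager/1.3
2024-01-10T09:00:30 10.0.0.15 203.0.113.7 POST /fakeurl.htm NetSupport Manager/1.3
2024-01-10T09:01:01 10.0.0.15 203.0.113.7 POST /fakeurl.htm NetSupport Manager/1.3
2024-01-10T09:01:30 10.0.0.15 203.0.113.7 POST /fakeurl.htm NetSupport Manager/1.3
2024-01-10T09:02:00 10.0.0.15 203.0.113.7 POST /fakeurl.htm NetSupport Manager/1.3
2024-01-10T09:02:31 10.0.0.15 203.0.113.7 POST /fakeurl.htm NetSupport Manager/1.3
2024-01-10T09:00:00 10.0.0.22 198.51.100.9 GET / Mozilla/5.0 (Windows NT 10.0) Firefox/120.0
2024-01-10T09:00:05 10.0.0.22 198.51.100.9 GET /news Mozilla/5.0 (Windows NT 10.0) Firefox/120.0
2024-01-10T09:01:40 10.0.0.22 198.51.100.9 GET /article/1 Mozilla/5.0 (Windows NT 10.0) Firefox/120.0
2024-01-10T09:02:00 10.0.0.22 198.51.100.9 GET /article/2 Mozilla/5.0 (Windows NT 10.0) Firefox/120.0
2024-01-10T09:07:30 10.0.0.22 198.51.100.9 GET /login Mozilla/5.0 (Windows NT 10.0) Firefox/120.0
2024-01-10T09:08:00 10.0.0.22 198.51.100.9 POST /login Mozilla/5.0 (Windows NT 10.0) Firefox/120.0
2024-01-10T09:03:00 10.0.0.31 203.0.113.7 GET /update.zip Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
2024-01-10T09:03:05 10.0.0.31 203.0.113.7 GET /favicon.ico Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<ua>.+)$"
)
# User-Agent reported in public analyses for the NetSupport gateway client.
# ASSUMPTION: not taken from this page; confirm against your own captures.
KNOWN_UA = "NetSupport Manager/1.3"


def parse(log_text):
    """Parse log lines into (epoch_seconds, src, dst, uri, ua); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        events.append((ts, m["src"], m["dst"], m["uri"], m["ua"]))
    return events


def find_beacons(events, min_samples=5, max_jitter=0.2):
    """Return {(src, dst): summary} for pairs with regular inter-request gaps.

    max_jitter is the largest coefficient of variation (stdev / mean) of the
    gaps that still counts as periodic; min_samples avoids judging short bursts.
    """
    by_pair = defaultdict(list)
    ua_by_pair = defaultdict(set)
    for ts, src, dst, _uri, ua in events:
        by_pair[(src, dst)].append(ts)
        ua_by_pair[(src, dst)].add(ua)

    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_samples:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            results[pair] = {
                "interval_s": round(mean, 1),
                "jitter": round(jitter, 3),
                "count": len(stamps),
                "known_ua": KNOWN_UA in ua_by_pair[pair],
            }
    return results


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: every {info['interval_s']}s, jitter {info['jitter']}, "
              f"{info['count']} requests, known UA: {info['known_ua']}")
```

Tune `min_samples` and `max_jitter` to your traffic: software updaters and telemetry also poll on a schedule, so the periodicity hit is a lead to triage (destination reputation, User-Agent, process on the host) rather than a verdict on its own.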