NetSupport RAT: Fake Browser Update Infects Systems with StealC Malware

Cybercriminals continuously evolve their methods to exploit legitimate tools for malicious purposes. They have repurposed NetSupport Manager, originally designed for remote system management, into a Remote Access Trojan (RAT). Security researchers recently detected a new infection chain called #SmartApeSG, which delivers NetSupport RAT and StealC malware through fake browser updates.

Victims first visit a compromised website into which a malicious script has been injected. The infection unfolds as follows:

  1. Attackers inject a JavaScript payload into cinaweine[.]shop/work/original.js.

  2. The fake update page at cinaweine[.]shop/work/index.php tricks users into downloading malware.

  3. The victim unknowingly downloads the payload from cinaweine[.]shop/work/file.php.

  4. The ZIP archive 333.zip is delivered via verifiedtasks[.]com/333.zip.

  5. The infected system connects to 194[.]180.191.229:443, giving the attackers remote control.

The downloaded ZIP archive (333.zip) contains NetSupport RAT, enabling attackers to fully control the victim's device, exfiltrate data, and deploy additional malware like StealC.

Originally developed for IT support, NetSupport Manager has become a favorite tool among cybercriminals. Previous campaigns have used it through COVID-19 phishing emails, drive-by downloads, and malware loaders like GhostPulse. In this latest attack, cybercriminals trick victims using fake browser update pop-ups, a tactic also used by the TA569 group, known for spreading SocGholish malware.

Once installed, the malware runs PowerShell to execute malicious commands, download additional payloads, and establish persistence by modifying the Windows registry:

  • The malware achieves registry persistence at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIVXX.

  • It executes processes using powershell.exe -enc [Base64 Payload].

  • The archive p.zip is extracted to \appdata\roaming\divx-429\.

Indicators of Compromise (IOCs)

Hashes

  • p.zip - c5c974b3315602ffaab9066aeaac3a55510db469b483cb85f6c591e948d16cfe

  • update_browser_10.6336.js - 46bb795f28ef33412b83542c88ef17d2a2a207ad3a927ecb4678b4ac9c5a05a5

  • client32.exe - 213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

C2 Servers and Domains

  • kgscrew[.]com

  • gamefllix[.]com/111.php?9279

  • sdjfnvnbbz[.]pw:443

  • 5.252.177[.]111

Organizations can protect themselves against this malware through several measures:

  • Deploy Endpoint Detection & Response (EDR): Solutions like Carbon Black detect suspicious behaviors linked to NetSupport RAT.

  • Monitor for Behavioral Anomalies: Unexpected PowerShell executions and registry changes signal compromise.

  • Block Known Threats: Threat intelligence feeds help block IOCs and C2 domains tied to this attack.

  • Educate Users: Employees must recognize phishing tactics and fake update scams.

  • Use Network Segmentation: Restricting lateral movement helps isolate infected systems.
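The behavioural indicators above (encoded PowerShell, a Run-key entry, a divx-* staging directory, connections to the listed C2 hosts) and the published hashes can be turned into a small detection pass over endpoint telemetry. The following Python is an added example written for this article, not code from the original post or from any vendor: it takes the article's IOCs and behaviours, decodes the UTF-16LE base64 that PowerShell's -enc argument carries, and runs the checks over a constructed set of Sysmon-style events (the paths, user name and event layout are assumptions, not captured data).

```python
import base64
import re

# Indicators copied from the article's IOC list and its description of
# post-infection behaviour. Hostnames are written without the [.] defanging.
IOC_HASHES = {
    "c5c974b3315602ffaab9066aeaac3a55510db469b483cb85f6c591e948d16cfe": "p.zip",
    "46bb795f28ef33412b83542c88ef17d2a2a207ad3a927ecb4678b4ac9c5a05a5": "update_browser_10.6336.js",
    "213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897": "client32.exe",
}
IOC_HOSTS = {
    "cinaweine.shop", "verifiedtasks.com", "kgscrew.com", "gamefllix.com",
    "sdjfnvnbbz.pw", "5.252.177.111", "194.180.191.229",
}
RUN_KEY_RE = re.compile(r"^HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DIVX_DIR_RE = re.compile(r"\\AppData\\Roaming\\divx-\d+\\", re.I)
ENC_ARG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -enc/-EncodedCommand argument,
    or None if the command line carries no decodable UTF-16LE base64 blob."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_event(ev):
    """Return the alert strings raised by one telemetry event, a dict whose
    'type' is process, registry, network or file (assumed event layout)."""
    alerts = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "").lower()
        if image.endswith("powershell.exe"):
            decoded = decode_encoded_command(ev.get("cmdline", ""))
            if decoded is not None:
                alerts.append("encoded PowerShell: " + decoded.strip())
                if DIVX_DIR_RE.search(decoded):
                    alerts.append("decoded command references divx-* staging directory")
        if DIVX_DIR_RE.search(image):
            alerts.append("process launched from divx-* staging directory")
    elif kind == "registry":
        key = ev.get("key", "")
        if RUN_KEY_RE.match(key):
            alerts.append("Run-key persistence written: " + key)
            if DIVX_DIR_RE.search(ev.get("value", "")):
                alerts.append("Run value points into divx-* staging directory")
    elif kind == "network":
        dst = ev.get("dst", "").lower()
        if dst in IOC_HOSTS:
            alerts.append(f"connection to known C2 {dst}:{ev.get('port')}")
    elif kind == "file":
        if DIVX_DIR_RE.search(ev.get("path", "")):
            alerts.append("file written to divx-* staging directory")
    # A hash check applies to any event that carries one (image or dropped file).
    h = ev.get("hash", "").lower()
    if h in IOC_HASHES:
        alerts.append(f"hash matches IOC {IOC_HASHES[h]}")
    return alerts


def scan(events):
    """Run match_event over a sequence of events; returns (index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in match_event(ev)]


# Constructed sample telemetry (not captured from a real infection): it mirrors
# the behaviours the article lists, plus two benign events that must stay quiet.
ROAMING = r"C:\Users\alice\AppData\Roaming"
_enc = base64.b64encode(
    (ROAMING + r"\divx-429\client32.exe").encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": "git status"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + _enc},
    {"type": "file", "path": ROAMING + r"\divx-429\client32.exe",
     "hash": "213AF995D4142854B81AF3CF73DEE7FFE9D8AD6E84FDA6386029101DBF3DF897"},
    {"type": "registry",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIVXX",
     "value": ROAMING + r"\divx-429\client32.exe"},
    {"type": "network", "dst": "10.0.0.5", "port": 443},
    {"type": "network", "dst": "194.180.191.229", "port": 443},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

The hash and C2 matches are exact-match indicators and will go stale as the campaign rotates infrastructure; the behavioural checks (an encoded PowerShell command line, a new HKCU Run value, anything executing from a freshly created directory under AppData\Roaming) are what keep catching the same chain after the IOCs change, which is why the example raises them separately rather than only when a hash hits.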

NetSupport RAT remains a persistent threat due to its legitimate origins and adaptability. The #SmartApeSG infection chain demonstrates how attackers exploit software update trust to infiltrate networks. With real-time monitoring, advanced detection, and proactive threat hunting, organizations can mitigate this evolving cyber risk.