NetSupport RAT Infections Surge in 2023

2023 has seen a concerning increase in the use of NetSupport RAT, a tool originally designed for legitimate remote administration but now increasingly adopted by cybercriminals. The sectors primarily affected include education, government, and business services, leading to heightened concern among cybersecurity experts. NetSupport RAT’s shift from a legitimate remote administration tool to a weapon in cybercriminals’ arsenal has been gradual but significant. Its misuse dates back to at least 2016, but recent years have seen a notable escalation in both the frequency and sophistication of attacks that use it.

VMware Carbon Black’s Managed Detection & Response team, collaborating with their Threat Analysis Unit, has identified more than 15 new NetSupport RAT infections in a short span. These findings align with observations from Trellix and Malwarebytes, emphasizing the RAT’s increasing deployment in cyberattacks. The RAT’s ability to stealthily infiltrate systems and grant remote access to attackers poses a growing threat.

The infection methods of NetSupport RAT are diverse and deceptive. Cybercriminals often use compromised websites that display what look like legitimate update prompts to trick users into downloading the RAT. This includes tactics like displaying fake Cloudflare DDoS protection pages on compromised WordPress sites. Once deployed, the RAT uses JavaScript-based downloaders like SocGholish to execute remote commands, download critical payloads, and establish control via command-and-control servers. Its capabilities extend to monitoring user behavior, transferring files, altering computer settings, and propagating through networks.
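One way to hunt for the delivery chain described above in endpoint process-creation telemetry, as an added example rather than code from any vendor cited here. It assumes the NetSupport Manager client binary is named `client32.exe` and that legitimate installs sit under Program Files; the events, host names, paths and rule names are constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: a legitimate NetSupport Manager install lives under Program Files.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed process-creation events (host, parent image, image, command line).
EVENTS = [
    {"host": "edu-lab-07", "cmdline": r'wscript.exe "C:\Users\student\Downloads\Update.js"',
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"host": "edu-lab-07", "cmdline": "client32.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\student\AppData\Roaming\ctl\client32.exe"},
    {"host": "it-admin-01", "cmdline": "client32.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"},
    {"host": "fin-ws-12", "cmdline": r"notepad.exe C:\Users\amy\Documents\notes.txt",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

def exe_name(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the names of the hunting rules this event matches."""
    image, cmd = event["image"].lower(), event["cmdline"].lower()
    hits = []
    # Rule 1: remote-admin client running from outside its install directory.
    if exe_name(image) == "client32.exe" and not image.startswith(TRUSTED_ROOTS):
        hits.append("netsupport_client_outside_program_files")
    # Rule 2: a browser launches a script host on a .js file in a user-writable
    # directory, the pattern a fake "update" download produces.
    if (exe_name(image) in SCRIPT_HOSTS and exe_name(event["parent"]) in BROWSERS
            and ".js" in cmd and any(d in cmd for d in USER_WRITABLE)):
        hits.append("browser_spawned_js_from_user_dir")
    return hits

def triage(events):
    """Group rule hits per host; a host matching both rules deserves priority."""
    by_host = defaultdict(set)
    for e in events:
        by_host[e["host"]].update(classify(e))
    return {h: sorted(r) for h, r in by_host.items() if r}

if __name__ == "__main__":
    for host, rules in triage(EVENTS).items():
        print(host, rules)
```

The sanctioned install on `it-admin-01` is not flagged, which is the point of keying on location rather than file name alone: the same binary is benign or hostile depending on where it runs from and what launched it.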

In an in-depth analysis of a January 2023 incident, The DFIR Report highlighted the use of NetSupport RAT in a full domain compromise, showcasing its potential for large-scale network infiltration. Similarly, Nuspire’s Q1 2023 Cyber Threat Report identified NetSupport RAT as a newly active botnet, underscoring its emergence as a significant cyber threat. The increasing prevalence of NetSupport RAT infections is a stark reminder of the evolving and sophisticated nature of cyber threats. The versatility and stealth of NetSupport RAT make it a potent tool for cybercriminals, capable of causing extensive harm to organizations. This calls for enhanced vigilance and the implementation of robust cybersecurity measures, including updated defense mechanisms, employee awareness training, and the deployment of advanced threat detection systems.

The surge in NetSupport RAT infections in 2023 underscores the dynamic landscape of cybersecurity threats and the need for continuous adaptation in defensive strategies. It’s crucial for organizations across various sectors to stay informed and proactive in their cybersecurity efforts to mitigate the risks posed by such sophisticated and versatile cyber threats.
