Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in ZIP archives with names like “Purchase request” or “Request for quote.” 

They enriched their phishing emails with authentic-looking documents like passports, tax registrations, and company cards, increasing their credibility and tricking victims into opening malicious attachments. 

The malicious script disguised as a PNG image downloads a decoy document from a remote server to deceive the user into believing it’s a legitimate file while potentially executing harmful actions in the background. 

An attacker used a PNG image as a decoy to hide a payload, leveraging Windows 10’s built-in curl and bitsadmin utilities to download and execute a malicious BAT file, ultimately installing the main payload.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

The BAT script downloads and installs modified NetSupport Manager components to the user’s AppData directory, potentially enabling remote access and control of the infected system. 

NetSupport RAT, often disguised as a browser update, infiltrates systems via malicious websites.

Once installed, it adds itself to the startup list and connects to a C&C server (xoomep1[.]com:1935 or xoomep2[.]com:1935) to enable remote control of the infected machine. 

The malicious JavaScript script, disguised as a legitimate Next.js file, downloads an intermediate script and then fetches a decoy TXT document and the NetSupport RAT installer, executing the latter to compromise the victim’s system.

By downloading NetSupport RAT components to the `%APPDATA%\EdgeCriticalUpdateService` directory, it executes the installer from a text document and uses the `EdgeCriticalUpdateService` autorun registry key for persistence. 

It disguised as a legitimate procurement request downloads and executes a malicious payload (BLD.exe) after obfuscating itself and the download link. It also downloads a decoy document to mask its malicious intent. 

A malicious NSIS installer disguised as a legitimate Silverlight update leverages DLL side-loading to execute a Remote Manipulator System (RMS) backdoor, stealing sensitive information and providing remote access to the compromised system.

Remote Management Software (RMS), also known as BurnsRAT, is a remote access tool that leverages RDP Wrapper to enable unauthorized remote access to Windows systems, allowing attackers to control infected devices, steal data, and execute malicious commands.

NetSupport RAT version D evolved from B, which uses a new link for the second script and fetches an intermediate PowerShell script to download and unpack the NetSupport RAT archive.

The NetSupport RAT delivery method has evolved, transitioning from external ZIP downloads to embedded archives within the script, whose size increased and the file header comment was altered. 

According to Secure List, a transition was made from text files to PDF documents for the bait files, and the RAT files were split up into two databases. 

The TA569 group launched a sustained campaign, initially using BurnsRAT and later transitioning to NetSupport RAT, delivered via a two-server infrastructure, with the goal being to gain unauthorized access to organizations, potentially leading to data theft, system damage, and ransomware attacks.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar