Thursday, January 23, 2025
HomeCyber Security NewsWeaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

Published on

SIEM as a Service

Follow Us on Google News

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in ZIP archives with names like “Purchase request” or “Request for quote.” 

They enriched their phishing emails with authentic-looking documents like passports, tax registrations, and company cards, increasing their credibility and tricking victims into opening malicious attachments. 

The malicious script disguised as a PNG image downloads a decoy document from a remote server to deceive the user into believing it’s a legitimate file while potentially executing harmful actions in the background. 

Decoy document in PNG format

An attacker used a PNG image as a decoy to hide a payload, leveraging Windows 10’s built-in curl and bitsadmin utilities to download and execute a malicious BAT file, ultimately installing the main payload.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

The BAT script downloads and installs modified NetSupport Manager components to the user’s AppData directory, potentially enabling remote access and control of the infected system. 

NetSupport RAT, often disguised as a browser update, infiltrates systems via malicious websites.

Once installed, it adds itself to the startup list and connects to a C&C server (xoomep1[.]com:1935 or xoomep2[.]com:1935) to enable remote control of the infected machine. 

Version A infection chain

The malicious JavaScript script, disguised as a legitimate Next.js file, downloads an intermediate script and then fetches a decoy TXT document and the NetSupport RAT installer, executing the latter to compromise the victim’s system.

By downloading NetSupport RAT components to the `%APPDATA%\EdgeCriticalUpdateService` directory, it executes the installer from a text document and uses the `EdgeCriticalUpdateService` autorun registry key for persistence. 

It disguised as a legitimate procurement request downloads and executes a malicious payload (BLD.exe) after obfuscating itself and the download link. It also downloads a decoy document to mask its malicious intent. 

Fully obfuscated version of the malicious script

A malicious NSIS installer disguised as a legitimate Silverlight update leverages DLL side-loading to execute a Remote Manipulator System (RMS) backdoor, stealing sensitive information and providing remote access to the compromised system.

Remote Management Software (RMS), also known as BurnsRAT, is a remote access tool that leverages RDP Wrapper to enable unauthorized remote access to Windows systems, allowing attackers to control infected devices, steal data, and execute malicious commands.

System information sent by the library

NetSupport RAT version D evolved from B, which uses a new link for the second script and fetches an intermediate PowerShell script to download and unpack the NetSupport RAT archive.

The NetSupport RAT delivery method has evolved, transitioning from external ZIP downloads to embedded archives within the script, whose size increased and the file header comment was altered. 

According to Secure List, a transition was made from text files to PDF documents for the bait files, and the RAT files were split up into two databases. 

The TA569 group launched a sustained campaign, initially using BurnsRAT and later transitioning to NetSupport RAT, delivered via a two-server infrastructure, with the goal being to gain unauthorized access to organizations, potentially leading to data theft, system damage, and ransomware attacks.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...