Cyber Security News

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in ZIP archives with names like “Purchase request” or “Request for quote.” 

They enriched their phishing emails with authentic-looking documents like passports, tax registrations, and company cards, increasing their credibility and tricking victims into opening malicious attachments. 

The malicious script disguised as a PNG image downloads a decoy document from a remote server to deceive the user into believing it’s a legitimate file while potentially executing harmful actions in the background. 

Decoy document in PNG format

An attacker used a PNG image as a decoy to hide a payload, leveraging Windows 10’s built-in curl and bitsadmin utilities to download and execute a malicious BAT file, ultimately installing the main payload.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

The BAT script downloads and installs modified NetSupport Manager components to the user’s AppData directory, potentially enabling remote access and control of the infected system. 

NetSupport RAT, often disguised as a browser update, infiltrates systems via malicious websites.

Once installed, it adds itself to the startup list and connects to a C&C server (xoomep1[.]com:1935 or xoomep2[.]com:1935) to enable remote control of the infected machine. 

Version A infection chain

The malicious JavaScript script, disguised as a legitimate Next.js file, downloads an intermediate script and then fetches a decoy TXT document and the NetSupport RAT installer, executing the latter to compromise the victim’s system.

By downloading NetSupport RAT components to the `%APPDATA%\EdgeCriticalUpdateService` directory, it executes the installer from a text document and uses the `EdgeCriticalUpdateService` autorun registry key for persistence. 

It disguised as a legitimate procurement request downloads and executes a malicious payload (BLD.exe) after obfuscating itself and the download link. It also downloads a decoy document to mask its malicious intent. 

Fully obfuscated version of the malicious script

A malicious NSIS installer disguised as a legitimate Silverlight update leverages DLL side-loading to execute a Remote Manipulator System (RMS) backdoor, stealing sensitive information and providing remote access to the compromised system.

Remote Management Software (RMS), also known as BurnsRAT, is a remote access tool that leverages RDP Wrapper to enable unauthorized remote access to Windows systems, allowing attackers to control infected devices, steal data, and execute malicious commands.

System information sent by the library

NetSupport RAT version D evolved from B, which uses a new link for the second script and fetches an intermediate PowerShell script to download and unpack the NetSupport RAT archive.

The NetSupport RAT delivery method has evolved, transitioning from external ZIP downloads to embedded archives within the script, whose size increased and the file header comment was altered. 

According to Secure List, a transition was made from text files to PDF documents for the bait files, and the RAT files were split up into two databases. 

The TA569 group launched a sustained campaign, initially using BurnsRAT and later transitioning to NetSupport RAT, delivered via a two-server infrastructure, with the goal being to gain unauthorized access to organizations, potentially leading to data theft, system damage, and ransomware attacks.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

21 hours ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

22 hours ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

22 hours ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

23 hours ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

23 hours ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

24 hours ago