Saturday, June 22, 2024

Konni Group Uses Weaponized Word Documents to Deliver RAT Malware

In the ever-evolving cybersecurity domain, the resurgence of NetSupport RAT, a Remote Access Trojan (RAT), has raised concerns among security professionals. 

This sophisticated malware, initially developed as a legitimate remote administration tool, has been repurposed by malicious actors to infiltrate systems and establish remote control.

NetSupport Manager, the software upon which NetSupport RAT is based, originated as a genuine remote technical support tool three decades ago. 

It provided capabilities for file transfers, support chat, inventory management, and remote access. 

While its initial purpose was legitimate, threat actors have exploited its functionalities for malicious purposes.

Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

In collaboration with the Threat Analysis Unit, the Carbon Black Managed Detection & Response (MDR) team has witnessed a significant increase in NetSupport RAT infections in recent weeks. 

This surge primarily affects Education, Government, and Business Services organizations.

Delivery Mechanisms and Actor Landscape

The distribution of NetSupport RAT involves a variety of tactics, including fraudulent updates, drive-by downloads, exploitation of malware loaders like GhostPulse, and phishing campaigns. 

Unlike some malware exclusively utilized by specific threat actors, NetSupport RAT has been employed by a range of malicious entities, from novice hackers to sophisticated adversaries.

Recent NetSupport RAT attacks typically involve tricking victims into downloading fake browser updates from compromised websites. 

The initial infection process may vary depending on the specific threat actor’s methodology.

One observed infection scenario involves a victim downloading a fake browser update from a compromised website. 

This update hosts a PHP script that displays a seemingly authentic update prompt. 

Upon clicking the download link, an additional JavaScript payload is downloaded onto the endpoint.

Carbon Black’s Detection and Mitigation Strategies

Carbon Black’s MDR team has developed advanced detection and mitigation strategies to combat NetSupport RAT infections. 

These strategies encompass:

  1. Behavioral Analysis: Carbon Black employs behavioral analysis techniques to identify anomalous activities and behaviors associated with NetSupport RAT. This proactive approach allows for the detection of new and evolving threats.
  2. Threat Intelligence Integration: Carbon Black incorporates threat intelligence feeds into its detection algorithms, enabling the recognition of known indicators of compromise associated with NetSupport RAT. This facilitates rapid identification and mitigation of infected systems.
  3. Comprehensive Endpoint Security: Carbon Black provides robust endpoint security features, safeguarding devices at the point of entry. It can block malicious websites and prevent the execution of malicious files, thwarting attempts to download and install NetSupport RAT.
  4. Real-time Monitoring and Response: Carbon Black offers real-time monitoring and response capabilities. It can detect suspicious activities in real-time, allowing security teams to respond promptly to potential NetSupport RAT infections and minimize the damage caused by the malware.
  5. Efficient Incident Response: In the event of a NetSupport RAT infection, Carbon Black facilitates efficient incident response. It provides detailed insights into the attack, enabling security teams to understand the extent of the compromise and take appropriate remediation actions.
  6. Continuous Updates: Carbon Black maintains vigilance by regularly updating its threat intelligence databases and detection algorithms. This ensures that the system can detect new NetSupport RAT variants and other emerging threats effectively.

The resurgence of NetSupport RAT highlights the ever-evolving nature of cybersecurity threats. 

Carbon Black’s comprehensive detection and mitigation strategies and continuous updates empower organizations to safeguard their systems effectively against this and other evolving threats.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles