Konni Group Uses Weaponized Word Documents to Deliver RAT Malware

In the ever-evolving cybersecurity domain, the resurgence of NetSupport RAT, a Remote Access Trojan (RAT), has raised concerns among security professionals. 

This sophisticated malware, initially developed as a legitimate remote administration tool, has been repurposed by malicious actors to infiltrate systems and establish remote control.

NetSupport Manager, the software upon which NetSupport RAT is based, originated as a genuine remote technical support tool three decades ago. 

It provided capabilities for file transfers, support chat, inventory management, and remote access. 

While its initial purpose was legitimate, threat actors have exploited its functionalities for malicious purposes.

Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Register for Free

In collaboration with the Threat Analysis Unit, the Carbon Black Managed Detection & Response (MDR) team has witnessed a significant increase in NetSupport RAT infections in recent weeks. 

This surge primarily affects Education, Government, and Business Services organizations.

Delivery Mechanisms and Actor Landscape

The distribution of NetSupport RAT involves a variety of tactics, including fraudulent updates, drive-by downloads, exploitation of malware loaders like GhostPulse, and phishing campaigns. 

Unlike some malware exclusively utilized by specific threat actors, NetSupport RAT has been employed by a range of malicious entities, from novice hackers to sophisticated adversaries.

Recent NetSupport RAT attacks typically involve tricking victims into downloading fake browser updates from compromised websites. 

The initial infection process may vary depending on the specific threat actor’s methodology.

One observed infection scenario involves a victim downloading a fake browser update from a compromised website. 

This update hosts a PHP script that displays a seemingly authentic update prompt. 

Upon clicking the download link, an additional JavaScript payload is downloaded onto the endpoint.

Carbon Black’s Detection and Mitigation Strategies

Carbon Black’s MDR team has developed advanced detection and mitigation strategies to combat NetSupport RAT infections. 

These strategies encompass:

1. Behavioral Analysis: Carbon Black employs behavioral analysis techniques to identify anomalous activities and behaviors associated with NetSupport RAT. This proactive approach allows for the detection of new and evolving threats.
2. Threat Intelligence Integration: Carbon Black incorporates threat intelligence feeds into its detection algorithms, enabling the recognition of known indicators of compromise associated with NetSupport RAT. This facilitates rapid identification and mitigation of infected systems.
3. Comprehensive Endpoint Security: Carbon Black provides robust endpoint security features, safeguarding devices at the point of entry. It can block malicious websites and prevent the execution of malicious files, thwarting attempts to download and install NetSupport RAT.
4. Real-time Monitoring and Response: Carbon Black offers real-time monitoring and response capabilities. It can detect suspicious activities in real-time, allowing security teams to respond promptly to potential NetSupport RAT infections and minimize the damage caused by the malware.
5. Efficient Incident Response: In the event of a NetSupport RAT infection, Carbon Black facilitates efficient incident response. It provides detailed insights into the attack, enabling security teams to understand the extent of the compromise and take appropriate remediation actions.
6. Continuous Updates: Carbon Black maintains vigilance by regularly updating its threat intelligence databases and detection algorithms. This ensures that the system can detect new NetSupport RAT variants and other emerging threats effectively.

The resurgence of NetSupport RAT highlights the ever-evolving nature of cybersecurity threats. 

Carbon Black’s comprehensive detection and mitigation strategies and continuous updates empower organizations to safeguard their systems effectively against this and other evolving threats.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.