NetSupport malware has been a persistent threat that continues to evolve and adapt its infection techniques. This technical analysis provides insights into the infection chain, technical intricacies, and IOCs (Indicators of Compromise) of various NetSupport malware variants. The heatmap below depicts the current prevalence of NetSupport across the United States and Canada, highlighting its wide geographical reach.
Recently, McAfee Labs has identified a new variation of NetSupport malware that is distributed through JavaScript, indicating the attackers’ evolving tactics to evade detection. The infection chain starts with obfuscated JavaScript files, which serve as the initial point of entry for the malware. Upon execution, the script invokes the Windows Script Host (wscript.exe), which in turn launches PowerShell to download the NetSupport payload, a remote administration tool deployed here with malicious intent.
The first variant of this malware starts with a long and intricate JS file, utilizing PowerShell commands to execute the ‘client32.exe’ binary and establish control over the compromised system. Attackers leverage obfuscated JavaScript files to bypass security mechanisms and initiate the delivery of malicious payloads.
The second variant shares a similar infection chain with the first but takes a distinct approach to manipulating files and content. It creates a ZIP file containing potentially malicious content and installs ‘client32.exe’ in a different folder under the AppData directory.
The malware is known for its persistence and attempts to hide within the user’s profile directories, making it challenging to remove. It creates different directories and installation paths for the ‘client32.exe’ file, maintaining its presence and control over the compromised system.
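The two chain stages described above (wscript.exe spawning PowerShell, then client32.exe running from a folder under AppData) translate directly into process-creation detections. The following is an added example, not McAfee Labs code: it runs two such rules over constructed Sysmon-style events; the user name, the `Drivers` folder and every path are assumptions, not observed indicators.

```python
"""Flag the NetSupport infection-chain stages in process-creation events:
wscript.exe launching powershell.exe, and client32.exe executing from a
user's AppData tree. Event fields mimic Sysmon Event ID 1 (ParentImage,
Image, CommandLine); every sample event below is constructed."""
from pathlib import PureWindowsPath
import re

# Constructed sample telemetry (not from a real incident).
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -f stage.ps1"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\alice\AppData\Roaming\Drivers\client32.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\Drivers\client32.exe"},
    # Legitimate NetSupport Manager install location: must NOT be flagged.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "CommandLine": "client32.exe"},
]

# Any path of the form C:\Users\<user>\AppData\... (case-insensitive).
APPDATA_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'wscript.exe'."""
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return (rule_name, Image) for every event matching a chain stage."""
    hits = []
    for ev in events:
        parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
        # Stage 1: Windows Script Host launching PowerShell (the JS loader).
        if parent == "wscript.exe" and image in ("powershell.exe", "pwsh.exe"):
            hits.append(("wscript_spawns_powershell", ev["Image"]))
        # Stage 2: client32.exe running from a user's AppData tree instead of
        # a Program Files install, the placement described for both variants.
        if image == "client32.exe" and APPDATA_RE.match(ev["Image"]):
            hits.append(("client32_in_appdata", ev["Image"]))
    return hits

if __name__ == "__main__":
    for rule, image in detect(EVENTS):
        print(f"[{rule}] {image}")
```

The Program Files event is included so the AppData rule is seen to pass over a legitimately installed client32.exe; only the two suspicious events are returned.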
Overall, the NetSupport malware variants exhibit a high degree of complexity and adaptability, making it essential for organizations to remain vigilant and implement robust security measures to defend against these evolving threats.