Risk hunters are alerting to a brand new marketing campaign that employs misleading web sites to trick unsuspecting customers into executing malicious PowerShell scripts on their machines and infect them with the NetSupport RAT malware.
The DomainTools Investigations (DTI) staff mentioned it recognized “malicious multi-stage downloader Powershell scripts” hosted on lure web sites that masquerade as Gitcode and DocuSign.
“These websites try to deceive customers into copying and operating an preliminary PowerShell script on their Home windows Run command,” the corporate mentioned in a technical report shared with The Hacker Information.
“Upon doing so, the powershell script downloads one other downloader script and executes on the system, which in flip retrieves extra payloads and executes them finally putting in NetSupport RAT on the contaminated machines.”
It is believed that these counterfeit websites could also be propagated through social engineering makes an attempt over e-mail and/or social media platforms.
The PowerShell scripts current hosted on the pretend Gitcode websites are designed to obtain a collection of intermediate PowerShell scripts from an exterior server (“tradingviewtool[.]com”) which might be utilized in succession to launch NetSupport RAT on sufferer machines.
DomainTools mentioned it additionally recognized a number of web sites spoofing Docusign (e.g., docusign.sa[.]com) to ship the identical distant entry trojan however with a twist: Utilizing ClickFix-style CAPTCHA verifications to dupe victims into operating the malicious PowerShell script.
Just like the not too long ago documented assault chains delivering the EDDIESTEALER infostealer, customers who land on the pages are requested to show they aren’t a robotic by finishing the test.
Triggering the CAPTCHA verification causes an obfuscated PowerShell command to be clandestinely copied to the consumer’s clipboard — a way known as clipboard poisoning — after which they’re instructed to launch the Home windows Run dialog (“Win + R”), paste (“CTRL + V”), and press Enter, inflicting the script to be executed within the course of.
The PowerShell script works by downloading a persistence script (“wbdims.exe”) from GitHub to make sure that the payload is launched robotically when the consumer logs in to the system.
“Whereas this payload was now not accessible in the course of the time of investigation, the expectation is that it checks in with the supply web site through ‘docusign.sa[.]com/verification/c.php,'” DomainTools mentioned. “Upon doing so, it triggers a refresh within the browser for the web page to show the content material of ‘docusign.sa[.]com/verification/s.php?an=1.'”
This ends in the supply of a second-stage PowerShell script, which then downloads and executes a third-stage ZIP payload from the identical server by setting the URL parameter “an” to “2.” The script proceeds to unpack the archive and run an executable named “jp2launcher.exe” current inside it, in the end resulting in the deployment of NetSupport RAT.
“The a number of phases of scripts downloading and operating scripts that obtain and run but extra scripts is probably going an try to evade detection and be extra resilient to safety investigations and takedowns,” the corporate mentioned.
It is at present not clear who’s behind the marketing campaign, however DomainTools identified that it recognized related supply URL, area naming, and registration patterns in reference to a SocGholish (aka FakeUpdates) marketing campaign detected in October 2024.
“Notably, the strategies concerned are commonplace and NetSupport Supervisor is a reliable administration instrument identified to be leveraged as a RAT by a number of menace teams akin to FIN7, Scarlet Goldfinch, Storm-0408, and others.”
