Unveiling the NetSupport Threat: McAfee Researchers Delve into the Malware’s Tactics

NetSupport Malware

Cybersecurity continues to be an ever-evolving battlefield, with the NetSupport malware variants emerging as significant players. These variants, analyzed meticulously by McAfee security researchers, highlight the adaptability and evolving infection techniques of modern malware. Predominantly spreading across the United States and Canada, NetSupport has become a symbol of the sophisticated cyber threats faced today.


At the heart of the NetSupport infection chain lie obfuscated JavaScript files, serving as a devious gateway for these malware variants. Upon execution, these JavaScript files engage the Windows Script Host and PowerShell in a carefully orchestrated sequence, leading to the download of the NetSupport payload. This remote administration tool, repurposed with malicious intent, seizes control over compromised systems through the execution of ‘client32.exe’, the client component of NetSupport.

Variant 1 of NetSupport starts with an intricate JavaScript file, filled with a labyrinth of string literals and variables. This complex script carries out numerous operations, from directory changes to file downloads, setting the stage for the execution of ‘client32.exe’. Remarkably, this variant ensures its persistence by sneaking into the ‘MsEdgeSandbox’ folder under AppData and tweaking the Windows Registry for auto-startup.

Variant 2 shares the initial infection chain with its predecessor but distinguishes itself with a unique approach to file manipulation. This variant downloads a text file from the internet, decodes base64-encoded data and crafts a ZIP file containing potentially harmful contents. Its signature move is the establishment of ‘client32.exe’ in a folder labeled ‘D’ under AppData, deviating from the path taken by Variant 1.

The AMSI buffer dumps of these variants shed light on their PowerShell commands and actions. From downloading and extracting files to modifying the Windows Registry, these commands are critical to understanding the full spectrum of the NetSupport malware’s capabilities and intentions.

Once the malicious JavaScript file is activated, it triggers a sequence starting with wscript.exe and then PowerShell, with the execution policy set to “Bypass.” This strategic setting allows the scripts to run unrestrained, sidestepping PowerShell’s script execution policy, a cunning move to facilitate uninterrupted infection.

One of the most alarming aspects of the NetSupport malware is its persistence. Cleverly concealing itself within the user’s profile directories, it becomes a formidable challenge to detect and eradicate. In Variant 1, it creates a “MsEdgeSandbox” folder in AppData, a tactic that exemplifies the malware’s ability to blend into the digital environment.
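The chain described in the preceding paragraphs (wscript.exe spawning PowerShell with `-ExecutionPolicy Bypass`, `client32.exe` executed from the ‘MsEdgeSandbox’ or ‘D’ folder under AppData, a Registry Run entry for auto-startup, and Variant 2’s base64 text that decodes to a ZIP) can be turned into a small set of detection checks. The script below is an added example written for this page; it is not McAfee’s tooling or code from the write-up. The event classes, field names and sample log entries are constructed to resemble process-creation and registry events and are not a real Sysmon or EDR schema.

```python
"""Detection helpers for the NetSupport infection chain discussed above.

Added example, not code from the original write-up. The event shapes and
sample entries below are constructed for illustration only.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Tuple

# Drop folders named in the write-up: Variant 1 uses MsEdgeSandbox, Variant 2 uses D.
SUSPECT_APPDATA_DIRS = ("MsEdgeSandbox", "D")

# client32.exe directly under AppData\<dir>\ or AppData\Roaming|Local\<dir>\ (assumption:
# either layout is treated as suspect since the write-up only says "under AppData").
_CLIENT_PATH_RE = re.compile(
    r"\\AppData\\(?:(?:Roaming|Local)\\)?("
    + "|".join(map(re.escape, SUSPECT_APPDATA_DIRS))
    + r")\\client32\.exe\b",
    re.IGNORECASE,
)

# PowerShell accepts unambiguous switch prefixes, so -ex, -exec and -ep also mean
# -ExecutionPolicy; order the alternatives longest-first so each form matches.
_BYPASS_RE = re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+bypass", re.IGNORECASE)


@dataclass
class ProcessEvent:          # constructed shape, not a real product schema
    parent_image: str
    image: str
    command_line: str


@dataclass
class RegistryEvent:         # constructed shape, not a real product schema
    key: str
    value_name: str
    data: str


def is_wscript_to_powershell_bypass(ev: ProcessEvent) -> bool:
    """Stage 1: Windows Script Host launching PowerShell with the policy bypassed."""
    if not ev.parent_image.lower().endswith("\\wscript.exe"):
        return False
    if not ev.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    return _BYPASS_RE.search(ev.command_line) is not None


def is_netsupport_drop(path_or_cmd: str) -> bool:
    """Stage 2 / persistence: client32.exe living in one of the named AppData folders."""
    return _CLIENT_PATH_RE.search(path_or_cmd) is not None


def is_run_key_persistence(ev: RegistryEvent) -> bool:
    """Run or RunOnce value whose data launches client32.exe from a suspect folder."""
    if "\\currentversion\\run" not in ev.key.lower():   # matches Run and RunOnce
        return False
    return is_netsupport_drop(ev.data)


def decodes_to_zip(text: str) -> bool:
    """Variant 2 trait: a downloaded 'text' file whose base64 body is really a ZIP."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(b"PK\x03\x04")   # local file header magic of a ZIP archive


def triage(process_events: List[ProcessEvent],
           registry_events: List[RegistryEvent]) -> List[Tuple[str, str]]:
    """Run every check and return (finding_kind, evidence) pairs in event order."""
    findings: List[Tuple[str, str]] = []
    for ev in process_events:
        if is_wscript_to_powershell_bypass(ev):
            findings.append(("stage1_wscript_powershell_bypass", ev.command_line))
        if is_netsupport_drop(ev.image):
            findings.append(("netsupport_client_in_appdata", ev.image))
    for ev in registry_events:
        if is_run_key_persistence(ev):
            findings.append(("run_key_persistence", ev.key + "\\" + ev.value_name))
    return findings


# Constructed sample telemetry: one infected-host chain plus two benign look-alikes.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -w hidden -File stage2.ps1"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Users\alice\AppData\Roaming\MsEdgeSandbox\client32.exe",
                 "client32.exe"),
    # Benign: an admin running a deployment script from a console, no wscript parent.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1"),
]
SAMPLE_REGISTRY_EVENTS = [
    RegistryEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "MsEdgeSandbox",
                  r'"C:\Users\alice\AppData\Roaming\MsEdgeSandbox\client32.exe"'),
    RegistryEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                  r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'),
]
# Constructed stand-in for Variant 2's base64 text file (a minimal ZIP header only).
SAMPLE_B64_ZIP = base64.b64encode(b"PK\x03\x04" + b"\x00" * 26).decode()

if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_REGISTRY_EVENTS):
        print(f"{kind}: {evidence}")
    print("base64 text decodes to ZIP:", decodes_to_zip(SAMPLE_B64_ZIP))
```

The stage-1 check keys on the parent/child relationship rather than on the Bypass flag alone, because administrators legitimately run PowerShell with a relaxed policy; a script host as the parent is what makes the combination worth an alert. The path check deliberately accepts either `AppData\<folder>` or `AppData\Roaming|Local\<folder>`, since the write-up only states the folders sit "under AppData".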

The NetSupport malware variants represent a new era of cyber threats, characterized by their cunning adaptability, technical sophistication, and geographical reach. As these variants continue to evolve and spread, it is a stark reminder of the continuous need for vigilance and advanced cybersecurity strategies.