Concerned about VPN vulnerabilities? Learn how you can benefit from our VPN migration offer including 60 days free service.

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

NetSupport RAT installed via fake update notices

image
GAYATHRI ANBALAGAN
November 15, 2019 - 6 min read

Recently, the Zscaler ThreatLabZ team came across two campaigns designed to trick users into downloading a Remote Access Trojan (RAT) via a fake Flash Player update and a font update. These campaigns are designed to inject malicious redirector scripts into compromised content management system (CMS) sites. These sites use popular programs, such as WordPress, Joomla, Drupal, and others, and are being attacked as a result of vulnerabilities introduced by plugins, themes, and extensions, something we’ve discussed previously on this blog. The two malware campaigns we examine in this blog deliver a payload designed to steal sensitive information.

The following figure depicts the hits on the various compromised sites. Overall, Zscaler has blocked nearly 40,000 of these attempts in the past three months.

Image

Figure 1: The number of hits on the various types of compromised CMS sites: WordPress (green), Joomla (gold), Drupal (blue), and other CMS sites (orange)



Method 1: Fake Flash Player update campaign

In this attack, cybercriminals hacked WordPress sites using the theme plugin vulnerability and injected two malicious redirect scripts in the compromised site. By using either one of the scripts, the attackers will deploy malware at the user’s end. The injected script will redirect to the malware site and download the fake update template script to show a fake Flash Player update alert to the user over the compromised site.
Image

Figure 2: A compromised WordPress site with the fake Flash Player update page
 

The following figure shows the source code of the compromised website with the injected scripts.
Image

Figure 3: The injected redirector scripts in a compromised CMS site
 

The first injected script will direct the user to click.clickanalytics208[.]com to download the fake update template. If it fails to meet the attacker's checkpoints, such as geolocation and network settings, then it will execute the next injected script.
Image

Figure 4: The first injected malicious script redirects to the click.clickanalytics208[.]com site
 

The second injected script will redirect to the chrom-update[.]online site and will download the fake update template script from the malicious site.
Image

Figure 5: The second injected malicious script redirects to the chrom-update[.]online site
 

The attacker will send the template.js file as a layer of the compromised site with a fake update page. The fake update page template will be displayed based on the particular variable’s value, also called a “banner.”
Image

Figure 6: The default template.js code [banner value = 1: browser update; 2: font; 3: Flash]
 

The fake template page will display an alert to try to trick the user into starting the update. Once the user clicks the "Update" button, the script downloads the malicious HTA file from the specified URL. 
Image

Figure 7: A fake Flash Player update page with the link to download malicious HTA file
 

If the user clicks the "Later" button, the redirect still occurs, taking the user to the same page to download the malicious HTA file. The following figure depicts the source code of the template.js with the link to download the malicious HTA file with the banner value 3.
Image

Figure 8: The source code of the template.js script from the redirection URL (chrome-update[.]online)
 

Once the user runs the HTA file, it will also run the PowerShell application using the command prompt and download the RAT payload from the specified URL.
Image

Figure 9: The source code of the downloaded malicious HTA file
 

Image

Figure 10: The obfuscated content responsible for the malware download
 

Image

Figure 11: The deobfuscated code showing the download link
 

Image

Figure 12: Step 1 of the malware payload installation process
 

Image

Figure 13: Step 2 of the malware payload installation process
 

Image

Figure 14: The NetSupport RAT malware running as a client-side application
 

Finally, the installed RAT malware will send the victim's information in an encrypted format to the attacker’s site (hxxp://179.43.146[.]90/fakeurl.htm) to enable remote access of the victim’s machine, as shown in Figure 15 below.

Image

Figure 15: The captured user data is transferred to the attacker’s site in an encrypted format

Image

Figure 16: The overall traffic of the fake Flash Player update malware campaign
 

The attackers were also tracking the visitor count, as shown in Figure 17 below. So far, 113,000 unique users were affected by this malware attack.
Image

Figure 17: The affected user count
 

Method 2: Fake font update campaign

In this attack, the cybercriminals will directly inject the fake update template script by exploiting the legitimate site to evade detection. As mentioned earlier, the template script logic will identify which browser is being used.

While accessing the compromised site via Chrome, the user will receive an alert that the “PT Sans” font wasn’t found.
 

Image

Figure 18: The compromised site with a fake font update page (Chrome)
 

The same site was accessed via Firefox and shows the same alert to the user in the Firefox template.

Image

Figure 19: A compromised site with a fake font update page (Firefox)
 

The following image shows the source code of the compromised site with the injected template script.
 

Image

Figure 20: The template.js is injected directly into the compromised site
 

The source code of the template.js script shows a banner value “2” and has a link (sreex[.]info/update.exe) to download the malware payload.
Image

Figure 21: The source code of the template.js script with the malware download link
 

Image

Figure 22: After clicking the update button, the malware payload will be downloaded (via update.exe)
 

The following activities were observed while executing the downloaded Trojan.

Image

Figure 23: The program created a process “gdsun.exe”  from the malware payload (a self-copy of the payload)
 

Image

Figure 24: The malware creates a copy of the payload in the %ProgramData%/<randomfolder_name> folder

 

Image

Figure 25: It also creates a startup registry entry for the dropped malware
 

It will post the following collected user data to (clickies(.)site/CC/index(.)php), which is operated by the attackers.
Image

Figure 26: Post-infection callback traffic
 

Image

Figure 27: The overall traffic of the fake font update campaign
 

Conclusion

In today's digital world, a company's website is its most valuable asset. Therefore, it is critically important for companies to protect this public face from an attack that could put your business, employees, and your customers at risk. Zscaler has blocked more than 40,000 malicious attacks related to this campaign in the past three months.
Image

Figure 28: The Zscaler Risk Analyzer score for the malware payload download URL
 

IOCs

URLs:

click.clickanalytics208(.)com

chrom-update(.)online

asasasqwqq(.)xyz

bitbucket(.)org/execuseme1/1312/downloads/download.hta

xyxyxyxyxy(.)xyz/wwwwqwe/11223344.exe

179(.)43(.)146(.)90/fakeurl(.)htm

sygicstyle(.)xyz

sreex(.)info/update(.)exe

clickies(.)site/CC/index(.)php
 

Malware payload:

5ad69da64dacdf87c5bdea12a20ca8fd4d34e6a16c37dfbb9a2af8df79901504(download.hta)

9c69a1d81133bc9d87f28856245fbd95bd0853a3cfd92dc3ed485b395e5f1ba0(11223344.exe)

ea137c0079624de8d2f8b174d44f90faa58c4eda558f7d5db0efa742f36c2cdf(update.exe)
 

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.