![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture1-1.png\")
<\/center><\/p>\nFigure 1 : NetSupport Heat Map<\/p>\n
McAfee Labs recently identified a new variation of NetSupport malware, which was distributed through JavaScript, highlighting the evolving tactics employed by cybercriminals.<\/p>\n
Infection Chain<\/strong><\/p>\n Figure 2 : Infection Chain<\/p>\n This Variant starts with a very long JS file. It follows an intricate infection chain, utilizing PowerShell commands. Key steps include changing the directory to the user’s AppData, setting variables, downloading files, and eventually executing ‘client32.exe’. This executable establishes control over the compromised system and registers for auto-startup through Windows Registry, following which the ‘client32.exe’ binary is placed in the ‘MsEdgeSandbox’<\/em> folder under AppData, providing persistence.<\/p>\n The JS code looks like as shown in the picture below. Attackers leverage obfuscated JavaScript files as the starting point of an infection chain. These files are designed to bypass security mechanisms and initiate the delivery of malicious payloads.<\/p>\n Figure 3: Encoded Java Script File<\/p>\n It contains a long list of string literals, each consisting of random characters and sequences of letters. These strings are typically used for various purposes in the code, such as constructing URLs, setting values for variables, or possibly for other purposes. The code defines several variables (hy, hY, hE, hi) and a function named ‘y’.<\/p>\n Figure 4 : Encoded Java Script File<\/p>\n Figure 5 : Encoded Java Script File<\/p>\n Figure 6 : Encoded Java Script File<\/p>\n The script shown in the AMSI buffer dumps in Figure 7, begins by changing the directory to the user’s AppData folder. It then sets up variables and proceeds to download and execute files. If certain commands are unavailable, it uses ‘bitsadmin’ for file downloads. The script ensures persistence by altering directory attributes, launching ‘client32.exe,’ and adding a Windows registry entry for automatic execution.<\/p>\n Figure 7 : AMSI Dump<\/p>\n Figure 8 : Code block<\/p>\n \u00a0 \u00a0 Figure 9 : Code block<\/p>\n Figure 10 : Code block<\/p>\n Figure 11 : Code block<\/p>\n Variant 2 of this malware shares a similar infection chain as Variant 1. Like Variant 1, it starts with obfuscated but different JavaScript files and subsequently invokes PowerShell. However, what sets Variant 2 apart is its distinct approach to manipulating files and content. It downloads a text file from a website, decodes base64-encoded data, and creates a ZIP file with potentially malicious content. Variant 2 differs significantly when it comes to file manipulation. Instead of placing the ‘client32.exe’ in the ‘MsEdgeSandbox’ folder like Variant 1, it follows an alternative path. In this case, it establishes the ‘client32.exe’ in a folder labeled ‘D’<\/em> under AppData. This distinct approach to file placement sets it apart from Variant 1, despite the shared initial infection chain.<\/p>\n The JS file as shown in Figure 12, includes two variables, ‘F4f’ and ‘EQGMUD.’ ‘F4f’ is set to a specific value, 140743580. ‘EQGMUD’ is a bit more complex; it’s a string formed by converting numerical values into characters. These values are derived by subtracting ‘F4f’ (140743580) from them. Finally, the ‘eval’ function is used to run the code stored in ‘EQGMUD’ as JavaScript, essentially executing this string as a script.<\/p>\n Figure 12 : Encoded Java Script File<\/p>\n The AMSI buffer dumps as shown in Figure 13, contains PowerShell commands that perform several actions, including downloading a file from the internet, extracting it, and making changes to the windows registry.<\/p>\n Figure 13 : AMSI Dump<\/p>\n Figure 15 : Process Tree<\/p>\n Once the JavaScript file is executed, it launches wscript.exe and then launches PowerShell with the following command.<\/p>\n powershell.exe -ExecutionPolicy Bypass -V<\/em><\/p>\n Figure 16 : PowerShell Command<\/p>\n This way, PowerShell with the execution policy set to \u201cBypass\u201d, which means that PowerShell will not enforce any execution restrictions. This allows scripts to run without any policy-related restrictions.<\/p>\n This malware is known for its persistence and attempts to hide within the user’s profile directories, which makes it challenging to remove.<\/p>\n It creates a \u201cMsEdgeSandbox<\/em>\u201d folder in AppData in the first variant and downloads the following files in that folder.<\/p>\n Figure 17 : Created Directory<\/p>\n Various installation paths were seen in different variants.<\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple2q6lxy6v\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple2q6lxy6v\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple2abm1oct\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple2w35hfwm7\\client32.exe<\/em><\/p>\n C:\\Users\\user>\\AppData\\Roaming\\Apple2abm1oct\\client32.exe<\/em><\/p>\n c:\\users\\user\\appdata\\roaming\\apple2u8g65jb\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple22w3r7sx\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple2hnrvoo\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple2kvu25\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple25aoyh\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple2i262cp\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple2hnrvoo\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple2g057yi\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple22fu82\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple25aoyh\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple2kvu25\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\Apple22fu82\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_5frlv9\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_y8yyxp\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_v8qm4f\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_y44ztr\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_joafqo\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_ncfy5n\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_v8qm4f\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_y44ztr\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_y8yyxp\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_ncfy5n\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_joafqo\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_5frlv9\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_z8yde3x\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\ Apple2_z8yde3x\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Local\\Temp\\o2pi4q4o.i1y\\client32.exe<\/em><\/p>\n c:\\users\\user \\appdata\\roaming\\d\\client32.exe<\/em><\/p>\n C:\\Users\\user\\AppData\\Roaming\\D\\client32.exe<\/em><\/p>\n client32<\/em><\/p>\n c:\\users\\user\\appdata\\roaming\\d\\client32.exe<\/em><\/p>\n C:\\Program Files (x86)\\NetSupport\\NetSupport DNA\\Client\\dnarc.exe<\/em><\/p>\n c:\\program files (x86)\\netsupport\\netsupport dna\\client\\dnarc.exe<\/em><\/p>\n <\/p>\n Figure 18 : File Signature<\/p>\n Client32.ini<\/strong>: This file contains the configuration settings for NetSupport Manager. It governs how NetSupport Manager interacts with managed hosts and allows operators to configure various options.<\/p>\n NSM.LIC<\/strong>: The LIC file contains license details related to the NetSupport Manager installation, which are essential for proper licensing and software activation.<\/p>\n Figure 19 : INI File<\/p>\n jokosampbulid1.com:1412<\/em><\/p>\n Domain: jokosampbulid1.com<\/em><\/p>\n Port: 1412<\/em><\/p>\n C2<\/strong><\/p>\n Figure 20 : C2 Communication<\/p>\n The analysis of NetSupport malware variants has revealed a persistent and continually evolving threat landscape. These variants employ intricate infection chains and technical intricacies to accomplish their malicious goals. Our investigation has provided insights into their modus operandi, including downloading, and executing files through obfuscated JavaScript code and altering the Windows Registry for persistence.<\/p>\n At McAfee Labs, our commitment is unwavering. We strive to provide robust and effective threat defense mechanisms to safeguard our users from a wide array of threats, including NetSupport and its various iterations. Our security software harnesses the power of signature-based, machine learning, threat intelligence, and behavior-based detection techniques, all working together to identify and thwart threats effectively. In an ever-changing digital landscape, our focus remains on keeping you safe and secure from emerging threats.<\/p>\n <\/p>\n 73e0975c94ebcdec46fd23664ccecf8953dd70eea1f4e5813e7f8cd8d2dbc4f9<\/td>\n<\/tr>\n <\/p>\n","protected":false},"excerpt":{"rendered":" NetSupport malware variants have been a persistent threat, demonstrating adaptability and evolving infection techniques. In this technical analysis, we delve…<\/p>\n","protected":false},"author":695,"featured_media":177476,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-177152","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture2-2.png\")
<\/center><\/p>\nTechnical Analysis<\/strong><\/h2>\n
Variant 1: <\/strong><\/h3>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture3.png\")
<\/center><\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture4.png\")
<\/center><\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture5.png\")
<\/center><\/li>\n<\/ul>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture6.png\")
<\/center><\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture7.png\")
<\/center><\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture8.png\")
<\/center><\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture9.png\")
<\/center><\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture10.png\")
<\/center><\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture11.png\")
<\/center><\/p>\nVariant 2: <\/strong><\/h3>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture12.png\")
<\/center><\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture13.png\")
<\/center><\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture14.png\")
<\/center><\/p>\n
\n<\/strong>Figure 14 : Directory Created<\/p>\n\n
Process Tree<\/strong><\/h3>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture15.png\")
<\/center><\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture16.png\")
<\/center><\/p>\nPersistence<\/strong><\/h3>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture17.png\")
<\/center><\/p>\nPayload Overview<\/strong><\/h3>\n
\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture18.png\")
<\/center><\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture19.png\")
<\/center><\/p>\n\n
\n
\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture20.png\")
<\/center><\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/Picture21.png\")
\nFigure 21 : HXXP Stream<\/p>\nConclusion:\u00a0<\/strong><\/h3>\n
IOCs<\/strong><\/h3>\n
Variant 1:<\/strong><\/h3>\n
\n\n
\n Type<\/strong><\/td>\n SHA256<\/strong><\/td>\n<\/tr>\n<\/thead>\n\n \n JS<\/td>\n 5ffb5e9942492f15460e58660dd121b31d4065a133a6f8461554ea8af5c407aa<\/td>\n<\/tr>\n \n EXE<\/td>\n 89F0C8F170FE9EA28B1056517160E92E2D7D4E8AA81F4ED696932230413A6CE1<\/td>\n<\/tr>\n \n URL<\/td>\n hxxp:\/\/45[.]15[.]158[.]212\/fakeurl.htm<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Variant 2:<\/strong><\/h3>\n
\n\n
\n Type<\/strong><\/td>\n SHA256<\/strong><\/td>\n<\/tr>\n<\/thead>\n\n \n JS<\/td>\n 48bc766326068e078cf258dea70d49dcce265e4e6dbf18f1a0ce28d310f6a89a<\/p>\n \n URL<\/td>\n hxxps:\/\/svirtual[.]sanviatorperu[.]edu[.]pe\/readme.txt<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n