Use of fake browser updates is the new technique to attack other devices.
For more such updates, follow @Seninjaz_tech
#cybersecurity #NetSupportrat #trojan #security #cybercrime #weekulyupdates #secninjaztechnologies
Observed #NetSupportRAT
➡️js Browser_update16.0.5836.js->DLs and exec 11.bat from magydostravel[.]com
➡️11.bat->DLs lolo.7z,7zip,22.bat from mangoairsoft[.]com
➡️lolo.7z->NetSupportRAT-> C2: 94.158.247[.]23:5050
➡️22.bat->persistence regkey->NetSupportRAT
I am naming this #RogueRaticate campaign that leverages URL shortcuts to drop #NetSupportRAT 🐀
1/
➡️ The user is getting infected via a drive-by download with the fake update screen (similar to SocGholish behavior). The initial payload is hosted on compromised WordPress
1/ #SocGholish #FakeUpdates 👻
Similar to the previous infection x.com/anfam17/status…
Download URL: publicccescpolace[.]com
NetSupportRAT C2: 94.158.244[.]118:1203
Observed #netsupportrat
➡️Compressed gzip file containing a JavaScript file called date_browser_176436.js
➡️JS->writes a compressed zip named 'Update - 920240108.zip' containing 3 JavaScript files->JS->DLs VBS from https[:]//choosetotruck[.]com/cache/letter.php->loads PS
#SOCGholish observed
➡️FakeBrowserUpdate downloads and runs on system.
➡️Implant of NetSupportRAT
➡️NetSupportRAT established connections: noinmsyvhruhjbi4hs[.]cn, gkdkr[.]icu
Beware: FIN7 hacker group's latest tactic involves using malicious Google Ads to distribute NetSupport RAT.
Stay vigilant and ensure robust cybersecurity measures!
#FIN7 #CyberSecurity #NetSupportRAT
1/ #socgholish deploying #NetSupportRAT at the first stage. The threat actor(s) deployed a PowerShell script via the NetSupport session after 2 days. Thanks to dr4k0nia for a reversing session; she found the next stage to be #asyncrat 🐀
Protect your organization from phishing with NetSupport RAT, cloud platform abuse for undetectable URLs, and hackers targeting Windows NTLM hashes. Get our comprehensive guide now - wati.com/guide-to-prote…
#PhishingEmails #NetSupportRAT #CloudSecurity #WATICybersecurity
1/ #socgholish is this you? 👻
➡️UpdateInstaller.zip > Update.js
➡️Retrieves #NetSupportRAT 🐀 and batch scripts from C2
🖥️C2 IP: 188.127.231[.]11
eSentire Threat Intel
🐀 #NetSupportRAT might look harmless, but criminals love this tool - use these #KQL queries to check your environment for signs of compromise! 🕵️ github.com/reversinglabs/…
#malware #infosec #informationsecurity #cybersecurity #threatintel #threatintelligence #microsoftsentinel
#socgholish #NetSupportRat
SocGholish Stage1 - taxes.rpacx[.]com
SocGholish Stage2 - hjgk67kg[.]xyz
SocGholish Stage3 - *.asset.tradingvein[.]xyz
NetSupportRat C2 - 52226asdiobioboioie[.]com (IP 94.158.244.38)
Observed #NetSupportRAT
A new domain has been observed trk.canadiantrk[.]site, leading to a download of Version2.exe which installs an instance of transmission-qt which then implants NetSupportRAT, C2 206.166.251[.]123.
CC Gi7w0rm, Namecheap.com
Other commodity #malware used by the group comprises a combination of remote access #trojans & information stealers such as #AsyncRAT, #NetSupportRAT, & #Rhadamanthys.
Beware of the new #CyberThreat — the remote access trojan, NetSupportRAT.
Through fraudulent updates, malware and phishing, criminals are hacking into victims’ computers and networks...
To protect your business, call our team of #CyberSecurity specialists on 01252 843014.
1/
Two-in-one: Wallet drainer & #NetSupportRAT
Mass mentions & DMs to lure -> Pokemon Stacking Cards Game (82226526)
/pokemoncards-nft.com
Notif to: 195.133.197[.]185
🚩Etherscan
0xaAcCa4Ed989A3508d37e2432ADE900B8Ce657d2F
has back-and-forth txs: 0xE497Dc4cDCCbE258968A65dEBbe2006d3B3Ad15f