Threat officials have observed an increasingly popular Clickfix technology to provide a remote access trojan named NetSupport Rat since early January 2025.
Net support rats that are normally propagated through fake websites and fake browser updates, have full control over the victim’s host to attackers, monitor the device’s screen in real time, and control the keyboard and mouse commands that allow for malicious releases and execution, uploading and downloading files.
Originally known as Netsupport Manager, it was developed as a legal remote IT support program, but was later reused by malicious actors, targeting organizations, screenshots, audio, video, files, etc. We have captured confidential information.
“Clickfix is a technique used by threatening users to inject fake Captcha web pages into compromised websites, and users can use malicious PowerShell commands to download and run malware payloads. I will tell you to follow specific steps to copy and run,” Esentire said in the analysis.
In the attack chain identified by a cybersecurity company, PowerShell commands are used to download and run the NetSupport RAT client from a remote server that hosts malicious components in the form of PNG image files.
The Clickfix approach is also used to propagate updated versions of Lumma Stealer malware to decrypt configuration files containing a list of command and control (C2) servers using Chacha20 Cipher, so that’s why development will be done.
“These changes provide insight into the evasion tactics employed by developers who are actively working to avoid current extraction and analytical tools,” Esentire said.
Source link
