Phishing Attacks Now Exploit Legitimate Software for Malicious Purposes

Cybercriminals can be often seen using commercially available legitimate software like NetSupport Manager to carry out cyberattacks on targeted networks.

What happened

The NetSupport Manager is often used by threat actors for targeting users from the USA, Netherlands, and Germany, although other countries might be affected as well. Threat actors using the NetSupport Manager as a Remote Access Trojan (RAT) have been mainly observed using traditional phishing methods to launch attack campaigns.

  • In May 2020, Microsoft warned of an ongoing COVID-19 themed campaign, in which hackers were sending phishing emails pretending to be from the Johns Hopkins Center as an update on the number of Coronavirus-related deaths in the United States.
  • In this massive campaign, NetSupport Manager RAT was being distributed via COVID-19 phishing emails containing malicious Excel attachments.

Other recent attacks

  • In April 2020, a hacker named TA4562 targeted energy, manufacturing industry, marketing/advertising, technology, IT, and construction companies with ServLoader and the NetSupport Manager RAT to steal user credentials using a lure around a missed zoom meeting.
  • In March 2020, TA505 group had launched a business email compromise-style phishing campaign to target businesses in Germany. The attack targeted human resources executives using the NetSupport Manager remote control administration software for intel-gathering and data theft.
  • In February 2020, hackers were found spreading a malicious Microsoft Word document disguised as a password-protected NortonLifelock document to install and deliver NetSupport Manager RAT. 
  • In the same month, another phishing campaign targeted well-known twenty-seven companies with specially crafted emails that pretend to be from the company's vendor or client to deliver NetSupport Manager as final payload.

Fake update notifications

NetSupport Manager RAT has been used to compromise websites and trick users into downloading it via fake browser or software update alerts.
  • In November 2019, attackers were seen targeting the compromised content management system (CMS) sites (based on WordPress, Joomla, Drupal, and others) to deliver the NetSupport Manager RAT to the victims.
  • In September 2019, a malicious redirection campaign dubbed FakeUpdates (SocGholish), using Domen toolkit, leveraged compromised websites to fake browser and software update alerts to spread NetSupport Manager RAT.
  • In April 2018, compromised sites were used to spread fake updates masquerading as Adobe Flash, Chrome, and Firefox updates to install and infect the final payload NetSupport Manager RAT.
  • The first known attack was in September 2017, when a malware campaign was spotted using HoeflerText Pop-Ups to push NetSupport Manager RAT to target Google Chrome users.

Stay alert

Users should update their applications and web browsers only with official patches provided by the software developers. Use antivirus or anti-spyware software to automatically eliminate malicious files. Avoid posting email addresses publicly to avoid spam and phishing emails.