
New JS#SMUGGLER Campaign Drops NetSupport RAT Through Infected Sites

Securonix Threat Research has uncovered a sophisticated new malware campaign, dubbed JS#SMUGGLER, which is actively deploying the NetSupport Remote Access Trojan (RAT) through a multi-stage infection process. The campaign, analyzed by Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, aims to establish complete and persistent remote control over victim computers. The attack chain is built in three distinct stages, each employing evasion techniques to bypass standard security defenses, and ultimately grants the threat actors full, covert access to compromised systems for surveillance and data exfiltration.

The initial vector for JS#SMUGGLER is a compromised website that loads an obfuscated JavaScript loader, often sourced from domains such as boriver.com. The loader performs environment checks and proceeds with the full infection only if it detects a desktop device. A notable evasion tactic is that the script delivers its payload only once per user, keeping a low profile before fetching the next stage from domains like stoneandjon.com. The obfuscation is intricate: the malicious instructions are hidden among thousands of benign or random characters inside comment blocks, crafted specifically to defeat automated scanners.

Following the initial JavaScript execution, the second stage silently deploys a covert HTML Application (HTA), which runs invisibly via the legitimate Windows program mshta.exe. Critical to its stealth, the code embedded in the HTA is wrapped in multiple layers of protection: AES-256-ECB encryption, Base64 encoding, and GZIP compression. The payload is only fully decoded and executed in memory, so no plaintext copy of it is written to disk where antivirus could easily inspect it. The final step installs NetSupport RAT, with PowerShell code fetching a compressed archive from domains such as kindstki.com. NetSupport Manager is a legitimate IT administration tool, but its deployment in this context is an abuse of it as a potent RAT.

Once NetSupport RAT is established, the threat actors gain extensive capabilities: full remote desktop control, the ability to browse and steal files, arbitrary command execution, and surveillance. For persistence, the malware extracts its components into an innocuous-looking folder, typically C:\ProgramData\CommunicationLayer, and creates a fake Startup shortcut, such as WindowsUpdate.lnk, so the RAT launches automatically every time the victim logs in. This persistence mechanism underscores the professional and active nature of the operation. Security teams are advised to bolster endpoint defenses to detect suspicious script activity (such as mshta.exe and PowerShell execution) and unauthorized process execution, and users should carefully validate all software downloads to mitigate risks from such multi-layered threats.
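As an added example, not part of the Securonix research or the Hackread article, the PowerShell below hunts a single Windows host for the persistence artifacts described above. The folder name (CommunicationLayer under ProgramData) and the shortcut name (WindowsUpdate.lnk) are taken from the write-up; the checks on running processes (anything executing out of the staging folder, and mshta.exe or powershell.exe whose parent is a browser) are this example's own heuristics and are assumptions, not behaviour the article documents.

```powershell
# Added example: hunt for the JS#SMUGGLER / NetSupport RAT persistence artifacts
# described in the write-up. Run in an elevated PowerShell session so that the
# all-users Startup folder and every process's command line are readable.
# Folder and shortcut names are from the article; the process heuristics are
# this example's own assumptions.

$findings = @()

# 1. Staging folder: the article names C:\ProgramData\CommunicationLayer.
$stageDir = Join-Path $env:ProgramData 'CommunicationLayer'
if (Test-Path -LiteralPath $stageDir) {
    $findings += [pscustomobject]@{ Indicator = 'Staging folder present'; Detail = $stageDir }
    foreach ($f in Get-ChildItem -LiteralPath $stageDir -Recurse -File -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{
            Indicator = 'Staged file'
            Detail    = "$($f.FullName) ($($f.Length) bytes, written $($f.LastWriteTime))"
        }
    }
}

# 2. Startup shortcuts: flag the named shortcut in either the per-user or the
#    all-users Startup folder, plus any .lnk whose target lives in the staging folder.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        $byName   = $lnk.Name -ieq 'WindowsUpdate.lnk'
        $byTarget = $target -and $target.StartsWith($stageDir, [StringComparison]::OrdinalIgnoreCase)
        if ($byName -or $byTarget) {
            $findings += [pscustomobject]@{ Indicator = 'Startup shortcut'; Detail = "$($lnk.FullName) -> $target" }
        }
    }
}

# 3. Live processes (heuristic, assumption of this example): anything running from the
#    staging folder, and script hosts whose parent is a browser, which is the shape of
#    the mshta.exe / PowerShell stages described above.
$browsers = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe', 'opera.exe')
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
foreach ($p in $procs) {
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name.ToLower() } else { '' }

    if ($p.ExecutablePath -and $p.ExecutablePath.StartsWith($stageDir, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += [pscustomobject]@{ Indicator = 'Process running from staging folder'; Detail = "$($p.ProcessId) $($p.ExecutablePath)" }
    }
    if (($p.Name -ieq 'mshta.exe' -or $p.Name -ieq 'powershell.exe') -and ($browsers -contains $parentName)) {
        $findings += [pscustomobject]@{ Indicator = 'Script host spawned by browser'; Detail = "$parentName -> $($p.Name): $($p.CommandLine)" }
    }
}

if ($findings.Count -eq 0) {
    'No JS#SMUGGLER persistence indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Treat a hit on the staging folder or the shortcut as high confidence, since both names are specific to this campaign; the browser-parent check will also fire on legitimate installers and some enterprise tooling, so review the captured command line before acting on it. A shortcut's TargetPath is read through the WScript.Shell COM object rather than by trusting the file name, because the article notes the shortcut is named to look like Windows Update.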

To read the complete article check out the link: https://hackread.com/jssmuggler-netsupport-rat-infected-sites/.

This post is licensed under CC BY 4.0 by the author.