Attackers used a specially crafted Pokemon NFT card game website to distribute the NetSupport remote access tool to control victim devices.
The website, “Pokemon GO”[.]io, which was still online at the time of writing, claims to be home to a new NFT card game built around the Pokémon franchise, promising users strategic fun and an NFT return on investment.
Given the popularity of both Pokémon and NFTs, it is not difficult for the operators of such a site to lure visitors through malspam, social media posts, and similar channels.

Clicking the “Play on PC” button downloads an executable that looks like a legitimate game installer, but actually installs the NetSupport Remote Access Tool (RAT) on the victim’s system.
The operation was uncovered by analysts, who reported that a second site, ‘beta-pokemoncards’[.]io, was also used in the campaign but has since gone offline.
The first signs of this campaign’s activity appeared in December 2022, but earlier samples retrieved from VirusTotal showed the same operator pushing fake Visual Studio files instead of Pokémon games.
Dropping the NetSupport RAT
The NetSupport RAT executable (‘client32.exe’) and its dependencies are installed in a new folder under the %APPDATA% path. The folder and files are set to ‘hidden’ to avoid detection by victims who manually inspect their file systems.

Additionally, the installer creates an entry in the Windows Startup folder to ensure the RAT runs on system startup.
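The following PowerShell hunt is an added example, not code from the article or from any vendor. It looks for the persistence pattern just described on the host being triaged: a hidden folder directly under %APPDATA% that contains client32.exe, a Startup-folder entry whose target points into %APPDATA%, and any client32 process currently running. The folder location and file name come from the article; the output layout, the decision to hash the binary, and the “confirmed chain” check are my own assumptions.

```powershell
# Added detection example (not from the article): triage a Windows host for the
# NetSupport RAT drop-and-persist pattern - hidden %APPDATA% folder + client32.exe
# + Startup-folder entry. Run in PowerShell on the suspect host; output shape and
# the hash step are this example's choices, not anything the article specifies.

$appData = $env:APPDATA
$startup = [Environment]::GetFolderPath('Startup')   # per-user Startup folder

# 1. Hidden directories directly under %APPDATA% that contain client32.exe.
#    -Force is required; without it Get-ChildItem silently skips hidden items.
$dropped = Get-ChildItem -Path $appData -Directory -Force |
    Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) } |
    ForEach-Object {
        $client = Join-Path $_.FullName 'client32.exe'
        if (Test-Path -LiteralPath $client) {
            [PSCustomObject]@{
                Folder  = $_.FullName
                Created = $_.CreationTime
                Sha256  = (Get-FileHash -LiteralPath $client -Algorithm SHA256).Hash
            }
        }
    }

# 2. Startup-folder entries whose launch target lives under %APPDATA%.
#    .lnk shortcuts are resolved through WScript.Shell; other files are taken as-is.
$wsh = New-Object -ComObject WScript.Shell
$startupRefs = Get-ChildItem -Path $startup -File -Force | ForEach-Object {
    $target = if ($_.Extension -ieq '.lnk') {
        $wsh.CreateShortcut($_.FullName).TargetPath
    } else {
        $_.FullName
    }
    [PSCustomObject]@{ Entry = $_.FullName; Target = $target }
} | Where-Object { $_.Target -like "$appData\*" }

# 3. Is a client32 process running right now, and from which path?
$running = Get-Process -Name client32 -ErrorAction SilentlyContinue |
    Select-Object Id, Path, StartTime

"Hidden %APPDATA% folders containing client32.exe:"
$dropped     | Format-Table -AutoSize | Out-String
"Startup-folder entries pointing into %APPDATA%:"
$startupRefs | Format-Table -AutoSize | Out-String
"Running client32 processes:"
$running     | Format-Table -AutoSize | Out-String

# A dropped folder that is also referenced from the Startup folder matches the
# full chain the article describes; treat that host as compromised.
$confirmed = foreach ($d in $dropped) {
    if ($startupRefs | Where-Object { $_.Target -like "$($d.Folder)\*" }) { $d.Folder }
}
if ($confirmed) {
    Write-Warning "NetSupport persistence chain confirmed in: $($confirmed -join ', ')"
}
```

A sanctioned NetSupport Manager deployment normally lives under Program Files rather than a hidden per-user %APPDATA% folder, so a hit from this script is a strong lead; compare the reported SHA-256 against the binaries your organization has actually approved before declaring it benign, and extend the Startup check to the Run/RunOnce registry keys if your environment also allows those.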
Since the NetSupport RAT (NetSupport Manager) is a legitimate program, attackers commonly use it in hopes of evading security software.

Attackers can remotely connect to a user’s device to steal data, install other malware, or even attempt to spread it over the network.
Although NetSupport Manager is a legitimate software product, it is commonly used by attackers as part of malicious campaigns.
In 2020, Microsoft warned of a phishing actor using COVID-19-themed Excel files to drop the NetSupport RAT onto recipients’ computers.
In August 2022, a campaign targeting WordPress sites used fake Cloudflare DDoS-protection pages to install the NetSupport RAT and Raccoon Stealer on victims.
NetSupport Manager supports numerous connectivity options including remote screen control, screen recording, system monitoring, remote system grouping for better control and network traffic encryption.
In an attacker’s hands, however, the consequences of such an infection are wide-ranging and severe, chiefly unauthorized access to users’ sensitive data and the download of further malware.