#netsupportmanager — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #netsupportmanager, aggregated by home.social.
-
The website wavesandwild[.]com was compromised with the ClickFix social engineering technique to trick victims into executing malicious commands injected into their clipboard which installs and runs NetSupport RAT, a remote access tool. NetSupport RAT is based on NetSupport Manager, a legitimate tool which is frequently used by bad actors for malicious purposes. NetSupport Manager, used maliciously or otherwise, provides full and complete control over the victim’s device. Once the client has been installed, attackers can access, acquire, and manipulate any data on the device (exfiltrate data, execute additional payloads).
The gory (and potentially boring) technical details are as follows. I wanted to share these details for folks like me who track and monitor ClickFix attacks. Do NOT visit or interact with any of the below content. Thanks for sharing this attack!
———————————
Full Attack Chain:
wavesandwild[.]com (compromised site)
--> POST polygon.publicnode[.]com/polygon.drpc[.]org to perform transaction lookup for next domain: "to": "0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A", "data": "0xe00fe2eb" (aka 'EtherHiding')
--> Download and process content on hxxps://sentrydb[.]org/track.php
--> Load victim's clipboard, display ClickFix splash screen
--> Victim copy and pastes malicious obfuscated command to their clipboard
--> powershell downloads and executes feinmotorik.geschenkideen-die-foerdern[.]de/index.html
--> Retrieves feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt
--> Extracts and XOR-decrypts an embedded blob within the PNG file 'clik.txt'
--> Installs and runs NetSupport RAT using embedded configuration files
--> C2 communication established with 216.158.95[.]180:443, tamweelke[.]com:443, or bcrfix[.]com:443
--> Host reconnaissance command results (OS, username, date, application name (SecurityHealth), computer name, IP details) sent to hxxp://172.245.25[.]134:8787/collect, likely for victim prioritization effortsIOCs
wavesandwild[.]com - Compromised website (ClickFix)
polygon.publicnode[.]com - RPC domain lookup
polygon.drpc[.]org - Fallback RPC domain lookup
0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A - wallet address containing the next stage
hxxps://sentrydb[.]org/track.php - Domain retrieved via the RPC lookup which filters victims based on response and if passes checks, delivers the ClickFix command to be pasted into the victim's clipboard
feinmotorik.geschenkideen-die-foerdern[.]de/index.html - URL in obfuscated ClickFix powershell command
feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt - additional URL contacted containing the PNG file with the embedded, encrypted NetSupport RAT
ip-api[.]com/json/?fields=query,country,city - IP address lookup for victim
hxxp://172.245.25[.]134:8787/collect - Exfiltrated recon data destination stolen from victim's host
216.158.95[.]180:443 - NetSupport RAT gateway address
tamweelke[.]com:443 - NetSupport RAT gateway address
bcrfix[.]com:443 - Secondary NetSupport RAT gateway address
CH-124FF74C - index string, potential campaign ID?
29b68bb454600b0abd1aad1f861bd11f28cd6cf9cd39cec53cc36
275e5b085534f64313b50cbdcb08ecd59c57d21c96bb937f140ee92a3d27f792 - SecurityHealth.exe (NetSupport RAT)Interesting findings:
The error messages in the final Powershell script block are in Russian.
The embedded index string is CH-124FF74C (campaign identifier?).
Each stage listed above was heavily obfuscated, making reverse engineering analysis extremely tedious and time-consuming.
The malware attempts to remove all entries from the RunMRU registry key to hide the ClickFix execution evidence.
Clik.txt is not actually a TXT file but rather a PNG file which contains an embedded malicious blob along with the XOR key to decrypt and run the NetSupport RAT.
Sekoia calls this IClickFix - https://www.sekoia.com/blog/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic#clickfix #etherhiding #netsupportrat #netsupportmanager #malware #reverseengineering
-
The website wavesandwild[.]com was compromised with the ClickFix social engineering technique to trick victims into executing malicious commands injected into their clipboard which installs and runs NetSupport RAT, a remote access tool. NetSupport RAT is based on NetSupport Manager, a legitimate tool which is frequently used by bad actors for malicious purposes. NetSupport Manager, used maliciously or otherwise, provides full and complete control over the victim’s device. Once the client has been installed, attackers can access, acquire, and manipulate any data on the device (exfiltrate data, execute additional payloads).
The gory (and potentially boring) technical details are as follows. I wanted to share these details for folks like me who track and monitor ClickFix attacks. Do NOT visit or interact with any of the below content. Thanks for sharing this attack!
———————————
Full Attack Chain:
wavesandwild[.]com (compromised site)
--> POST polygon.publicnode[.]com/polygon.drpc[.]org to perform transaction lookup for next domain: "to": "0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A", "data": "0xe00fe2eb" (aka 'EtherHiding')
--> Download and process content on hxxps://sentrydb[.]org/track.php
--> Load victim's clipboard, display ClickFix splash screen
--> Victim copy and pastes malicious obfuscated command to their clipboard
--> powershell downloads and executes feinmotorik.geschenkideen-die-foerdern[.]de/index.html
--> Retrieves feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt
--> Extracts and XOR-decrypts an embedded blob within the PNG file 'clik.txt'
--> Installs and runs NetSupport RAT using embedded configuration files
--> C2 communication established with 216.158.95[.]180:443, tamweelke[.]com:443, or bcrfix[.]com:443
--> Host reconnaissance command results (OS, username, date, application name (SecurityHealth), computer name, IP details) sent to hxxp://172.245.25[.]134:8787/collect, likely for victim prioritization effortsIOCs
wavesandwild[.]com - Compromised website (ClickFix)
polygon.publicnode[.]com - RPC domain lookup
polygon.drpc[.]org - Fallback RPC domain lookup
0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A - wallet address containing the next stage
hxxps://sentrydb[.]org/track.php - Domain retrieved via the RPC lookup which filters victims based on response and if passes checks, delivers the ClickFix command to be pasted into the victim's clipboard
feinmotorik.geschenkideen-die-foerdern[.]de/index.html - URL in obfuscated ClickFix powershell command
feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt - additional URL contacted containing the PNG file with the embedded, encrypted NetSupport RAT
ip-api[.]com/json/?fields=query,country,city - IP address lookup for victim
hxxp://172.245.25[.]134:8787/collect - Exfiltrated recon data destination stolen from victim's host
216.158.95[.]180:443 - NetSupport RAT gateway address
tamweelke[.]com:443 - NetSupport RAT gateway address
bcrfix[.]com:443 - Secondary NetSupport RAT gateway address
CH-124FF74C - index string, potential campaign ID?
29b68bb454600b0abd1aad1f861bd11f28cd6cf9cd39cec53cc36
275e5b085534f64313b50cbdcb08ecd59c57d21c96bb937f140ee92a3d27f792 - SecurityHealth.exe (NetSupport RAT)Interesting findings:
The error messages in the final Powershell script block are in Russian.
The embedded index string is CH-124FF74C (campaign identifier?).
Each stage listed above was heavily obfuscated, making reverse engineering analysis extremely tedious and time-consuming.
The malware attempts to remove all entries from the RunMRU registry key to hide the ClickFix execution evidence.
Clik.txt is not actually a TXT file but rather a PNG file which contains an embedded malicious blob along with the XOR key to decrypt and run the NetSupport RAT.
Sekoia calls this IClickFix - https://www.sekoia.com/blog/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic#clickfix #etherhiding #netsupportrat #netsupportmanager #malware #reverseengineering
-
The website wavesandwild[.]com was compromised with the ClickFix social engineering technique to trick victims into executing malicious commands injected into their clipboard which installs and runs NetSupport RAT, a remote access tool. NetSupport RAT is based on NetSupport Manager, a legitimate tool which is frequently used by bad actors for malicious purposes. NetSupport Manager, used maliciously or otherwise, provides full and complete control over the victim’s device. Once the client has been installed, attackers can access, acquire, and manipulate any data on the device (exfiltrate data, execute additional payloads).
The gory (and potentially boring) technical details are as follows. I wanted to share these details for folks like me who track and monitor ClickFix attacks. Do NOT visit or interact with any of the below content. Thanks for sharing this attack!
———————————
Full Attack Chain:
wavesandwild[.]com (compromised site)
--> POST polygon.publicnode[.]com/polygon.drpc[.]org to perform transaction lookup for next domain: "to": "0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A", "data": "0xe00fe2eb" (aka 'EtherHiding')
--> Download and process content on hxxps://sentrydb[.]org/track.php
--> Load victim's clipboard, display ClickFix splash screen
--> Victim copy and pastes malicious obfuscated command to their clipboard
--> powershell downloads and executes feinmotorik.geschenkideen-die-foerdern[.]de/index.html
--> Retrieves feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt
--> Extracts and XOR-decrypts an embedded blob within the PNG file 'clik.txt'
--> Installs and runs NetSupport RAT using embedded configuration files
--> C2 communication established with 216.158.95[.]180:443, tamweelke[.]com:443, or bcrfix[.]com:443
--> Host reconnaissance command results (OS, username, date, application name (SecurityHealth), computer name, IP details) sent to hxxp://172.245.25[.]134:8787/collect, likely for victim prioritization effortsIOCs
wavesandwild[.]com - Compromised website (ClickFix)
polygon.publicnode[.]com - RPC domain lookup
polygon.drpc[.]org - Fallback RPC domain lookup
0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A - wallet address containing the next stage
hxxps://sentrydb[.]org/track.php - Domain retrieved via the RPC lookup which filters victims based on response and if passes checks, delivers the ClickFix command to be pasted into the victim's clipboard
feinmotorik.geschenkideen-die-foerdern[.]de/index.html - URL in obfuscated ClickFix powershell command
feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt - additional URL contacted containing the PNG file with the embedded, encrypted NetSupport RAT
ip-api[.]com/json/?fields=query,country,city - IP address lookup for victim
hxxp://172.245.25[.]134:8787/collect - Exfiltrated recon data destination stolen from victim's host
216.158.95[.]180:443 - NetSupport RAT gateway address
tamweelke[.]com:443 - NetSupport RAT gateway address
bcrfix[.]com:443 - Secondary NetSupport RAT gateway address
CH-124FF74C - index string, potential campaign ID?
29b68bb454600b0abd1aad1f861bd11f28cd6cf9cd39cec53cc36
275e5b085534f64313b50cbdcb08ecd59c57d21c96bb937f140ee92a3d27f792 - SecurityHealth.exe (NetSupport RAT)Interesting findings:
The error messages in the final Powershell script block are in Russian.
The embedded index string is CH-124FF74C (campaign identifier?).
Each stage listed above was heavily obfuscated, making reverse engineering analysis extremely tedious and time-consuming.
The malware attempts to remove all entries from the RunMRU registry key to hide the ClickFix execution evidence.
Clik.txt is not actually a TXT file but rather a PNG file which contains an embedded malicious blob along with the XOR key to decrypt and run the NetSupport RAT.
Sekoia calls this IClickFix - https://www.sekoia.com/blog/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic#clickfix #etherhiding #netsupportrat #netsupportmanager #malware #reverseengineering
-
The website wavesandwild[.]com was compromised with the ClickFix social engineering technique to trick victims into executing malicious commands injected into their clipboard which installs and runs NetSupport RAT, a remote access tool. NetSupport RAT is based on NetSupport Manager, a legitimate tool which is frequently used by bad actors for malicious purposes. NetSupport Manager, used maliciously or otherwise, provides full and complete control over the victim’s device. Once the client has been installed, attackers can access, acquire, and manipulate any data on the device (exfiltrate data, execute additional payloads).
The gory (and potentially boring) technical details are as follows. I wanted to share these details for folks like me who track and monitor ClickFix attacks. Do NOT visit or interact with any of the below content. Thanks for sharing this attack!
———————————
Full Attack Chain:
wavesandwild[.]com (compromised site)
--> POST polygon.publicnode[.]com/polygon.drpc[.]org to perform transaction lookup for next domain: "to": "0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A", "data": "0xe00fe2eb" (aka 'EtherHiding')
--> Download and process content on hxxps://sentrydb[.]org/track.php
--> Load victim's clipboard, display ClickFix splash screen
--> Victim copy and pastes malicious obfuscated command to their clipboard
--> powershell downloads and executes feinmotorik.geschenkideen-die-foerdern[.]de/index.html
--> Retrieves feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt
--> Extracts and XOR-decrypts an embedded blob within the PNG file 'clik.txt'
--> Installs and runs NetSupport RAT using embedded configuration files
--> C2 communication established with 216.158.95[.]180:443, tamweelke[.]com:443, or bcrfix[.]com:443
--> Host reconnaissance command results (OS, username, date, application name (SecurityHealth), computer name, IP details) sent to hxxp://172.245.25[.]134:8787/collect, likely for victim prioritization effortsIOCs
wavesandwild[.]com - Compromised website (ClickFix)
polygon.publicnode[.]com - RPC domain lookup
polygon.drpc[.]org - Fallback RPC domain lookup
0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A - wallet address containing the next stage
hxxps://sentrydb[.]org/track.php - Domain retrieved via the RPC lookup which filters victims based on response and if passes checks, delivers the ClickFix command to be pasted into the victim's clipboard
feinmotorik.geschenkideen-die-foerdern[.]de/index.html - URL in obfuscated ClickFix powershell command
feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt - additional URL contacted containing the PNG file with the embedded, encrypted NetSupport RAT
ip-api[.]com/json/?fields=query,country,city - IP address lookup for victim
hxxp://172.245.25[.]134:8787/collect - Exfiltrated recon data destination stolen from victim's host
216.158.95[.]180:443 - NetSupport RAT gateway address
tamweelke[.]com:443 - NetSupport RAT gateway address
bcrfix[.]com:443 - Secondary NetSupport RAT gateway address
CH-124FF74C - index string, potential campaign ID?
29b68bb454600b0abd1aad1f861bd11f28cd6cf9cd39cec53cc36
275e5b085534f64313b50cbdcb08ecd59c57d21c96bb937f140ee92a3d27f792 - SecurityHealth.exe (NetSupport RAT)Interesting findings:
The error messages in the final Powershell script block are in Russian.
The embedded index string is CH-124FF74C (campaign identifier?).
Each stage listed above was heavily obfuscated, making reverse engineering analysis extremely tedious and time-consuming.
The malware attempts to remove all entries from the RunMRU registry key to hide the ClickFix execution evidence.
Clik.txt is not actually a TXT file but rather a PNG file which contains an embedded malicious blob along with the XOR key to decrypt and run the NetSupport RAT.
Sekoia calls this IClickFix - https://www.sekoia.com/blog/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic#clickfix #etherhiding #netsupportrat #netsupportmanager #malware #reverseengineering
-
The website wavesandwild[.]com was compromised with the ClickFix social engineering technique to trick victims into executing malicious commands injected into their clipboard which installs and runs NetSupport RAT, a remote access tool. NetSupport RAT is based on NetSupport Manager, a legitimate tool which is frequently used by bad actors for malicious purposes. NetSupport Manager, used maliciously or otherwise, provides full and complete control over the victim’s device. Once the client has been installed, attackers can access, acquire, and manipulate any data on the device (exfiltrate data, execute additional payloads).
The gory (and potentially boring) technical details are as follows. I wanted to share these details for folks like me who track and monitor ClickFix attacks. Do NOT visit or interact with any of the below content. Thanks for sharing this attack!
———————————
Full Attack Chain:
wavesandwild[.]com (compromised site)
--> POST polygon.publicnode[.]com/polygon.drpc[.]org to perform transaction lookup for next domain: "to": "0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A", "data": "0xe00fe2eb" (aka 'EtherHiding')
--> Download and process content on hxxps://sentrydb[.]org/track.php
--> Load victim's clipboard, display ClickFix splash screen
--> Victim copy and pastes malicious obfuscated command to their clipboard
--> powershell downloads and executes feinmotorik.geschenkideen-die-foerdern[.]de/index.html
--> Retrieves feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt
--> Extracts and XOR-decrypts an embedded blob within the PNG file 'clik.txt'
--> Installs and runs NetSupport RAT using embedded configuration files
--> C2 communication established with 216.158.95[.]180:443, tamweelke[.]com:443, or bcrfix[.]com:443
--> Host reconnaissance command results (OS, username, date, application name (SecurityHealth), computer name, IP details) sent to hxxp://172.245.25[.]134:8787/collect, likely for victim prioritization effortsIOCs
wavesandwild[.]com - Compromised website (ClickFix)
polygon.publicnode[.]com - RPC domain lookup
polygon.drpc[.]org - Fallback RPC domain lookup
0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A - wallet address containing the next stage
hxxps://sentrydb[.]org/track.php - Domain retrieved via the RPC lookup which filters victims based on response and if passes checks, delivers the ClickFix command to be pasted into the victim's clipboard
feinmotorik.geschenkideen-die-foerdern[.]de/index.html - URL in obfuscated ClickFix powershell command
feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt - additional URL contacted containing the PNG file with the embedded, encrypted NetSupport RAT
ip-api[.]com/json/?fields=query,country,city - IP address lookup for victim
hxxp://172.245.25[.]134:8787/collect - Exfiltrated recon data destination stolen from victim's host
216.158.95[.]180:443 - NetSupport RAT gateway address
tamweelke[.]com:443 - NetSupport RAT gateway address
bcrfix[.]com:443 - Secondary NetSupport RAT gateway address
CH-124FF74C - index string, potential campaign ID?
29b68bb454600b0abd1aad1f861bd11f28cd6cf9cd39cec53cc36
275e5b085534f64313b50cbdcb08ecd59c57d21c96bb937f140ee92a3d27f792 - SecurityHealth.exe (NetSupport RAT)Interesting findings:
The error messages in the final Powershell script block are in Russian.
The embedded index string is CH-124FF74C (campaign identifier?).
Each stage listed above was heavily obfuscated, making reverse engineering analysis extremely tedious and time-consuming.
The malware attempts to remove all entries from the RunMRU registry key to hide the ClickFix execution evidence.
Clik.txt is not actually a TXT file but rather a PNG file which contains an embedded malicious blob along with the XOR key to decrypt and run the NetSupport RAT.
Sekoia calls this IClickFix - https://www.sekoia.com/blog/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic#clickfix #etherhiding #netsupportrat #netsupportmanager #malware #reverseengineering
-
New blog post! In this one I take a look at a malicious installer that installs NetSupport Manager onto an unwitting victim, and I walk through artifacts you can find when it's used as malware.
https://forensicitguy.github.io/netsupport-manager-malicious-installer/
-
New blog post! In this one I take a look at a malicious installer that installs NetSupport Manager onto an unwitting victim, and I walk through artifacts you can find when it's used as malware.
https://forensicitguy.github.io/netsupport-manager-malicious-installer/
-
New blog post! In this one I take a look at a malicious installer that installs NetSupport Manager onto an unwitting victim, and I walk through artifacts you can find when it's used as malware.
https://forensicitguy.github.io/netsupport-manager-malicious-installer/
-
New blog post! In this one I take a look at a malicious installer that installs NetSupport Manager onto an unwitting victim, and I walk through artifacts you can find when it's used as malware.
https://forensicitguy.github.io/netsupport-manager-malicious-installer/