Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT.
The attack chain, analyzed by Securonix, involves three main moving parts: An obfuscated JavaScript loader injected into a website, an HTML Application (HTA) that runs encrypted PowerShell stagers using “mshta.exe,” and a PowerShell payload that’s designed to download and execute the main malware.
“NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft, and proxy capabilities,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said.
There is little evidence at this stage to tie the campaign to any known threat group or country. The activity has been found to target enterprise users through compromised websites, indicative of a broad-strokes effort.
The cybersecurity company described it as a multi-stage web-based malware operation that employs hidden iframes, obfuscated loaders, and layered script execution for malware deployment and remote control.
In these attacks, silent redirects embedded into the infected websites act as a conduit for a heavily scrambled JavaScript loader (“phone.js”) retrieved from an external domain, which then profiles the device to determine whether to serve a full-screen iframe (when visiting from a mobile phone) or load another remote second-stage script (when visiting from a desktop).
The invisible iframe is designed to direct the victim to a malicious URL. The JavaScript loader incorporates a tracking mechanism to ensure that the malicious logic is fired only once and during the first visit, thereby minimizing the chances of detection.
“This device-aware branching enables attackers to tailor the infection path, hide malicious activity from certain environments, and maximize their success rate by delivering platform-appropriate payloads while avoiding unnecessary exposure,” the researchers said.
The remote script downloaded in the first stage of the attack lays the foundation by constructing at runtime a URL from which an HTA payload is downloaded and executed using “mshta.exe.” The HTA payload is another loader for a temporary PowerShell stager, which is written to disk, decrypted, and executed directly in memory to evade detection.
Furthermore, the HTA file is run stealthily by disabling all visible window elements and minimizing the application at startup. Once the decrypted payload is executed, it also takes steps to remove the PowerShell stager from disk and terminates itself to avoid leaving as much forensic trail as possible.
The primary goal of the decrypted PowerShell payload is to retrieve and deploy NetSupport RAT, granting the attacker complete control over the compromised host.
“The sophistication and layered evasion techniques strongly indicate an actively maintained,…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
