Threat actors are targeting the education, government and business sectors with a remote access trojan called NetSupport RAT.
“Delivery mechanisms for the NetSupport RAT include fraudulent updates, drive downloads, use of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns,” said the researchers at VMware Carbon Black in a report shared with The Hacker News.
The cybersecurity firm says it has detected no less than 15 new infections related to the NetSupport RAT in the past few weeks.
While NetSupport Manager started out as a legitimate remote administration tool for technical assistance and support, malicious actors used the tool for their own benefit, using it as a beachhead for subsequent attacks.
The NetSupport RAT is usually downloaded onto the victim’s computer via fraudulent websites and fake browser updates.
In August 2022, Sucuri detailed a campaign where compromised WordPress sites were used to display fraudulent Cloudflare DDoS protection pages that led to the distribution of the NetSupport RAT.
“Once installed on a victim’s device, NetSupport can monitor behavior, transfer files, manipulate computer settings, and transfer to other devices within the network,” the researcher said.