The threat actors ran a persistent phishing campaign, primarily distributing malicious scripts (initially HTA files, later transitioned to JS format) disguised as various business documents inside ZIP archives.
To enhance credibility, the attackers frequently included authentic documents related to the targeted individuals or organizations within the archives.
The distribution method remained consistent throughout the campaign, emphasizing social engineering tactics to deceive victims into executing the malicious scripts.
Attackers initially used a small, unconventional PNG-based script to download and execute a malicious BAT file, which in turn installed the NetSupport RAT, a legitimate remote management tool often abused for malicious purposes.
The RAT establishes a connection to the attacker’s servers, allowing remote control of the infected machine by leveraging easily accessible Windows utilities and a well-known tool to achieve its malicious goals.
A malicious JavaScript script, disguised as a legitimate Next.js file, downloads an intermediary script from a remote server, which fetches a decoy text document and the NetSupport RAT installer.
The installer is saved to the %APPDATA%\EdgeCriticalUpdateService directory and configured to run automatically. The script leverages a novel tactic of using meaningless text documents as bait to lure victims into opening the malicious attachment.
The script is also disguised as a legitimate procurement request and downloads and executes a malicious NSIS installer, which deploys a Remote Manipulator System (RMS) backdoor, leveraging DLL sideloading to bypass security measures.
The RMS backdoor establishes a persistent connection to a remote server, enabling attackers to remotely control the compromised system, steal sensitive data, and execute arbitrary commands, while the attack chain also includes the deployment of RDP Wrapper to facilitate remote desktop connections.
The latest variant (Version D) of the NetSupport RAT delivery uses a different infection chain from Version B: it starts with a JavaScript file (e.g., “purchase request from LLC <company> No. 3.js”) that fetches a second script from a remote location and, instead of downloading the RAT installer directly, retrieves an intermediate PowerShell script.
The PowerShell script then downloads and unpacks the NetSupport RAT archive (ngg_cl.zip) from another web server. Interestingly, the actual NetSupport RAT binary inside the archive remains the same as the one used in Version B.
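The chain described above (JS dropper, intermediate PowerShell stage, ngg_cl.zip, persistence under %APPDATA%\EdgeCriticalUpdateService) gives a defender a few concrete telemetry traits to look for. The following is an added example, not code from the article or from Securelist: a small detection pass over constructed Sysmon-like events. The event schema, the user and file names (alice, stage2.ps1, nsm_installer.exe) and the Run-key autostart are assumptions made for the example; only the persistence directory and the archive name come from the text.

```python
import re

# The persistence directory and archive name come from the article above; the
# event shapes, host names and file names below are constructed for this example.
PERSIST_DIR = re.compile(r"\\AppData\\Roaming\\EdgeCriticalUpdateService\\", re.I)
RAT_ARCHIVE = re.compile(r"\\ngg_cl\.zip$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, detail) findings for Sysmon-like events (constructed schema):
    process -> parent, image, cmdline; file -> image, target; registry -> image, key, value."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if (kind == "process" and basename(ev["parent"]) in SCRIPT_HOSTS
                and basename(ev["image"]) in DOWNLOADERS):
            # JS dropper handing off to the intermediate PowerShell stage
            findings.append(("script_host_spawns_powershell", ev["cmdline"]))
        elif kind == "file":
            if RAT_ARCHIVE.search(ev["target"]):
                findings.append(("netsupport_archive_dropped", ev["target"]))
            if PERSIST_DIR.search(ev["target"]):
                findings.append(("write_to_persistence_dir", ev["target"]))
        elif kind == "registry" and "\\run\\" in ev["key"].lower() \
                and PERSIST_DIR.search(ev["value"]):
            # Autostart entry (assumed Run key) pointing into the persistence directory
            findings.append(("autostart_points_to_persistence_dir", ev["value"]))
    return findings

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
APPDATA = r"C:\Users\alice\AppData"
SAMPLE_EVENTS = [  # constructed telemetry: one infection chain followed by benign noise
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe", "image": PS,
     "cmdline": "powershell.exe -w hidden -f " + APPDATA + r"\Local\Temp\stage2.ps1"},
    {"type": "file", "image": PS, "target": APPDATA + r"\Local\Temp\ngg_cl.zip"},
    {"type": "file", "image": PS,
     "target": APPDATA + r"\Roaming\EdgeCriticalUpdateService\nsm_installer.exe"},
    {"type": "registry", "image": PS,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EdgeCriticalUpdateService",
     "value": APPDATA + r"\Roaming\EdgeCriticalUpdateService\nsm_installer.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe"},  # benign: a user opened a console
    {"type": "file", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": APPDATA + r"\Roaming\Microsoft\Word\~$report.docx"},  # benign
]
```

Running `detect(SAMPLE_EVENTS)` yields four findings for the chain and none for the two benign events; the rules are deliberately narrow so that the combination, not any single hit, is what warrants triage.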
The JS+Embedded NSM ZIP variant has evolved significantly: initially the NetSupport RAT was downloaded from an external source, but in June 2023 the attackers embedded the ZIP archive directly into the script, increasing its size.
To further obfuscate the attack, the file header comment was replaced with a legitimate library comment. In subsequent iterations, the RAT was split into multiple archives, and the use of PDF documents as bait replaced the previous text-based approach.
According to Secure List, TA569 employs a multi-stage attack, initially leveraging BurnsRAT or NetSupport RAT for remote access. Subsequently, they often install stealers like Rhadamanthys or Meduza to exfiltrate sensitive data and sell compromised systems to other threat actors for ransomware deployments.
While the primary focus appears to be financial gain, the group may also collect valuable information for future attacks, as evidenced by earlier campaigns that directly distributed Rhadamanthys.