FireEye cybersecurity experts have discovered a new malware campaign that leverages compromised websites to spread fake software updates carrying a RAT payload. The aim is to gain control of infected machines.
A new malware campaign is under way that leverages compromised websites to spread fake software updates. It was discovered by cybersecurity experts at FireEye. In some cases, as the company reports on its blog, the payload was the NetSupport Manager remote access tool (RAT). NetSupport Manager is a commercially available RAT that system administrators legitimately use to access client computers remotely. Malicious actors, however, abuse the application by installing it on victims' systems without their knowledge in order to gain unauthorized access to those machines. The analysts also observed two variants of the attack, each with a different persistence mechanism. In the first variant, the malware author uses a Run registry entry to remain persistent on the system. In the second, the author uses a shortcut file (named desktop.ini.lnk) hosted on a remote server: the malware downloads the shortcut and places it in the Startup folder.
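Both persistence mechanisms described above leave an artifact a defender can enumerate: a value under a Run key, or a file in a Startup folder. The script below is an added example (not code from the article or from FireEye's report) that triages already-collected autorun entries for those two patterns. Its heuristics are assumptions, not indicators from the report: a command launching from a user-writable directory, a script host or LOLBin as the launcher, a Startup item that is not a shortcut, and a .lnk whose name carries a decoy inner extension, which is exactly what desktop.ini.lnk does. The sample entries are constructed for illustration, and the target file name client32.exe is assumed for the sample.

```python
"""Triage Windows autorun entries for Run-key and Startup-folder persistence.

Input is a list of entries already collected from a host (registry Run values
and the contents of the Startup folders). The SAMPLE_ENTRIES below are
constructed for illustration and are not from the FireEye report.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Heuristic (assumption): an autorun launching from a directory an unprivileged
# user can write to deserves a closer look.
USER_WRITABLE = re.compile(
    r"(\\appdata\\|\\temp\\|\\tmp\\|\\users\\public\\|\\programdata\\"
    r"|%appdata%|%temp%|%localappdata%)",
    re.IGNORECASE,
)
# Script hosts / LOLBins commonly used to stage a second-stage download.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "mshta.exe", "rundll32.exe"}
# Extensions that, placed before .lnk, make a shortcut look like a data or
# system file (desktop.ini.lnk from the report fits this pattern).
DECOY_EXTENSIONS = {".ini", ".txt", ".pdf", ".doc", ".docx", ".jpg", ".png"}


@dataclass
class AutorunEntry:
    kind: str      # "run_key" or "startup_lnk"
    name: str      # registry value name, or file name in the Startup folder
    command: str   # Run value data, or the shortcut's target plus arguments


@dataclass
class Finding:
    entry: AutorunEntry
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _first_token(command: str) -> str:
    """Return the executable part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def triage(entry: AutorunEntry) -> Finding:
    """Apply the heuristics to one entry and return the reasons it looks odd."""
    finding = Finding(entry)
    exe = ntpath.basename(_first_token(entry.command)).lower()

    if USER_WRITABLE.search(entry.command):
        finding.reasons.append("launches from a user-writable directory")
    if exe in SCRIPT_HOSTS:
        finding.reasons.append(f"uses script host / LOLBin {exe}")

    if entry.kind == "startup_lnk":
        stem, ext = ntpath.splitext(entry.name.lower())
        if ext != ".lnk":
            finding.reasons.append("file in Startup folder is not a shortcut")
        else:
            _, inner_ext = ntpath.splitext(stem)   # e.g. "desktop.ini" -> ".ini"
            if inner_ext in DECOY_EXTENSIONS:
                finding.reasons.append(
                    f"double extension masquerading as {inner_ext} file")
    return finding


def triage_all(entries: List[AutorunEntry]) -> List[Finding]:
    return [triage(e) for e in entries]


# Constructed sample input (not real telemetry). "client32.exe" is an assumed
# target name for the shortcut dropped by the second variant.
SAMPLE_ENTRIES = [
    AutorunEntry("run_key", "OneDrive",
                 r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    AutorunEntry("run_key", "Updater",
                 r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\Update.js"'),
    AutorunEntry("startup_lnk", "desktop.ini.lnk",
                 r"C:\Users\alice\AppData\Roaming\Client\client32.exe"),
    AutorunEntry("startup_lnk", "Notepad++.lnk",
                 r'"C:\Program Files\Notepad++\notepad++.exe"'),
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_ENTRIES):
        verdict = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"[{verdict}] {f.entry.kind:11} {f.entry.name}: {'; '.join(f.reasons)}")
```

Run on its own the script prints one verdict per entry; in practice the entry list would come from a collection step (registry export, Startup folder listing, or an Autoruns CSV), and any entry flagged here is a candidate for pulling the target binary for analysis.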
The infection vector: fake Adobe Flash, Chrome, and Firefox updates