Hundreds of US employees have been targeted in a new email attack that uses accounting lures to distribute malicious documents that deploy a malicious remote access tool known as NetSupport RAT. The attackers use a combination of detection evasion techniques including Office Object Linking and Embedding (OLE) template manipulation and injection as well as Windows shortcut files with PowerShell code attached.
“NetSupport RAT is a spin-off of the legitimate NetSupport Manager, a remote technical support app, exemplifying how powerful IT tools can be misappropriated into malicious software,” researchers from security firm Perception Point said in their report. “Once installed on a victim’s endpoint, NetSupport can monitor behavior, capture keystrokes (keylogger), transfer files, commandeer system resources, and move to other devices within the network — all under the guise of a benign remote support software.”
