While the false coral snake uses disguise to appear dangerous, hackers use disguise to make malware appear safe.
While the false coral snake uses disguise to appear dangerous, hackers use disguise to make malware appear safe.
Security researchers have identified a malicious campaign in which cyber-criminals used compromised websites to distribute malware under the guise of updates to popular applications, including Adobe Flash, Chrome and FireFox. In several cases, the legitimate remote access tool (RAT) of NetSupport Manager was distributed through updates.

NetSupport Manager is a legitimate, commercially available tool used by administrators to remotely access users' computers. But hackers have taken advantage of this tool by installing it on victim's computers. 

According to a blog post, attackers distribute the tool through hacked sites and disguise it as updates to popular applications. If a user installs an update, a malicious JavaScript file is downloaded to their device. 

The malware collects system information and sends it to a C&C server. After receiving further commands from the server, it then executes another JavaScript file to deliver the final payload.

The malware's developers have used several levels of obfuscation to the original JavaScript file and attempted to complicate the analysis of the second JavaScript file. 

Once executed, the JavaScript file initiates a connection to the C&C server and sends the tid value with the current date of the system in an encrypted format. The script then decrypts the server's response and executes it as a function called step2. 

This function collects various system information, such as architecture, computer name, user name, processor, OS, domain, manufacturer, model, BIOS version, security solutions, MAC address, keyboard, display controller configuration, and process list. In response, the server sends a function called step3 and a file called Update.js, which in turn loads and executes the final malicious payload. 

The malware also uses PowerShell commands to download files from the server, including a standalone 7zip executable file that contains a remote access tool, and a batch script for installing the NetSupport client on the system.

The script can also disable Windows error reporting and application compatibility, adding the executable file to the list of allowed programs, downloading the shortcut to the Startup folder, hiding specific files, deleting artifacts, etc. 

By using NetSupport Manager, attackers can gain remote access to hacked systems, launch applications, receive location data, and steal system information. 

Researchers added that the JavaScript file also loads a txt file containing a list of IP addresses that can be hacked. These IP addresses are located mainly in the US, Germany and the Netherlands. 

“RATs are widely used for legitimate purposes, often by system administrators. However, since they are legitimate applications and readily available, malware authors can easily abuse them and sometimes can avoid user suspicion as well,” said Sudhanshu Dubey, a security researcher at Fireeye.

Luke Somerville, head of special investigations at Forcepoint, told SC Media UK that the use of ‘fake updates' is something we have been seeing for some time.

“We recently spoke about the UDPoS malware, a family which is consistently disguised as a software update to important system and administration software. Overall, the technique is probably about halfway up the clever spectrum: it's been around for quite some time and it couldn't be described as particularly innovative in modern times, but end-users are very used to seeing and accepting prompts for software updates to the point where many experience ‘update request fatigue'. Malicious actors don't need to innovate or change lure techniques when their existing tricks continue to be effective,” he said.

Barry Shteiman, director of Threat Research at Exabeam, told SC Media UK that organisations need to be able to detect unusual activity from valid machines and users, which is why behavioural analytics has grown so quickly over the last couple of years. 

“While standard security technology focuses on “can you access this data?” behavioural analytics focuses on “should you be accessing this data?” – this is much more useful for detecting threats such as RATs, which can compromise entire corporate machines. Behavioural analytics is also the only way to get real insight into the insider threat. It can tell an organisation when someone is doing something that is unusual and risky, on an individual basis and compared to peers,” he said.