A malicious campaign exploits user trust through deceptive websites, including spoofed Gitcodes and fake Docusign verification pages. Victims are tricked into running malicious PowerShell scripts on their Windows machines, leading to the installation of NetSupport RAT. The multi-stage attack uses clipboard poisoning and fake CAPTCHAs to deliver the malware. The campaign involves multiple domains, uses ROT13 encoding, and creates persistent infections. Similar techniques were observed in other spoofed content, including Okta and popular media apps. The attack capitalizes on user familiarity with common online interactions, emphasizing the need for vigilance and skepticism in online activities.
Author: AlienVault
Related Tags:
clipboard poisoning
T1553.002
T1102.002
T1566.002
T1204.001
netsupport rat
T1547.001
T1059.001
T1059.003
Associated Indicators: