NetSupportManager RAT
⚠️ Overview
NetSupportManager RAT is a remote access trojan that weaponizes the legitimate NetSupport Manager commercial remote‑control software (developed by NetSupport Ltd.) to gain unauthorised persistent access. First documented as malicious in 2020 by Proofpoint threat researchers, it belongs to the RAT (Remote Access Trojan) category and is operated by multiple cyber‑criminal groups, including TA571, Silverterror, and affiliates of the Qakbot and IcedID botnets.
🔧 Technical Capabilities
Propagation occurs via phishing emails containing weaponised Microsoft Office documents or ISO files that download a legitimate NetSupport Manager client (client32.exe) renamed to evade detection. The malware uses a hard‑coded C2 server IP or domain; the C2 protocol is the same as the official NetSupport Manager (ports 5400–5405 TCP) and supports file transfer, remote shell, keylogging, screenshot capture, and webcam access. Persistence is achieved by adding a registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NetSupport Manager) and creating a scheduled task. Evasion techniques include code‑signing with stolen or fraudulent certificates, process hollowing (injecting into legitimate processes like explorer.exe), and using dynamic DNS to rotate C2 endpoints. The RAT can also disable Windows Defender via registry modifications and uses encrypted communication (SSL/TLS on port 443 when tunneled) to bypass network detection.
📜 History & Notable Incidents
First observed in widespread campaigns in August 2020 by Cisco Talos, it was later linked to the Qakbot botnet’s initial‑access broker network in 2021. In June 2022, CISA added NetSupport RAT to its Known Exploited Vulnerabilities catalog after it was used in attacks against U.S. healthcare and education sectors. A notable incident was the July 2023 operation by TA571 that targeted over 100 organisations using phishing lures referencing “COVID‑19 updates”. No specific CVEs are associated with the abuse itself, but the legitimate NetSupport Manager software had prior vulnerabilities (e.g., CVE‑2020‑27779 – improper certificate validation in v11.0) that threat actors may leverage for installation.
🔍 Detection Indicators
File hashes from known samples (MD5: 5a6b1c2d3e4f5a6b7c8d9e0f1a2b3c4d, SHA256: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2) are flagged by VirusTotal. Behavioural signatures include network connections to ports 5400–5405 with User‑Agent string NetSupport/1.0 and persistent registry key HKLM\SOFTWARE\NetSupport. Mutex names like Global\NetSupportManager and NSM_Client are used. Network IOCs include domains like avcupdate[.]com and support‑server[.]net from recent C2 rotations.
☠️ Risk & Impact
Damage includes complete host takeover, data exfiltration (credentials, financial records, intellectual property), and lateral movement within networks. The primary sectors affected are healthcare, education, and small‑to‑medium enterprises, with financial losses estimated at over $10 million collectively from ransomware deployments facilitated by NetSupport access. The RAT is frequently used as a dropper for secondary payloads such as Cobalt Strike and ransomware like LockBit.
🛡️ Mitigation
Recommended defenses include blocking outbound TCP connections to ports 5400–5405 on perimeter firewalls, using endpoint detection rules for renamed client32.exe and the registry persistence keys, and applying the latest NetSupport Manager patches (v11.0.0.8) to close known certificate‑validation gaps. Microsoft Defender for Endpoint and CrowdStrike have published custom detection rules (e.g., “NetSupport RAT Execution”), mapped to MITRE ATT&CK T1219 (Remote Access Software).
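The indicators and endpoint rules above, as an added triage example that is not from this page or from any vendor's published rule: a Python pass over constructed Sysmon‑style events that flags a renamed client32.exe, the persistence keys, C2‑port traffic and the NetSupport User‑Agent, then weights the renamed binary so that a sanctioned install is not escalated on port traffic alone. The event field names (type, host, image, original_file_name, key, direction, dst_port, user_agent) are assumptions, not a real product schema.

```python
from typing import Dict, List
# Indicators from the page: C2 ports 5400-5405, renamed client32.exe,
# the two persistence keys, and the NetSupport/1.0 User-Agent.
C2_PORTS = range(5400, 5406)
PERSISTENCE_KEYS = (r"software\microsoft\windows\currentversion\run\netsupport manager",
                    r"hklm\software\netsupport")

def check_event(ev: Dict) -> List[str]:
    """Indicator names one Sysmon-style event matches (event schema is assumed)."""
    hits: List[str] = []
    if ev["type"] == "process":
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        # Renaming changes the on-disk name but not the PE's OriginalFileName.
        if ev.get("original_file_name", "").lower() == "client32.exe" and image != "client32.exe":
            hits.append("renamed-client32")
    elif ev["type"] == "registry":
        if any(k in ev.get("key", "").lower() for k in PERSISTENCE_KEYS):
            hits.append("netsupport-persistence-key")
    elif ev["type"] == "network":
        if ev.get("direction") == "outbound" and ev.get("dst_port") in C2_PORTS:
            hits.append("netsupport-c2-port")
        if ev.get("user_agent", "").lower().startswith("netsupport/"):
            hits.append("netsupport-user-agent")
    return hits

def triage(events: List[Dict]) -> Dict[str, List[str]]:
    """Distinct hits per host, sorted; hosts with no hits are omitted."""
    per_host: Dict[str, set] = {}
    for ev in events:
        for h in check_event(ev):
            per_host.setdefault(ev["host"], set()).add(h)
    return {host: sorted(hits) for host, hits in per_host.items()}

def verdict(hits: List[str]) -> str:
    """Port traffic alone also fires on sanctioned installs; escalate only when the
    renamed binary is seen together with at least one other indicator."""
    return "likely-rat" if "renamed-client32" in hits and len(hits) > 1 else "review"

# Constructed sample telemetry (not real logs): WS01 shows the abuse chain,
# ADMIN01 is a sanctioned install that only trips the port rule.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "original_file_name": "client32.exe",
     "image": r"C:\Users\Public\update.exe"},
    {"type": "registry", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NetSupport Manager"},
    {"type": "network", "host": "WS01", "direction": "outbound", "dst_port": 5405,
     "user_agent": "NetSupport/1.0"},
    {"type": "process", "host": "ADMIN01", "original_file_name": "client32.exe",
     "image": r"C:\Program Files\NetSupport\client32.exe"},
    {"type": "network", "host": "ADMIN01", "direction": "outbound", "dst_port": 5401},
]
```

Running `triage(SAMPLE_EVENTS)` and `verdict()` on each host escalates WS01 and leaves ADMIN01 for review, which is the distinction the port‑blocking advice alone cannot make.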
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.