Netsupport Manager 10.5 Full 282


Hedy Madrid

unread,
Jul 11, 2024, 11:14:58 AM
to impohuafootp

In January 2020, the Cortex XDR Managed Threat Hunting team, part of Unit 42, identified a malicious Microsoft Word document, disguised as a password-protected NortonLifelock document, being used in a phishing campaign to deliver a commercially available remote access tool (RAT) called NetSupport Manager. Using a fictitious NortonLifelock document to entice the user to enable macros makes this particular attack interesting to us.

This activity employs evasion techniques to evade both dynamic and static analysis and utilizes the PowerShell PowerSploit framework to carry out the installation of the malicious file activity. Through additional analysis, we identified related activity dating back to early November of 2019.

netsupport manager 10.5 full 282

Download File https://urlcod.com/2yMVxu
The macro obfuscates all strings using multiple labels on Visual Basic for Applications (VBA) forms, which contain two characters that are eventually linked together to construct the final command to download and execute the RAT on the victim.

The server that is serving view.php appears to be filtering on the user-agent string, as visiting the site with a browser displays a standard image for the webpage. Note this domain appears to be a legitimate domain, which has been compromised and is being used by these operators.

Figure 6. HTTP GET request to view.php on quickwaysignstx[.]com

If the user-agent string in the request is Windows Installer, an MSI file is returned. This user-agent string is part of the msiexec command, further supporting that the payload will only be downloaded when using msiexec. The MSI payload (SHA256: 41D27D53C5D41003BC9913476A3AFD3961B561B120EE8BFDE327A5F0D22A040A) was built using an unregistered version from www.exemsi[.]com with the title of MPZMZQYVXO patch version 5.1.

This version string appears to be random, as several other strings were noted during an analysis of related activities. The string is displayed when the MSI is run. Once downloaded, the MSI will execute using the /q parameter to suppress any Windows dialogs from the user. Similar activity was reported in November 2019.

The PowerShell script appears to have been generated using the open-source script Out-EncryptedScript.ps1 from the PowerSploit framework. It contains a blob of data that is obfuscated via base64 and is TripleDES encrypted with a cipher mode of Cipher Block Chain (CBC).

It should be noted that the IV used in this sample would most likely be different from other samples generated by PowerSploit. Also, the 16 byte IV would be truncated to 8 bytes, as IV block sizes are 8 bytes in length. The decrypted PowerShell script looks like:

Once the main NetSupport Manager executable (presentationhost.exe) is started, it beacons to the domain geo.netsupportsoftware[.]com to retrieve the geolocation of the host, followed by an HTTP POST to [.]182/fakeurl.htm.

It should be noted that the original name of NetSupport Manager is client32.exe and it was likely changed to presentationhost.exe to avoid any suspicions. Example of traffic sent to the target domain:

While hunting for related activity on all XDR customers, we identified other files likely related to this campaign activity. This related activity ranges in date from the beginning of November 2019 through the end of January 2020.

Throughout the first half of November, all related activities used email attachments containing the name of an individual publicly associated with the target company or utilizing the name of a public figure. Most public figures referenced belonged to the film or print industry. All emails were also sent using a random protonmail[.]com email address and contained email subjects related to refund status or unauthorized credit card transactions. Beginning at the end of November and continuing into January 2020, the mail attachments changed and were instead named as .doc and sent from email addresses using domains that were registered within one day of the observed activity. The email subjects followed the same trend, reusing themes associated with refunds, as well as transaction and order inquiries. While it is unclear what the overall motivation of this activity is, these changes may increase the likelihood of a recipient opening the email attachment and indicate a desire to gain access to the target network.

Palo Alto Networks customers are protected from this threat via multiple services. Our threat prevention platform detects both the NetSupport Manager file along with the related payloads, including URL retrieval. Cortex XDR customers are further protected by behavioral indicator signatures. AutoFocus users can track related activities using the NetSupport Manager tag.

Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.

The reason we can make these assumptions is due to the structure of WinRAR self-extracting files. The first portion of the file is a Windows WinRAR SFX module, similar to the structure of a 7-zip SFX module. After the bounds of that executable end, a RAR archive is appended to the SFX module to complete the file. The executable code being a WinRAR SFX module means that ANY installer in the world that uses the same version of the SFX module will have the same import table and rich header hashes, malicious and legitimate alike. And since the archive is appended to the end of the module, we can simply dump the archive out and obtain whatever gets installed.

For this part of the post I obtained a network traffic PCAP file from the Tria.ge behavioral report for this sample: -3et5gaeg4y/behavioral2. The network traffic for NetSupport Manager is pretty easy to spot with the right telemetry and rules. From this network traffic, multiple Suricata alerts fired:

Command and control (C2) frameworks often support multiple platforms, and PowerShell Empire is no different. In older days, there was a Python Empyre version that eventually merged into the full Em...

Self-extracting installers are an awesome way to distribute software because they require very little overhead and minimal configuration. Because of this, some malware threats use these SFX files t...

So, we start with finding out what NetSupport Manager Gateway actually is; a piece of software that allows remote administration and access to hosts from a centralised manager. The Gateway aspect is a single interface to ease paths through firewalls. In other words, the key to me getting inside your network!

As we have a case for a valid key and an invalid key, we have the basic test steps for a brute force attack, basically loop through a dictionary or programmatically derived keys until we get a reply with MORE=0.

The only thing we need to do first is to work out how the hash is derived. As the hash is composed of alphanumeric characters it looks to be base64 encoded, passing this through a decoder gives us the binary numbers:

That works out to be 520 guesses a second, talking from one virtual machine to another running on the same host, which should have little network latency. This is unfeasible for a real attack: the key size can be from 8 to 15 characters and, although it is case insensitive, it allows numeric and special characters. Even assuming that only alphanumeric passwords are going to be used and the key is the minimum size of 8 characters, that gives us a possibility of:

Looking at the known vulnerabilities associated with the service, the most notable was a buffer overflow. Not wanting to potentially cause disruption to hundreds of clients by running the exploit against all of them, I needed to find the version of the software running and also see if any of the hosts could be taken over using no authentication, for the quick win.

Downloading an evaluation copy of the software from NetSupport's website revealed the software provided its own proprietary scripting language (which looked a bit like VBScript) to help automate tasks. Although I couldn't find any manuals on using the scripting language, the examples provided with the software gave enough information to mash up a script to find all clients running the NetSupport client, check their version and check if authentication was required. This was all I needed for the time being.

So using the NetSupport scripting engine I was able to find the versions of the software running on the hundreds of hosts on the network and target those that may be vulnerable. More notable were the number of hosts running with no authentication required. Of course the power of this application can allow anyone to compromise hosts easily allowing for remote commands, file uploads and total control of the clients on the network. Therefore due care and attention should be applied when running it on your corporate network and at the very least ensure that all clients require a strong password before the manager can connect.

It was a bit surprising that there aren't more free testing tools out there for this service. There are public exploits available, and the natural follow-up to this would involve writing my own test script without the need to use the NetSupport Manager to run the script. I couldn't find any reference to the NetSupport Manager packet format. I did perform some quick protocol analysis on port 5405 between a manager and client and wrote a quick nmap script to output the response from the client when sending it a query (captured with Wireshark) from a manager, which worked in the test environment but didn't work in the customer environment. I'll carry out further testing and post it in my next blog update.
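Added example, not part of the post above or of the Unit 42 report it quotes: a small proxy-log scanner that turns the delivery and beaconing behaviour described in the post (msiexec's "Windows Installer" user-agent fetching a .php URL, the geo.netsupportsoftware.com geolocation lookup, then the HTTP POST to /fakeurl.htm from the same host) into three correlated detection rules. The log format, the client IPs, the hostnames other than geo.netsupportsoftware.com, the lookup path and the "NetSupport Manager/1.3" user-agent in the sample are all constructed for the example; the five-minute correlation window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log, tab-separated: timestamp, client IP, method, URL, status, User-Agent.
# Everything except the geo.netsupportsoftware.com host, the /fakeurl.htm POST and the
# "Windows Installer" User-Agent fetching a PHP page is made up for this example.
SAMPLE_PROXY_LOG = """\
2020-01-15T10:01:02Z\t10.0.0.5\tGET\thttp://compromised-site.invalid/view.php\t200\tWindows Installer
2020-01-15T10:01:03Z\t10.0.0.5\tGET\thttp://compromised-site.invalid/view.php\t200\tMozilla/5.0 (Windows NT 10.0) Firefox/72.0
2020-01-15T10:02:10Z\t10.0.0.5\tGET\thttp://geo.netsupportsoftware.com/location/loca.asp\t200\tNetSupport Manager/1.3
2020-01-15T10:02:11Z\t10.0.0.5\tPOST\thttp://203.0.113.182/fakeurl.htm\t200\tNetSupport Manager/1.3
2020-01-15T10:05:00Z\t10.0.0.7\tGET\thttp://www.example.com/index.html\t200\tMozilla/5.0 (Windows NT 10.0) Chrome/79
"""

GEO_HOST = "geo.netsupportsoftware.com"
C2_PATH = "/fakeurl.htm"
MSIEXEC_UA = "Windows Installer"
CORRELATION_WINDOW = timedelta(minutes=5)  # assumption: geo lookup and first POST are close together


@dataclass
class Finding:
    client: str
    rule: str
    severity: str
    detail: str


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields and decompose the URL."""
    ts, client, method, url, status, ua = line.split("\t", 5)
    parsed = urlparse(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "host": parsed.hostname or "",
        "path": parsed.path,
        "status": status,
        "ua": ua,
    }


def scan(log_text: str) -> list[Finding]:
    """Run the three rules over a log and return findings in log order."""
    findings: list[Finding] = []
    geo_lookups: dict[str, list[datetime]] = {}  # client -> times it queried the geo service
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Rule 1: msiexec (User-Agent "Windows Installer") pulling content from a .php URL,
        # the delivery step where the server only answers that user-agent.
        if ev["ua"] == MSIEXEC_UA and ev["path"].lower().endswith(".php"):
            findings.append(Finding(ev["client"], "msiexec-php-fetch", "medium",
                                    f"msiexec fetched {ev['host']}{ev['path']}"))
        # Rule 2: geolocation lookup. Low severity on its own, because legitimately
        # installed NetSupport clients make the same request; it is context, not proof.
        if ev["host"] == GEO_HOST:
            geo_lookups.setdefault(ev["client"], []).append(ev["ts"])
            findings.append(Finding(ev["client"], "netsupport-geo-lookup", "low",
                                    f"geo lookup to {GEO_HOST}"))
        # Rule 3: POST to /fakeurl.htm. Raised to high when the same client did a geo
        # lookup shortly before, matching the start-up sequence described in the post.
        if ev["method"] == "POST" and ev["path"].lower().endswith(C2_PATH):
            recent = any(timedelta(0) <= ev["ts"] - t <= CORRELATION_WINDOW
                         for t in geo_lookups.get(ev["client"], []))
            findings.append(Finding(ev["client"], "netsupport-c2-post",
                                    "high" if recent else "medium",
                                    f"POST {ev['host']}{C2_PATH}"
                                    + (" within minutes of a geo lookup" if recent else "")))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PROXY_LOG):
        print(f"{f.severity:6} {f.client:10} {f.rule:22} {f.detail}")
```

Run on the constructed log, the scanner reports three findings for 10.0.0.5 and nothing for the browsing host: the msiexec fetch, the low-severity geo lookup, and a high-severity POST because it follows that lookup within the window. The geo rule is deliberately kept weak on its own so a fleet with a sanctioned NetSupport deployment does not drown in alerts; the correlation with the unusual POST path is what carries the signal.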
