security portfolio + blog

by Nicholas Coleman

21 April 2025

NetSupport Remote Access Trojan

by Nicholas Coleman

Nematodes Medical Research Facility

INC-2025-04-21 Executive Summary & Post-Incident Review
Nicholas H. Coleman

Summary

During an inspection of the Nematode Health Facility’s enterprise network, multiple alerts flagged suspicious activity within the internal LAN segment (10.11.26.0/24).

Subsequent analysis revealed a confirmed infection of the NetSupport Remote Access Trojan (RAT) on host DESKTOP-B8TQK49 (IP: 10.11.26.183), used by a local Windows user account (oboomwald).

Threat Intelligence

NetSupport RAT Article

NetSupport RAT Malpedia Page

Indicators of Compromise

| IOC Type | Value | Description |
|---|---|---|
| C2 IP | 194.180.191[.]64 | Primary command and control (C2) endpoint for NetSupport RAT. Infected hosts communicated with this server over HTTPS to receive commands and send back data. |
| Malicious Domain | modandcrackedapk[.]com | Used during initial infection for domain name resolution and as the SNI field in TLS. Associated with the ZPHP downloader that delivered NetSupport RAT. |
| Infected Host | 10.11.26[.]183 | Internal system compromised and used for malicious outbound communications. |
| C2 Protocol | HTTP POST on port 443 | NetSupport RAT communicates using encrypted HTTP POST requests to mimic legitimate web traffic and evade detection. |
| Secondary IPs | 193.42.38[.]139, 104.26.1[.]231 | Additional IP addresses possibly used for redundancy, staging, or as decoy C2 infrastructure. |
| Exploitation | EfsRpcOpenFileRaw | Abuse of Microsoft’s Encrypting File System RPC function. |

CVE-2021-34527 (CVSS - 8.8)

CISA PrintNightmare Vulnerability

Key Findings

Initial Access

The infection likely originated from a socially engineered fake browser update hosted on the malicious domain modandcrackedapk[.]com, associated with the ZPHP downloader.

ZPHP - Threat Library

Malware Delivery

A ZPHP JavaScript downloader was executed, resulting in the download and execution of NetSupport RAT. The RAT masquerades as a legitimate support tool while giving the threat actor full remote access to the host.

[Figure: maldomain] ZPHP domain observed in the TLS SNI field and in DNS lookups. ZPHP is a malicious downloader written in JavaScript, distributed through malicious or compromised websites via fake browser updates.

Command & Control (C2)

The infected host established outbound HTTP POST connections over port 443 to the C2 server (194.180.191[.]64), evading basic firewall rules because the traffic was encrypted. Additionally, the use of deprecated protocols (TLS 1.0, SMBv1) helped the threat actor evade detection.

[Figure: ioc] VirusTotal scan of the C2 server.

Command & Control Activity

[Figure: c2] Sample of the HTTP traffic associated with the C2 server. NetSupport Manager/1.3 is the User-Agent associated with the RAT.

| Field | Meaning |
|---|---|
| CMD=POLL | Heartbeat check-in (recurring status message) |
| CMD=ENCD | Encrypted data transmission (RAT commands or responses) |
| ES=1 | Possibly an encoding scheme / encryption step |
| DATA=… | Actual encoded or encrypted payload |
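As an added example (not part of the original report), the Python script below applies the IoC table and the C2 field meanings above to constructed proxy-log lines; the log format (tab-separated src, dst, port, SNI, User-Agent, body) and the sample values other than the report's own indicators are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs


def refang(value: str) -> str:
    """Turn a defanged indicator such as 194.180.191[.]64 into a matchable string."""
    return value.replace("[.]", ".")

# Indicators from the incident report, kept defanged and refanged at load time.
C2_IPS = {refang(ip) for ip in ("194.180.191[.]64", "193.42.38[.]139", "104.26.1[.]231")}
MAL_DOMAINS = {refang("modandcrackedapk[.]com")}
RAT_USER_AGENT = "NetSupport Manager/1.3"
CMD_MEANING = {"POLL": "heartbeat check-in", "ENCD": "encrypted data transmission"}

# Constructed sample log (tab-separated: src, dst, dst_port, sni, user_agent, body); not from the capture.
SAMPLE_LOG = (
    "10.11.26.183\t194.180.191.64\t443\t-\tNetSupport Manager/1.3\tCMD=POLL\n"
    "10.11.26.183\t194.180.191.64\t443\t-\tNetSupport Manager/1.3\tCMD=ENCD&ES=1&DATA=ZXhhbXBsZQ==\n"
    "10.11.26.183\t104.26.1.231\t443\tmodandcrackedapk.com\tMozilla/5.0\t-\n"
    "10.11.26.55\t203.0.113.10\t443\twww.example.com\tMozilla/5.0\t-\n"
)


@dataclass
class Finding:
    src: str
    dst: str
    reasons: List[str]


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding when the line matches any NetSupport RAT indicator."""
    src, dst, _port, sni, ua, body = line.split("\t")
    reasons = []
    if dst in C2_IPS:
        reasons.append(f"destination {dst} is a known C2/staging IP")
    if sni in MAL_DOMAINS:
        reasons.append(f"SNI {sni} matches the ZPHP delivery domain")
    if ua == RAT_USER_AGENT:
        reasons.append(f"User-Agent '{ua}' is the NetSupport RAT client")
    if body != "-":  # parse the POST body fields documented in the table above
        cmd = parse_qs(body).get("CMD", [""])[0]
        if cmd in CMD_MEANING:
            reasons.append(f"CMD={cmd} ({CMD_MEANING[cmd]})")
    return Finding(src, dst, reasons) if reasons else None


def analyze_log(text: str) -> List[Finding]:
    return [f for f in map(analyze_line, filter(None, text.splitlines())) if f]


def hosts_to_isolate(findings: List[Finding]) -> List[str]:
    """Distinct internal sources that matched, i.e. candidates for containment."""
    return sorted({f.src for f in findings})
```

Running `analyze_log(SAMPLE_LOG)` flags the three lines from 10.11.26.183 and leaves the ordinary browsing line alone.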

Persistence & Reconnaissance

NetSupport RAT was observed maintaining persistence via repeated check-ins and conducting reconnaissance through SMB and NetBIOS queries (including suspicious access to IPC$ shares and Kerberos-authenticated services).

[Figure: checkin] Multiple alerts confirming NetSupport RAT C2 check-in, admin response, and geolocation request.

Exploitation

Logs show exploitation of the EfsRpcOpenFileRaw RPC function, often related to the PrintNightmare (CVE-2021-34527) vulnerability. It is abused for unauthorized access to files or for lateral movement.

The alert "SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt" is an indicator of possible SMB enumeration or fuzzing. This, together with the IPC$ access attempts, is a strong sign of attempted lateral movement. Furthermore, the threat actor used deprecated protocols (TLS 1.0, SMBv1) and obfuscated traffic to bypass detection systems.

Actions Taken

- Isolated and reimaged the infected host
- Blocked the malicious IPs
- Hardening
- EDR fine-tuning

Recommendations

It is highly recommended that Nematode conduct phishing and fake-update simulation training for staff. Second, a full sweep for other compromised hosts using lateral movement detection would help rule out any additional threats. Lastly, it is strongly suggested that all Windows authentication logs be reviewed for lateral movement, privilege escalation attempts, or any unusual access patterns.

Post-Incident Review and Conclusion

Our analysis of this incident confirmed a successful compromise of the internal host (10.11.26.183) via a socially engineered malware delivery campaign, resulting in the installation and operation of the NetSupport Remote Access Trojan (RAT).

The initial infection was traced back to a malicious domain (modandcrackedapk[.]com) associated with fake browser updates. This delivered a JavaScript-based downloader (ZPHP) that ultimately dropped the RAT.

After establishing itself on the network, the RAT initiated encrypted communications with a known C2 Server (194.180.191[.]64) using obfuscated HTTP traffic over port 443. Evidence also suggests active attempts to enumerate the network environment and access the Active Directory Domain Controller (DC) - (10.11.26.3), through Remote Procedure Call (RPC) functions associated with the PrintNightmare vulnerability (CVE-2021-34527).

The extent of the lateral movement undertaken by the threat actor remains under active investigation. However, our evidence shows that the attacker established persistence, maintained reconnaissance, and potentially engaged in privilege escalation. Gaps in network security, such as the presence of legacy protocols (SMBv1, TLS 1.0), the lack of network segmentation, and insufficient EDR coverage, contributed to the attacker’s ability to remain in the network.

This incident highlights the ongoing and constantly evolving risk posed by social engineering campaigns, and organizations’ critical need for a defense-in-depth approach, strong user education, and vigilant vulnerability assessments. The actions taken to remediate the breach are sufficient for now, but future attempts can only be prevented by prioritizing hardening measures and user awareness programs.

tags: malware-traffic