AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion

AsyncRAT is an open source remote access tool that was released in 2019 and is frequently exploited as a remote access trojan (RAT) by threat actors (1). AsyncRAT can perform multiple functions for threat actors, including:

• Keylogging;
• Providing initial access for final payload distribution;
• Establishing persistence access via remote desktop control; and
• Exfiltrating data for ransom or extortion.

This wide feature array makes AsyncRAT an attractive tool for threat actors, letting them conduct multiple malicious strategic actions – from initial access and persistence, to credential access and payload deployment – without the need for developing and maintaining their own malware variants.

Thus, threat actor attribution based on AsyncRAT deployment alone tends to be especially difficult.

The APG predicts that threat actors will very likely continue to use AsyncRAT over the next 12 months.

We base this assessment on internal Blackpoint observed attacks, corroborated with external incident reports which detail campaigns including similar and extensive use of AsyncRAT malware.

• In 2023, AT&T Alien Labs reported a spike in phishing emails featuring GIF attachments leading to a svg file, which also downloaded a highly obfuscated JavaScript file. This intrusion was followed by other obfuscated PowerShell scripts, with a final execution of an AsyncRAT client (3).
• In 2021, ESET security researchers reported that AsyncRAT was used as a part of a phishing campaign called “Operation Spalax”. The campaign used HTML attachments for AsyncRAT delivery while also integrating reflective loading techniques. The operation targeted Colombian entities, using at least 70 domains and 24 different IP addresses (2).

Blackpoint’s APG recommends the following actions to help mitigate the malicious use of AsyncRAT for initial access, persistence, and credential access.

• Monitor system activity through heuristics-based triggers and alerts, which can help identify deviations from normal or expected behavior that indicates potential malicious behavior.
• Minimize the use of – or implement strict controls on – the use of scripting languages that can help restrict the use of scripts for specific users who should not be conducting this type of activity, which can limit a threat actors’ ability to leverage scripts for malicious actions.
• Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access, security training can help lower the risk of falling victim to download malicious software or legitimate tools for malicious actions.
• Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conducting certain activities.

NetSupport Manager is a legitimate remote support tool frequently abused by multiple threat actor groups for malicious purposes (4). NetSupport RAT is a malicious spinoff of the legitimate NetSupport Manager supports multiple features for illicit purposes, including:

• File transfers,
• Remote access to compromised environments,
• Keylogging, and
• Controlling system resources.

Due to the malware’s widespread availability for both malicious and legitimate use cases, the use NetSupport RAT alone cannot be attributed to a single threat actor. Threat actors of all skill levels abuse the NetSupport tool, even if they lack the necessary technical knowledge or resources needed to use custom malware or tools.

This widespread use of NetSupport RAT leads to a variety of initial access methods; however, social engineering appears to remain a top choice for threat actors to deploy the NetSupport RAT.

The APG predicts that threat actors will likely continue to use NetSupport RAT over the next 12 months.

We base this assessment on internal Blackpoint observed attacks and external reporting on widespread use of NetSupport RAT in cyberattacks across multiple industries, as this week’s series of incidents illustrated for impacted Blackpoint partners.

• In 2024, security researchers with Perception Point reported a campaign delivering the NetSupport RAT targeting U.S.-based organizations (6). The threat actors sent phishing emails that purported to be from an accounting service, luring victims to download the attached Office Word file to view a “monthly salary report.” The threat group used OLE template manipulation, exploiting document templates to execute malicious code without detection.
• In 2023, security researchers with Malwarebytes reported that a fraud site for TradingView leveraged the NetSupport RAT to infect visitors of the site, if the site was a Windows machine (5). If the device was found to be a macOS device, the victim was targeted with Atomic Stealer malware. The goal of the attackers was to steal sensitive data from the victims.

Blackpoint’s APG recommends the following actions to help mitigate the malicious use of NetSupport RAT for malicious activities. The mitigations for NetSupport RAT activity are similar to those recommended for other malware variants, including AsyncRAT.

• Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access – as other attacks with NetSupport RAT have demonstrated – this security training helps lower the risk of falling victim to download malicious software or legitimate tools for malicious actions.
• Monitor system activity through heuristics-based triggers and alerts, which can help identify deviations from normal or expected behavior that indicates potential malicious behavior. Even if NetSupport has legitimate use cases, monitoring that alerts to potential abuse of allowlisted apps will catch threat actors attempting to disguise their activities by abusing already-installed apps.
• Minimize the use of – or implement strict controls on – the use of scripting languages that can help restrict the use of scripts for specific users who should not be conducting this type of activity, which can limit a threat actors’ ability to leverage scripts for malicious actions.
• Use multifactor authentication (MFA) and VPN, wherever feasible, to ensure only identified and authorized employees can access sensitive data and resources with an additional level of credential authentication.

VssAdmin is a legitimate Windows utility used to create, delete, and list information about shadow copies (7). It can be used to resize the shadow copy storage area, as well.

Threat actors often use allowlisted processes, applications, and utilities such as VssAdmin instead of installing custom or net-new malware to an infected system to better blend in with normal or expected network traffic, increasing their chances of a successful attack.

Threat actors will also attempt to delete shadow copies of data on victim systems. If left alone, defending security professionals could use shadow copies of any corrupted, locked, or deleted data to reestablish or return files to a past state – greatly reducing the impact of an attempted extortion or ransom demand.

The APG predicts that threat actors will very likely continue to abuse VSSAdmin to delete Shadow Copies over the next 12 months.

We base this assessment on internal Blackpoint observed attacks, corroborated by external reporting and research demonstrating threat actor abuse of VssAdmin to delete and modify shadow copies during cyberattacks.

Blackpoint’s APG has tracked at least 26 separate ransomware operators, each observed abusing the VssAdmin utility to evade detection by deleting or modify shadow copies.

• In 2023, security researchers with Microsoft released a report detailing the operations of the BlackByte ransomware operation, which included the use of VssAdmin to resize the shadow copies (8).
  • Researchers observed BlackByte using the commands “cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB” and “cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED” to resize the shadow copies.
  • The goal of resizing the shadow copies is likely to ensure that when the system attempts to make a new shadow copy, there is not enough space. Thus, the data gets overwritten, and system admins and incident responders are unable to recover majority of the encrypted or deleted files.
• In May 2024, the U.S. CISA released a #StopRansomare report detailing the operations of the Black Basta ransomware group, which included the use of the VssAdmin utility to delete shadow copies (9). The group’s goal of deleting the shadow copies is to evade detection and inhibit the victim’s ability to recover their files without paying the ransom demand.

Blackpoint’s APG recommends the following actions to help mitigate threat actors’ abuse of VssAdmin to resize or delete shadow copies for defense evasion and inhibiting system recovery.

• Operate from a zero-trust mentality, which assumes that all requests to each resource is malicious and embodies aggressive and continuous monitoring and management.
• Create and maintain data backups, including offline backups that are kept separate from the network and system.
• Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conducting certain activities.
• Implement an incident response plan that includes the processes for data backup, restoration, notification processes (including partners, team members, and law enforcement), and ensuring business continuity.

1. SOCRadar’s Blog: “Campaign Alert: The Year-Long Shadow of AsyncRAT in U.S. Infrastructure” by SOCRadar on 2024-02-02
2. ESET’s Blog: “Operation Spalax: Targeted malware attacks in Colombia” by Matías Porolli on 2021-01-12
3. AT&T’s Blog: “AsyncRAT loader: Obfuscation, DGAs, decoys and Govno” by Fernando Martinez on 2024-01-05
4. Vmware’s Blog: “NetSupport RAT: The RAT King Returns” by Alan Ngo, Abe Schneider, and Fae Carlisle on 2023-11-20
5. Malwarebytes’s Blog: “Mac users targeted in new malvertising campaign delivering Atomic Stealer” by Jérôme Segura on 2023-09-06
6. Perception Point’s Blog: “Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT” by Ariel Davidpur and Peleg Cabra on 2024-03-18
7. Microsoft’s Repository: “Volume Shadow Copy Service” by Microsoft on 2022-12-07
8. Microsoft’s Blog: “The five-day job: A BlackByte ransomware intrusion case study” by Microsoft Incident Response on 2023-07-06
9. U.S. Cybersecurity & Infrastructure Security Agency’s Advisory: “#StopRansomware: Black Basta” by CISA; FBI; HHS; et. al. on 2024-05-10