CrowdStrike BSOD Help, Advanced IP Scanner, TeamViewer, NetSupport RAT, & AsyncRAT

Advanced IP Scanner is a free network scanner used to analyze local area networks (LANs) (3), and can:

• Show all network devices,
• Grant access to shared folders, and
• Remotely control and switch off computers.

Advanced IP Scanner has been frequently abused by threat groups for reconnaissance and discovery activities. In fact, the Adversary Pursuit Group detailed an incident last week that reviewed the use of Advanced IP Scanner by threat actors, combined with additional abuse of remote desktop protocol (RDP) and multiple brute force attempts to access the environment (4).

TeamViewer is a remote administration tool that can be used to remotely access machines and conduct regular maintenance activities such as system updates, as well as remote installation and removal of software and services.

Threat actors often find remote management tools an attractive target to exploit and abuse during cyberattacks (5), due to:

• The access TeamViewer and other remote admin tools provide;
• The ability to remain undetected and blend into normal environment traffic, evading EDR and AV detections; and
• The potential for persistent access to compromised networks.

Arechclient2 is a .NET RAT with numerous capabilities, including multiple stealth functions. Blue teams and security researchers have previously observed threat actors using Arechclient2 malware to conduct a wide variety of malicious activities (2), including:

• Profiling victim systems;
• Stealing information, such as browser and crypto-wallet data; and
• Launching a hidden secondary desktop to control browser sessions.

The APG predicts that threat actors will very likely continue to abuse legitimate tools – such as Advanced IP Scanner for discovery and TeamViewer for persistence – over the next 12 months.

We assesses that threat actors will very likely continue to abuse legitimate tools, such as Advanced IP Scanner and TeamViewer, over the next 12 months. This assessment is based on internal Blackpoint observed attacks, as well as external incident reports detailing the abuse of these tools during cyber incidents.

The APG has tracked at least 21 ransomware operations that have been observed using Advanced IP Scanner during reported incidents, including:

• INC Ransom
• Akira
• Phobos

We’ve also tracked at least four ransomware operations that have used TeamViewer during reported incidents, including:

• BianLian
• LockBit
• Trigona

As for external reports, a particularly relevant report published on the abuse of TeamViewer and other RMM tools just last month.

In June 2024, the Health Information Sharing and Analysis Center (Health-ISAC) issued a warning related to threat actors exploiting the TeamViewer software to gain persistent access to victim network.

The warning related to APT29’s (AKA Cozy Bear, Midnight Blizzard) reported compromise of TeamViewer (6). Threat actors target RMM tools, such as TeamViewer because these tools are often integrated into client networks in a way that provides privileged access to the threat actors. Threat actors are very likely going to continue both targeting RMM tools for compromise to access their clients and deploying the tools for remote access during active incidents over the next 12 months.

Blackpoint’s APG recommends the following actions to help mitigate the malicious abuse of legitimate tools such as Advanced IP Scanner and TeamViewer.

• Enable multi-factor authentication (MFA), which can help identify malicious or anomalous logins and require an additional step for securing user accounts.
• Implement application controls to help manage and control the installation of software, including network scanners.
• Monitor system activity through heuristics-based triggers and alerts, which can aid in identifying the malicious install, use, and presence of unapproved tools and malicious activities on devices.
• Provide a dedicated software center, which allows employees to download approved software from a safe and monitored location. Dedicated and approved software can aid in detecting software, such as Advanced IP Scanner, that is installed from a third-party location outside of a dedicated center.

NetSupport Manager is a legitimate remote support tool that has been frequently abused by multiple threat actors (8). NetSupport RAT is a malicious spinoff of the legitimate NetSupport Manager that can:

• Transfer files,
• Remotely access compromised environments,
• Keylog, and
• Take control of system resources.

The Adversary Pursuit Group (APG) has previously detailed incidents that involved the likely use of NetSupport RAT, including multiple NetSupport RAT attacks during late June 2024 against Real Estate, Institutions & Organizations, and Industrials partners (9). The tool is used by multiple threat groups due to its availability and capabilities; therefore, post-incident attribution can be difficult.

The APG predicts that threat actors will very likely continue to use NetSupport RAT for persistence over the next 12 months.

We base this assessment on internal Blackpoint observed attacks which correspond to multiple external incident reports covering NetSupport RAT use.

For example, in March 2024, Perception Point researchers reported on a campaign, PhantomBlu, that involved the deployment of the NetSupport RAT (10). The threat actors delivered email messages that appeared to be from an accounting service, luring victims into downloading an attached Office Word file.

The APG recommends the following actions to help mitigate the use of NetSupport RAT for malicious activities.

• Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access, security training can help lower the risk of falling victim to download malicious software or legitimate tools for malicious actions.
• Minimize the use of – or implement strict controls on – scripting languages, which can limit a threat actors’ ability to leverage scripts for malicious actions on compromised end user accounts.
• Multifactor authentication (MFA) and VPN use where feasible, ensuring only identified and authorized employees can access sensitive data and resources with an additional level of credential authentication.
• Operate from a zero-trust mentality, which assumes that all requests to each resource are malicious, and encourages aggressive and continuous monitoring and management.

Active since at least 2019, AsyncRAT is a remote access trojan (RAT) whose capabilities include but are not limited to:

• Capture keystrokes on the victim’s machine,
• Gain persistence via scheduled tasks,
• View the screen, and
• Examine running processes (12).

Multiple threat groups use AsyncRAT, which makes attribution more difficult.

Finally, AsyncRAT is often distributed via:

• Email campaigns with malicious attachments,
• Infected ads on compromised websites, and
• Other malware variant drops.

The APG predicts that threat actors will likely continue to use AsyncRAT for persistence over the next 12 months.

This assessment is based on a wide range of Active SOC-observed attacks within Blackpoint-protected environments, including other publicly analyzed attacks on (13):

• An Industrials partner on June 13, 2024; and
• A Healthcare partner on April 22, 2024.

In addition to the APG’s own internal analysis, AsyncRAT makes frequent appearances in external security research, including:

• In January 2024, AT&T Alien Labs security researchers reported a campaign delivering AsyncRAT through an initial JavaScript file embedded in a phishing page (14), involving more than 300 samples and over 100 domains.
• In July 2024, eSentire security researchers reported several instances of users downloading the ScreenConnect remote access client, ultimately leading to AsyncRAT deployment (15).
  • In one case, a user downloaded the ScreenConnect instance from a compromised WordPress website, which redirected the user to a malicious site and eventually AsyncRAT’s download.

The APG recommends the following actions to help mitigate the deployment and use of AsyncRAT for persistence and exfiltration.

• Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority.
• Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conducting certain activities.
• Monitor system activity through heuristics-based triggers and alerts, which can help identify legitimate software being installed or used in suspicious or abnormal methods and identify behaviors.
• Require the use of secure password managers, disabling plaintext password storage and local password caching to make accessing passwords by threat actors from compromised accounts more difficult.

1. VirusTotal’s Repository: “45.141.87.16 (45.141.84.0/22)” by VirusTotal on 2024-07-17
2. Blackpoint Cyber’s Whitepaper: “Ratting Out Arechclient2” by Blackpoint Cyber on 2022-11
3. Advanced IP Scanner’s Website: “Advanced IP Scanner” by Famatech Corp. on N/A
4. Blackpoint Cyber’s Blog: “LuminousMoth, Tnega Malware, Advanced IP Scanner, RDP Abuse, and SolarMarker” by Blackpoint Cyber on 2024-07-11
5. Blackpoint Cyber’s Blog: “Vulnerable RMM Tools and Vulnerable Industries: Why Vigilance is Key” by Blackpoint Cyber on 2024-03-28
6. The HIPAA Journal’s Blog: “Health-ISAC Issues Warning Abuse of TeamViewer Remote Connectivity Software” by Steve Adler on 2024-06-28
7. “VirusTotal’s Repository: “hxxp://dfwreds.com/data.php?9351dfwreds[.]com” by VirusTotal on 2024-07-17
8. Vmware’s Blog: “NetSupport RAT: The RAT King Returns” by Alan Ngo; Abe Schneider; Fae Carlisle on 2023-11-20
9. Blackpoint Cyber’s Blog: “Brute Ratel, Advanced IP Scanner, and NetSupport RAT” by Blackpoint Cyber on 2024-06-28
10. Perception Point ‘s Blog: “Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT” by Areal Davidpur; Peleg Cabra on 2024-03-18
11. VirusTotal’s Repository: “193.26.115.78 (193.26.115.0/24)” by VirusTotal on 2024-07-17
12. MITRE’s Repository: “AsyncRAT” by MITRE on 2023-10-10
13. Blackpoint Cyber’s Blog: “AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion” by Blackpoint Cyber on 2024-06-21
14. AT&T’s Blog: “AsyncRAT loader: Obfuscation, DGAs, decoys and Govno” by Fernando Martinez on 2024-01-05