Devos Ransomware, RDP, and NetSupport RAT

Remote Desktop Protocol (RDP)

Remote Desktop Protocol (RDP) is a protocol that allows users to use a desktop remotely, often used for two legitimate professional purposes:

1. Remote Desktop Access: Users can utilize remote access to their physical desktop computer from another device.
2. Remote Administration: Users can perform remote administrative work by accessing the device.

However, threat actors can abuse RDP to move laterally through compromised networks. They initially target RDP on victim endpoints through a variety of methods (1), including:

• Hijacking legitimate RDP sessions;
• Using accessibility features, such as Sticky Keys;
• Brute force attacks;
• Malware specifically designed to target and take over RDP; and
• Protocol tunneling.

Net.exe

Net.exe is the net command, which allows users to view and manage (2):

• Network shares,
• User accounts,
• Group memberships,
• Services, and
• Print queues.

Blackpoint Active SOC analysts, the APG, and other researchers have seen threat actors using the Net.exe command to enumerate domains and user accounts as part of a “living off the land” (LotL) strategy, abusing allowlisted applications to mask malicious activity and evade AV and EDR solutions. Once enumerated, threat actors can then use them for lateral movement to more strategic endpoints during a cyberattack.

The APG predicts that threat actors will very likely continue to use the Net.exe command and remote desktop protocol (RDP) for lateral movement over the next 12 months.

We base this assessment on the APG’s previous research tracking 37 ransomware operators that abuse the “net” command to discover user accounts, domain accounts, and more for lateral movement and privilege escalation during reported incidents from the Blackpoint Active SOC managed environment. An additional 29 ransomware operations that have been observed abusing RDP for lateral movement.

Other external researchers have also observed similar behaviors in their environments and incidents, as well. In 2024, for example, Trend Micro researchers observed Black Basta ransomware operators using the “net” command during an attack. Specifically, they used:

• “net.exe group “Domain Admins” /domain”,
• “nltest.exe /domain_trusts /all_trusts”, and
• “net.exe localgroup Administrators Adminis /add”

– to enumerate domain admin accounts, domain trusts, and add new users to the local administrators group. (3)

Blackpoint APG recommends the following actions to help mitigate the malicious use of these legitimate tools.

• Least-privilege access controls, to help ensure that users only have access to the data and resources required to complete their job functions.
• Multifactor authentication (MFA) enforced on all user accounts – but especially those with privileged access – to help decrease the chances of undetected credential compromise.
• Establishing adequate firewall rules, including restricting access to port 3389 and blocking RDP traffic between network security zones.
• Incident response plan (IRP) creation, testing, and implementation when necessary. IRPs should include emergency processes for data backup and restoration; notification processes – including internal and external partners, team members, and law enforcement; and ensuring business continuity.

The NetSupport RAT (Remote Access Trojan) is a version of the legitimate NetSupport Manager, which is a remote support application. The NetSupport RAT is a versatile tool that allows threat actors to act in multiple ways, including:

• Monitoring user behaviors,
• Keylogging,
• Transferring or exfiltrating files,
• Taking control of system resources, and / or
• Moving laterally to other devices connected on the network.

NetSupport RAT is often downloaded via fake websites and fake browser updates; however, initial access vectors vary depending on the group using the malware. In 2023, for example, an unknown threat group conducted a campaign delivering the NetSupport RAT by tricking users into downloading fake Google Chrome updates – very similar to the attack vector for this incident. The infected website hosted a PHP script that appeared to be a legitimate Chrome update. In this incident, “Update_browser_10.6336.js” was the downloaded payload from the fake browser update. (4)

As the NetSupport RAT is both used legitimately (as NetSupport Manager) and as a RAT, it is difficult to spot by traditional AV or EDR solutions, and is not restricted in use to a single threat actor or group, making attacker attribution more difficult.

The APG predicts that threat actors will likely continue to use remote access trojans, such as the NetSupport RAT, specifically for persistence over the next 12 months.

We base this assessment on recent and varied threat actor use of the tool in multiple industries and situations:

• In January 2024, eSentire reported a NetSupport RAT campaign spread via fake browser updates (5).
• In March 2024, Perception Point researchers reported a new “Operation PhantomBlu” threat campaign, which featured a NetSupport RAT campaign delivered via social engineering messages with malicious attachments (6).

Blackpoint APG recommends the following actions to help mitigate the deployment and use of NetSupport RATs and similar malware by threat actors.

• Multifactor authentication (MFA) and VPN use where feasible to ensure only identified and authorized employees can access sensitive data and resources with an additional level of credential authentication.
• Employ heuristics-based activity monitoring and remediation to detect unusual user behaviors and activities that could indicate malicious activity or compromised accounts within the managed environment that would otherwise be missed by more traditional security solutions, such as AV or EDR.
• Provide a dedicated software center to guarantee employees can easily access the applications and updates required for their jobs from a safe and monitored location… without forcing them to “go rogue” and accidentally download malware from a malvertising or SEO poisoned instance.

The Blackpoint APG and other security researchers have assessed the Devos ransomware package as a variant of the older Phobos ransomware family, active since 2019.

Similar to previous incidents described in this analysis, researchers have seen Devos ransomware operators historically using the Remote Desktop Protocol (RDP) for lateral movement during reported incidents (7), which is in line with the APG’s assessment of overall recent ransomware landscape threat activity trends.

The APG predicts that threat actors will almost certainly continue to use Devos ransomware over the next 12 months.

We base this assessment on internal incident report analysis of Blackpoint Active SOC incident reports of managed environments, as well as recent external reports of more active use of the ransomware package.

Specifically, in May 2024, Trend Micro researchers reported that Phobos ransomware was the second most detected ransomware operation in Q1 2024, following the LockBit operation (8).

At a strategic level, ransomware in general has repeatedly posed a critical threat to organizations worldwide over the previous decade, with attacks increasing year over year, per the APG’s own internal tracking and analysis.

Despite law enforcement and government attention and disruption, ransomware operators have little incentive to cease operations. Additionally, many groups that shut down operations or are disrupted by law enforcement operations return to the landscape with rebranding or under the affiliate program of another group, which was evidenced in the recent criminal cases of:

• REvil (9),
• Conti (10),
• LockBit (11),
• ALPHV / BlackCat (12), and others.

Therefore, it is practically certain that ransomware operators and affiliates will continue to target organizations across all verticals, continuing to abuse RDP, Vssadmin, and similar legitimate services and tools over the next 12 months.

Blackpoint APG recommends the following actions to help mitigate the deployment of ransomware overall. (Note that these mitigations are not specific to any ransomware operation, as many criminal gangs demonstrate similar behaviors. By employing these techniques, you should greatly reduce your exposed attack surface to many ransomware attempts – not simply that of Devos.)

• Employee security training remains a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
• Create and maintain data backups, including offline backups that are kept separate from the network and system. Should your system suffer a lockout from a ransomware attempt, your uncorrupted and easily reinstated data backups become a key part of your business continuity plan to resume regular operations.
• Least-privilege access controls help ensure that users only have access to the data and resources required to complete their job functions, making it harder for threat actors to move laterally within the infected environment to more desireable targets.
• Regularly audit both environment and endpoints to identify weak points, apply necessary patching requirements, and close potential infection paths.

1. ReliaQuest’s Blog: “Scattered Spider Attack Analysis” by James Xiang on 2023 November 21
2. Blackpoint Cyber’s Blog: “How RDP Attacks Go Down” by Blackpoint Cyber on 2022 May 31
3. SpyShelter’s Blog: “What’s net.exe (Net Command)? Is it safe or a virus?” by SpyShelter on 2024 February 15
4. Trend Micro’s Blog: “Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities” by Ian Kenefick, Junestherry Dela Cruz, and Peter Girnus on 2024 February 27
5. Vmware’s Blog: “NetSupport RAT: The RAT King Returns” by Alan Ngo, Abe Schneider, and Fae Carlisle on 2023 November 20
6. eSentire’s Blog: “SmartApeSG Delivering NetSupport RAT” by eSentire Threat Response Unit (TRU) on 2024 January 18
7. Perception Point’s Blog: “Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT” by Ariel Davidpur and Peleg Cabra on N/A
8. 360 Total Security’s Blog: “Analysis of Ransomware Outbreak in March 2020” by kate on 2020 April 28
9. Trend Micro’s Blog: “PHOBOS EMERGES AS A FORMIDABLE THREAT IN Q1 2024, LOCKBIT STAYS IN THE TOP SPOT” by Trend Micro on 2024 May 07
10. Secure MSP’s Blog: “REvil ransomware gang returns after two-month hiatus” by Eric Swotinsky on 2021 September 17
11. Global Initiative’s Blog: “The rise and fall of the Conti ransomware group” by Jack Meegan-Vickers on 2023 June 27
12. U.S. DoJ’s Press Release: “U.S. and U.K. Disrupt LockBit Ransomware Variant” by Office of Public Affairs on 2024 February 20
13. U.S. DoJ’s Press Release: “Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant” by Office of Public Affairs on 2023 December 19