Trojan:VBS/NetSupportRat!MTB

The initial compromise for this threat often begins with a phishing campaign, where attackers distribute emails containing deceptive attachments. These attachments are typically ZIP archives that include a malicious VBScript file, which may be disguised with a double extension to appear harmless. When launched, the script may display a decoy document, such as a fake invoice or product list, to distract the user while malicious activities occur in the background. The VBScript itself is heavily obfuscated to evade signature-based detection and employs various environmental checks to avoid analysis in virtualized or sandboxed environments. 

The script then initiates a series of actions to retrieve the primary payload. It often leverages built-in Windows utilities like certutil or PowerShell to download additional components from a remote server. The downloaded file is usually a compressed archive, such as payload.zip, hosted on a compromised domain or attacker-controlled server. This archive is extracted into a dynamically generated directory within the user's AppData\Roaming folder, often using a generic or seemingly legitimate name like MediaPlayer or SystemUpdate to blend in with legitimate software. 

The extracted contents comprise the NetSupport RAT toolkit, which includes the core binary client32.exe, essential support libraries like HTCTL32.DLL and PCICL32.DLL, and a configuration file client32.ini that specifies communication parameters for the command-and-control server. A license file, NSM.lic, is also present to bypass validation checks within the NetSupport software. To maintain persistence, the malware modifies the Windows Registry by creating a new entry in the HKEY_CURRENT_USER\Software\Microors include domains like kgscrew[.]com and IP addresses such as 5[.]252.177[.]111. After a successful connection, threat actors deploy additional tools, such as OpenSSH for alternative access channels, credential harvesters like ProcDump targeting LSASS memory, or lateral movement frameworks such as Impacket. soft\Windows\CurrentVersion\Run key, using a name that mimics the installation directory, such as SystemUpdate, which points to the client32.exe path. Once installed, the RAT establishes outbound communication to its C2 infrastructure, typically over port 443 to mimic regular HTTPS traffic.