We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
TrojanDownloader:JS/NetSupport!MTB
Aliases: No associated aliases
Summary
TrojanDownloader:JS/Netsupport!MTB is a malicious JavaScript file that is used to download and install components of the NetSupport Manager remote access tool. This variant specifically detects the downloader component itself, which downloads the final malicious payload. It is delivered via compromised websites, advertisements, or phishing emails containing a fraudulent link and it requires the user to click to initiate the infection process.
The main purpose of the script is to serve as an initial access vector that uses obfuscated code to download and launch either the TrojanDownloader:JS/NetSupportRat!MTB (the main malware component), or other second-stage payloads. The "!MTB" suffix is an indicator that the detection was generated using a machine-learning based tree-based algorithm trained on behavioral patterns and attributes typical of downloader-type threats.
- Disconnect from the network to prevent lateral movement or data exfiltration.
- Use Task Manager to end tasks related to wscript.exe, cscript.exe, or client32.exe.
- Delete registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
- Remove scheduled tasks created by Javascript.
- Erase all files in %AppData%\Roaming\ subdirectories, including client32.exe, DLLs, and configuration files.
- If critical files were modified, restore from clean backups after eradication.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
