NetSupport RAT Deployment via WordPress and ClickFix

Security Alert: New Method for NetSupport RAT Deployment Uncovered

A recent sophisticated campaign shows threat actors using a new technique to distribute the remote access trojan NetSupport RAT. The method leverages compromised legitimate websites, specifically those running WordPress, and exploits a weakness within a widely used plugin, ClickFix, to deliver malware.

The attack chain begins with attackers compromising vulnerable WordPress sites. Once inside, they inject malicious scripts, often disguised, into the website’s files or database. When unsuspecting visitors browse these compromised sites, the injected code triggers a malicious redirect or download action.

A critical element in this particular campaign is the exploitation of the ClickFix plugin. Threat actors have found a way to weaponize this plugin, turning it into a vector for malware delivery. By manipulating how the plugin functions or through vulnerabilities within the plugin itself, they can force visitors’ browsers to download or execute malicious payloads, including the NetSupport RAT. This represents a form of supply chain attack, targeting users through a trusted component (the website and its plugins) rather than directly.

NetSupport RAT is a dangerous tool because it allows attackers extensive control over the infected computer. Capabilities typically include logging keystrokes, capturing screenshots, accessing files, and executing commands remotely, enabling data theft, espionage, or further malicious activities.

This campaign underscores the need for robust website security practices, particularly for sites running WordPress. Regularly updating themes and plugins, using strong passwords, implementing firewalls, and monitoring website traffic are essential steps. Website administrators should immediately check for unauthorized code injections and ensure all software, especially plugins like ClickFix, is patched to the latest version.
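One way an administrator might run the check for unauthorized code injections described above, as an added example that is not from the original article: it flags script tags that load from hosts outside an allowlist, plus common markers of disguised code, in files or database fields. The allowlist, the sample markup and the heuristic patterns are assumptions to adapt per site.

```python
import os
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts this site is expected to load scripts from.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Constructed sample: a theme footer with one injected, disguised loader.
SAMPLE = '''<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.injected.example/l.js"></script>
<script>eval(atob("ZG9jdW1lbnQ="));</script>'''

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Heuristics for disguised JavaScript/PHP; tune them to the site's own code.
OBFUSCATION = {
    "eval-of-decoded-string": re.compile(r"eval\s*\(\s*(atob|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "fromCharCode-run": re.compile(r"String\.fromCharCode\s*\((\s*\d+\s*,){10,}", re.I),
    "long-base64-literal": re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
}

def scan_text(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings for one file body or database field."""
    findings = []
    for src in SCRIPT_SRC.findall(text):
        host = urlparse(src).hostname  # None for relative, same-site paths
        if host and host not in allowed_hosts:
            findings.append(("external-script", host))
    for kind, pattern in OBFUSCATION.items():
        if pattern.search(text):
            findings.append((kind, ""))
    return findings

def scan_tree(root, allowed_hosts=ALLOWED_HOSTS):
    """Walk a WordPress install and map file path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".js", ".html", ".htm")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read(), allowed_hosts)
                if hits:
                    report[path] = hits
    return report

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

Findings are leads for manual review, not verdicts: legitimate minified plugins can trip the heuristics, so compare flagged files against a clean copy of the same theme or plugin version.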

For users, the best defense involves vigilance. Be cautious when visiting unfamiliar websites, ensure your operating system and browser are updated, and maintain a reputable antivirus solution that is actively scanning for threats. The use of an ad-blocker can also sometimes prevent malicious scripts from executing. This new deployment method serves as a stark reminder that attackers are constantly innovating, requiring continuous attention to cybersecurity best practices.

Source: https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix
