Experts Confirm Js#smuggler Uses Compromised Sites To Deploy...
Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT.
The attack chain, analyzed by Securonix, involves three main moving parts: An obfuscated JavaScript loader injected into a website, an HTML Application (HTA) that runs encrypted PowerShell stagers using "mshta.exe," and a PowerShell payload that's designed to download and execute the main malware.
"NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft, and proxy capabilities," researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said.
There is little evidence at this stage to tie the campaign to any known threat group or country. The activity has been found to target enterprise users through compromised websites, indicative of a broad-strokes effort.
The cybersecurity company described it as a multi-stage web-based malware operation that employs hidden iframes, obfuscated loaders, and layered script execution for malware deployment and remote control.
In these attacks, silent redirects embedded into the infected websites act as a conduit for a heavily scrambled JavaScript loader ("phone.js") retrieved from an external domain, which then profiles the device to determine whether to serve a full-screen iframe (when visiting from a mobile phone) or load another remote second-stage script (when visiting from a desktop).
The invisible iframe is designed to direct the victim to a malicious URL. The JavaScript loader incorporates a tracking mechanism to ensure that the malicious logic is fired only once and during the first visit, thereby minimizing the chances of detection.
"This device-aware branching enables attackers to tailor the infection path, hide malicious activity from certain environments, and maximize their success rate by delivering platform-appropriate payloads while avoiding unnecessary exposure," the researchers said.
The remote script downloaded in the first stage of the attack lays the foundation by constructing at runtime a URL from which an HTA payload is downloaded and executed using "mshta.exe." The HTA payload is another loader for a temporary PowerShell stager, which is written to disk, decrypted, and executed directly in memory to evade detection.
Furthermore, the HTA file is run stealthily by disabling all visible win
Source: The Hacker News
