A sophisticated new multi-stage malware campaign, tracked as JS#SMUGGLER, is actively being used to deliver the NetSupport Remote Access Trojan (RAT) to unsuspecting victims. The operation relies on hidden web-based redirects and heavily obfuscated JavaScript to gain full control of the victim's system, posing a significant threat to organizations and individuals alike.
The threat campaign, detailed by Securonix security researchers, employs a three-stage infection chain designed to meticulously evade detection at every step. Beginning with a compromised website, a malicious JavaScript loader initiates the process, paving the way for deeper system compromise through encrypted commands and the eventual deployment of the NetSupport RAT.
JS#SMUGGLER Malware Attack Delivers NetSupport RAT
The JS#SMUGGLER campaign represents a concerning advancement in malware delivery techniques. Researchers observed that the initial JavaScript loader is injected into legitimate but compromised websites. Its primary function is to prepare the ground for the subsequent stages of the attack by employing advanced obfuscation methods. These include techniques such as numeric index mapping and rotating arrays, which scramble the malicious code and hide it from standard security scans.
One of the distinguishing features of this operation is its adaptive payload delivery. The malware actively checks the type of device a victim is using. This allows the attackers to tailor the malicious payload delivered to mobile devices versus desktop systems, optimizing exploit effectiveness for each platform. The ongoing maintenance and optimization of this malware framework highlight the attackers’ commitment to remaining undetected on infected systems.
Infection Mechanism and Attack Chain
Upon execution in the victim’s browser, the JavaScript loader operates with a high degree of stealth. It meticulously sets up rotating arrays of scrambled text and waits for the webpage elements to load fully before activating. This careful timing is crucial for its evasion strategy.
Following device detection, the loader creates either a full-screen, hidden iframe for mobile users or loads a remote script for desktop users. Crucially, it utilizes the browser’s local storage to record whether a system has already been infected. This prevents the script from running multiple times on the same machine, significantly reducing the likelihood of triggering security alerts.
This methodical approach enables the attackers to dynamically construct malicious web addresses. These custom URLs are then used to fetch the next stage of the attack from domains under their control, such as stoneandjon.com and boriver.com. The ability to generate these URLs on-the-fly adds another layer of complexity to tracking and blocking the campaign.
Stage Two: The HTA File and PowerShell Execution
The second stage of the infection typically arrives as an HTML Application (HTA) file. Attackers frequently abuse mshta.exe, a legitimate Windows program, to execute these HTA files. This allows the malicious script to run completely hidden from the user.
The HTA file’s primary action is to write an encrypted PowerShell script into the computer’s temporary folder. This script is heavily protected using a combination of AES-256-ECB encryption, Base64 encoding, and GZIP compression. These methods are employed to mask the script’s true malicious intent from any form of static analysis.
Upon decryption and decompression, the payload executes directly in the computer's memory. This "fileless" execution technique is particularly effective against traditional antivirus solutions, because the decrypted payload never touches the disk where it could be scanned. After execution, the script removes any temporary files it created to further obscure evidence of the attack.
Stage Three: NetSupport RAT Deployment
The final PowerShell payload is responsible for downloading the NetSupport RAT components. These are typically packaged within a ZIP archive retrieved from an attacker-controlled server, such as kindstki.com.
Once the archive is downloaded, the script extracts its contents into a directory named CommunicationLayer, located within the ProgramData folder. This location is chosen to appear innocuous, blending in with legitimate application data. The malware then initiates the execution of the extracted client32.exe file, employing a hidden JScript wrapper to obscure the actual process chain.
To ensure persistent access to the compromised system, the attackers create a shortcut file named WindowsUpdate.lnk within the Startup folder. This shortcut ensures that the NetSupport RAT automatically launches every time the victim logs into their computer, effectively granting the attackers continuous remote control.
NetSupport RAT Capabilities and Mitigation
NetSupport RAT is a powerful remote access tool that provides attackers with comprehensive control over infected systems. Its capabilities include full desktop control, the ability to perform file operations, execute commands remotely, steal sensitive data, and establish network tunnels. The malware is designed to avoid the need for administrator privileges by installing at the user level and using deceptive naming conventions for its components to mimic legitimate Windows functions.
Organizations are strongly advised to bolster their cybersecurity defenses against such sophisticated attacks. Key mitigation strategies include blocking untrusted script execution, enabling robust PowerShell logging for forensic analysis, restricting the execution of mshta.exe where possible, and deploying behavioral detection tools. These advanced tools are crucial for identifying suspicious process chains and fileless execution techniques characteristic of the JS#SMUGGLER campaign.
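As an added example (not code from the article or from the Securonix report), the following script shows the kind of process-chain detection the mitigation advice above calls for. It runs over constructed process- and file-creation events and flags the three behaviours the article describes: mshta.exe launching PowerShell, client32.exe executing from ProgramData\CommunicationLayer, and a WindowsUpdate.lnk written into a Startup folder. The key=value log format, field names and every path are assumptions for this example, not a real EDR schema.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed sample events (one key=value record per line); all paths are made up.
# The last line models a legitimately installed NetSupport client and must not fire.
SAMPLE_EVENTS = r"""type=process parent=C:\Windows\explorer.exe image=C:\Windows\System32\mshta.exe cmdline="mshta.exe C:\Users\alice\AppData\Local\Temp\page.hta"
type=process parent=C:\Windows\System32\mshta.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -f C:\Users\alice\AppData\Local\Temp\x.ps1"
type=file image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe path="C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk"
type=process parent=C:\Windows\System32\wscript.exe image=C:\ProgramData\CommunicationLayer\client32.exe cmdline="client32.exe"
type=process parent=C:\Windows\explorer.exe image="C:\Program Files\NetSupport\client32.exe" cmdline="client32.exe"
"""

# key=value pairs; quoted values may contain spaces (e.g. "Start Menu").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> Dict[str, str]:
    """Parse one event line into a field dictionary."""
    return {k: quoted if quoted else bare for k, quoted, bare in KV_RE.findall(line)}

def _name(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the JS#SMUGGLER-style behaviours a single event matches."""
    hits: List[str] = []
    image = ev.get("image", "")
    if ev.get("type") == "process":
        # Stage two: an HTA run through mshta.exe hands off to PowerShell.
        if _name(ev.get("parent", "")) == "mshta.exe" and _name(image) == "powershell.exe":
            hits.append("mshta_spawns_powershell")
        # Stage three: client32.exe running out of ProgramData\CommunicationLayer,
        # not from a normal install location.
        if _name(image) == "client32.exe" and "\\programdata\\communicationlayer\\" in image.lower():
            hits.append("netsupport_client_in_programdata")
    elif ev.get("type") == "file":
        # Persistence: WindowsUpdate.lnk dropped into a Startup folder.
        path = ev.get("path", "")
        if _name(path) == "windowsupdate.lnk" and "\\startup\\" in path.lower():
            hits.append("startup_lnk_persistence")
    return hits

def scan(log_text: str) -> List[Tuple[int, str]]:
    """Scan a whole log and return (line_number, behaviour) pairs for each match."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            findings.extend((n, tag) for tag in classify(parse_event(line)))
    return findings

if __name__ == "__main__":
    for n, tag in scan(SAMPLE_EVENTS):
        print(f"line {n}: {tag}")
```

Correlating the three tags on one host within a short window is what separates this chain from an isolated, possibly benign, mshta.exe or client32.exe sighting.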
Further research into the specific command-and-control infrastructure and the full scope of compromised websites is expected. Security professionals will continue to monitor for updates and variations of the JS#SMUGGLER framework, as well as the evolving tactics used to deploy NetSupport RAT and other potent remote access tools.