
NetSupport Manager RAT

Posted: May 22, 2020

The NetSupport Manager RAT is a Remote Access Tool that provides remote admin features for multiple operating systems. Although the program isn't inherently threatening, some threat actors deploy Trojan variants of it to take control of your computer. Users should disable Internet connections after infections and immediately remove the NetSupport Manager RAT with their preferred anti-malware solutions.

Not the Kind of Tool that Should Appear without Permission

The difference between Remote Access Tools and Remote Access Trojans can, unfortunately, be little more than how their installation takes place. The NetSupport Manager RAT, a Windows-based RAT, is showing just how much harm a normally legal program can cause in the wrong hands. Threat actors in different campaigns are dropping weaponized versions of the NetSupport Manager RAT as primary payloads, with varying themes for heightening their success rates.

The NetSupport Manager RAT is compatible with Windows, macOS, Linux and various mobile device-based operating systems. Feature-wise, it may help remote administrators upload or download files, monitor services, record sessions of the client system and perform other admin-based activities. In a threatening scenario, the NetSupport Manager RAT is, accordingly, well-suited to collecting information like passwords or installing additional threats on a computer.

Malware researchers see some distribution tactics for the weaponized versions of the NetSupport Manager RAT being highly active in 2020, including:

  • A COVID-19 or Coronavirus-themed attack uses fake situational reports as attachments in victim-customized e-mail messages. The attachment includes an embedded macro that drops the NetSupport Manager RAT after the recipient enables it.
  • The above is a possible update to an earlier campaign using a different topic for similar phishing e-mails. In that campaign, the threat actor disguises the activation prompt as a password request, à la NortonLifeLock. The infection doesn't occur with an incorrect password input.
  • However, there also are cases that buck any dependency on e-mail. A separate series of attacks uses in-browser exploits, courtesy of Domen, a toolkit that helps threat actors with compromising and modifying legitimate websites. Most Domen attacks focus on fake update packages, such as Flash, for dropping the NetSupport Manager RAT or another payload.

Keeping the Risk of Riskware Down Low

Because users can endanger themselves even by surfing on 'safe' sites, mitigating the noted distribution exploits requires good security behavior as a default matter of habit. Installing software updates, ignoring unofficial update prompts, and leaving high-risk features like JavaScript off will help prevent most drive-by downloads. Admins also should be notified of any site compromises, whether the incident is due to Domen or another threat.

E-mails also are sources of security risks, especially for business entities. Worker training on the signs of phishing attacks and appropriate response protocols can limit the spread of weaponized versions of the NetSupport Manager RAT and other high-level threats. In most of these attacks, the abuse of e-mail attachments or obfuscated links to downloads is a standard operating procedure.

Because it's a legitimate program, users shouldn't assume that every installation of the NetSupport Manager RAT is threatening. They should only allow their anti-malware products to isolate or delete the NetSupport Manager RAT after confirming that its presence is non-consensual.

Most anti-malware suites will flag the NetSupport Manager RAT as a form of 'riskware,' or risky software. That descriptor is incredibly accurate for a program that can collect data or download Trojans without issues, even if the NetSupport Manager RAT has a history of legitimate business dealings.
