Threat Hunter is using deceitful websites to warn new campaigns that will trick unsuspecting users into running malicious PowerShell scripts on their machines and infecting them with malware on net support rats.
The Domaintools Investigations (DTI) team said they have identified a “malicious multistage downloader PowerShell script” hosted on a Lure website poses as Gitcode and Docusign.
“These sites try to trick users into copying and running the first PowerShell script with the Windows Run command,” the company says in a technical report shared with Hacker News.
“In doing so, the PowerShell script will download another downloader script and run it on the system. This will get the additional payload and eventually install the net support rat on the infected machine.”
These counterfeit sites are believed to be possible to be propagated through email and social engineering attempts via social media platforms.
Hosted on fake Gitcode sites, PowerShell scripts are designed to download a series of intermediate PowerShell scripts from an external server (“TradingViewTool(.)com”) that is used consecutively to launch net support rats on the victim machine.
Domaintools has also identified several websites (docusign.sa(.)com) that spoof Docusign to provide the same remote access Trojan, but with a twist, using Clickfix-style Captcha validation to run malicious PowerShell scripts using victims on dupe victims.
Like the recently documented attack chain that offers Eddiestealer Infostealer, users who land on the page are asked to prove that they are not robots by completing the check.
Triggering a Captcha validation will secretly copy obfuscated PowerShell commands to the user’s clipboard (a technology known as clipboard addiction).
The PowerShell script downloads Persistence Script (“wbdims.exe”) from GitHub and works, ensuring that the payload is automatically launched when the user logs in to the system.
“This payload has become unavailable during the investigation, but what we can expect is to check in to the delivery site via ‘docusign.sa(.)com/verification/c.php’,” Domaintools said. “Thus, it will trigger an update in the page’s browser and display the content in ‘docusign.sa(.)com/verification/s.php?an = 1.” ”’ ”com/verification/s.php.”
This will deliver a two-stage PowerShell script and download and run a three-stage ZIP payload from the same server by setting the URL parameter “AN” to “2.” The script unpacks the archive and runs an executable file named “jp2launcher.exe” that resides within it, which ultimately leads to the deployment of the net support rat.
“The multiple stages of scripts that download and run download and run scripts are likely to be attempts to avoid detection and increase resilience through security investigations and takedowns,” the company said.
It is not clear who is currently behind the campaign, but Domaintools noted that they have identified similar distribution URLs, domain naming and registration patterns in connection with the Socgholish (Aka fakeUpdates) campaign detected in October 2024.
“The technologies involved are particularly common and NetSupport Managers are legitimate management tools known to be utilized as rats by multiple threat groups such as FIN7, Scarlet Goldfinch, and Storm-0408.”
