Remote-access Guide

netsupport remote access arrested

by Prof. Gerson Daugherty Published 3 years ago Updated 2 years ago
image

What is the NetSupport Manager remote access Tool (RAT) campaign?

A campaign that has been active for the past few months has been leveraging compromised websites to spread fake software updates that in some cases delivered the NetSupport Manager remote access tool (RAT), FireEye reports. A commercially available RAT, NetSupport Manager is employed by administrators for remote access to client computers.

How do I remote control the NetSupport Manager?

On each machine you want to remote control, you’ll need to install the NetSupport Manager Client. And on any machine you wish to remote control from, you install the Control. Simple!

What is NetSupport Manager?

What is NetSupport Manager? The NetSupport Manager program is categorized as a Remote Access Tool (RAT). Like most programs of this type, it allow users to access computers, workstations, and servers locally and remotely.

How do I configure NetSupport DNA Gateway server remote control?

Open the NetSupport DNA Console and in the Settings tab, click Manage existing profiles. Select the required Profile. Click Settings and select Remote Control. Enter in the External gateway address field the Public IP address or DNS name for the DNA Gateway Server.

image

What is NetSupport client used for?

NetSupport Manager is a Windows-centric cross-platform remote control software, allowing remote screen control and systems management from a Windows or Windows Mobile device of Windows, Mac, Linux, Solaris and Mobile devices. It was first released for DOS only networks in 1989.

How do I disable NetSupport?

How to uninstall NetSupport School completelyMethod 1: Uninstall NetSupport School with a third-party uninstaller.Method 2: Uninstall NetSupport School via Apps and Features/Programs and Features.Method 3: Uninstall NetSupport School with its uninstaller.exe.Method 4: Uninstall String with Run.

How did NetSupport Manager infiltrate my computer?

Cyber criminals trick people into downloading and installing this tool using fake Google Chrome, Mozilla Firefox, Flash Player (and other) updaters. These programs are disguised as legitimate update tools, however, rather than downloading and installing updates, they download and install unwanted software, in this case the NetSupport Manager.

How to avoid installation of malware?

Update software using implemented, official tools that are provided by software developers only. Download software from official websites and using direct links. Do not use the other channels mentioned above. Do not open attachments (or web links) that are presented in irrelevant emails or that are received from unknown, suspicious email addresses.

How to prevent computer viruses?

Avoid using software cracking tools, since this is a cyber crime and often causes computer infections. Have reputable anti-virus or anti-spyware software installed and enabled - this can detect harmful files before they do any damage. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Can NetSupport Manager be used to move files?

Therefore, users can move files from one computer to another. NetSupport Manager users are also offered some other features. As we mentioned above, these tools are often used by cyber criminals with malicious intent. If installed on a computer without users' knowledge, it can be used to steal personal information.

What is NetSupport Manager?

Designed to operate over your LAN, WAN or the internet, securely and without the need for firewall configuration, NetSupport Manager provides a single, high speed solution for the remote management of multi-platform computers – without the need for a third-party service or ongoing subscription costs.

What makes NetSupport Manager unique?

What makes NetSupport Manager unique is its range of supporting tools to ensure maximum efficiency and, most importantly, the minimum level of system downtime and lost productivity as support issues are being addressed – making it the perfect tool of choice for any IT team.

Is NetSupport Manager a good product?

NetSupport Manager is just a great product. It does what it says it does, without any hassle.

What is NetSupport Manager?

NetSupport Manager’s extended audio support allows one-way talk, listen or full bi-directional audio conversations (both within and outside of a remote control session), as well as seamless streaming of the remote PC’s audible application sounds. Audio support is available over all LAN/WAN and internet-based communications.

Can end users send help requests to helpdesk?

End users can also, when enabled, send help requests directly to your helpdesk when they need assistance. The help request can either be sent to all available operators, or directed to specific operators based on user-defined accounts. Incoming requests are displayed within the NetSupport Manager Control user interface.

Can you have two way chats in NetSupport Manager?

Within NetSupport Manager, a user can conduct a two-way chat session between any number of selected users in either text or full audio mode.

How many components are there in NetSupport Manager?

At its simplest, there are just three components on NetSupport Manager you need to know about. On each machine you want to remote control, you’ll need to install the NetSupport Manager Client. And on any machine you wish to remote control from, you install the Control. Simple!

How to connect to a Gateway?

So how do you get ready to work remotely? 1 Start by setting up the Gateway. This can be installed on any PC (within our specifications) with a static IP address or a dynamic DNS, depending on how you wish to access it. You can refer to our detailed setup guide here. 2 Run the Gateway installer on the selected PC. 3 Make sure it’s listening on all interfaces. We recommend changing to our dedicated port – see guide. 4 To make your version of NSM unique to your organisation, you can set a Gateway key. This means that only devices within your organisation with a matching key can access your Gateway. 5 Once the key is applied, click OK, and it’s done! 6 To access your Gateway remotely, either configure your router with simple port forwarding so you can access it from an external address – or locate it on your DMZ. See guide for details.

image

Infection Vector

  • The operator behind these campaigns uses compromised sites to spread fake updates masquerading as Adobe Flash, Chrome, and FireFox updates. When users navigate to the compromised website, the malicious JavaScript file is downloaded, mostly from a DropBox link. …
See more on mandiant.com

In-Depth Analysis of Javascript

  • The initial JavaScript file contains multiple layers of obfuscation. Like other malicious scripts, the first layer has obfuscation that builds and executes the second layer as a new function. The second layer of the JavaScript contains the decfunction, which is used to decrypt and execute more JavaScript code. Figure 2 shows a snapshot of the second layer. In the second JavaScript …
See more on mandiant.com

Conclusion

  • RATs are widely used for legitimate purposes, often by system administrators. However, since they are legitimate applications and readily available, malware authors can easily abuse them and sometimes can avoid user suspicion as well. The FireEye HX Endpoint platform successfully detects this attack at the initial phase of the attack cycle.
See more on mandiant.com

Acknowledgement

  • Thanks to my colleagues Dileep Kumar Jallepalli, Rakesh Sharma and Kimberly Goody for their help in the analysis.
See more on mandiant.com

Indicators of Compromise

  • Registry entries HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run : ManifestStore HKCU\Software\SeX\KEx Files %AppData%\ManifestStore\client32.exe %AppData%\ManifestStore\client32.ini %AppData%\ManifestStore\HTCTL32.DLL %AppData%\ManifestStore\msvcr100.dll %AppData%\ManifestStore\nskbfltr.inf %AppData%\M…
See more on mandiant.com

What Kind of Software Is NetSupport Manager?

Image
The NetSupport Manager program is categorized as a Remote Access Tool (RAT). Like most programs of this type, it allow users to access computers, workstations, and servers locally and remotely. This is legitimate software that can be used by anyone, however, RATs are often misused by cyber criminals for malicious purpos…
See more on pcrisk.com

More About NetSupport Manager

  • Typically, cyber criminals use various ways to trick people into downloading remote access tools so that they can steal information/personal data and use it to generate revenue. NetSupport Manager is capable of monitoring systems and viewing all connected workstations in real time simultaneously. In summary, it can be used to monitor computing acti...
See more on pcrisk.com

Examples of Other Rats

  • There are a number of RATs available, and often they are legitimate tools. Some examples of other RATs are Orcus, Agent Tesla, Imminent Monitor, and CrimsonRAT. Note that cyber criminals often use these tools for malicious purposes (to steal information, cause computer infections, and so on).
See more on pcrisk.com

How Did NetSupport Manager Infiltrate My computer?

  • Cyber criminals trick people into downloading and installing this tool using fake Google Chrome, Mozilla Firefox, Flash Player (and other) updaters. These programs are disguised as legitimate update tools, however, rather than downloading and installing updates, they download and install unwanted software, in this case the NetSupport Manager. They also proliferate this RAT throug…
See more on pcrisk.com

How to Avoid Installation of Malware?

  • Update software using implemented, official tools that are provided by software developers only. Download software from official websites and using direct links. Do not use the other channels mentioned above. Do not open attachments (or web links) that are presented in irrelevant emails or that are received from unknown, suspicious email addresses. Avoid using software cracking t…
See more on pcrisk.com

How to Remove Malware manually?

  • Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicio…
See more on pcrisk.com

Frequently Asked Questions

  • My computer is infected with malware, should I format my storage device to get rid of it? Usually, malware can be removed without formatting the storage device. A detailed removal guide is provided above. What are the biggest issues that malware can cause? It may lead to identity theft, financial losses, data encryption, decreased computer performance, further infections, and othe…
See more on pcrisk.com

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9