Phishing, Malware
NetSupport RAT spread via bogus Gitcode, DocuSign sites

Malicious websites impersonating Gitcode and DocuSign have been used to facilitate NetSupport RAT malware delivery as part of a new attack campaign, The Hacker News reports.
Social engineering tactics via email or social media may have been leveraged to lure targets into visiting the fake websites, according to an analysis from the DomainTools Investigations team. While the counterfeit Gitcode sites contained PowerShell scripts enabling additional script downloads to eventually launch NetSupport RAT, bogus DocuSign sites were found to have employed ClickFix-like CAPTCHA verifications to download a pair of PowerShell scripts leading to malware deployment. "The multiple stages of scripts downloading and running scripts that download and run yet more scripts is likely an attempt to evade detection and be more resilient to security investigations and takedowns," said researchers, who also observed similarities between the new attack and the SocGholish campaign, also known as FakeUpdates, last October.