NetSupport RAT Spreads Through Compromised WordPress Sites Using ClickFix Technique

The Cybereason Global Security Operations Center (GSOC) has uncovered a sophisticated campaign by threat actors who are exploiting compromised WordPress websites to distribute malicious versions of the legitimate NetSupport Manager Remote Access Tool (RAT).

This campaign, detailed in a recent report, employs phishing emails, PDF attachments, and even gaming websites to lure unsuspecting users into a multi-stage attack chain designed to deploy the NetSupport RAT payload.

Malicious Campaigns Leverage Phishing

The intricate use of malicious JavaScript and DOM manipulation techniques underscores the growing technical prowess of cybercriminals aiming to infiltrate systems for reconnaissance and further exploitation.

The attack begins when victims are redirected to a malicious WordPress site through one of the aforementioned delivery methods.

Threat actors embed malicious JavaScript within the site’s meta description and anchor tags, triggering the download of a script named “j.js” from domains like islonline[.]org.

This script, which varies depending ...