Friday November 22, 2024

Advisory ID: NCC-CSIRT-0901-002 

Summary:  

Cybersecurity analysts at ASEC (South Korea’s cybersecurity emergency response centre) discovered NetSupport RAT malware being distributed by threat actors from a phishing website disguised as a popular Pokemon card game. The malware serves as a remote access tool that gives the attackers control over victims' PCs (personal computers). It may allow them to remotely control the compromised computer’s mouse and keyboard, access the system’s file management and history, and even execute commands that install additional malware.

Vulnerable Platform(s):  

Windows Operating System

Threat Type:  

  • Malware
  • Phishing

Product: Windows-Based PCs

Version:   All Versions 

Description: According to the researchers, the crafted website that spread the malware is still online. It claims to be home to a new NFT card game built around the Pokemon franchise, offering users strategic fun together with NFT investment profits. The attackers first try to get victims to install NetSupport Manager, a legitimate remote-control tool that lets one PC remotely control another PC on which the software is installed. Because NetSupport Manager is legitimate software, its presence is less likely to be flagged by security tools, which is why the threat actors abuse it. After a successful installation, the NetSupport RAT executable and its dependencies are placed in a new folder whose contents are set to "hidden" so that victims who manually inspect the file system do not notice them. The installer also adds an entry to the Windows Startup folder so that the RAT runs every time the system boots. With this persistence in place, the threat actors can remotely connect to the user's device to steal data, install other malware, or attempt to spread further across the network.
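The two persistence traits described above (an entry in the Windows Startup folder, and a launch target living in a hidden folder) are easy to check for on a single host. The script below is an added example written for this advisory; it is not code from ASEC or from the NetSupport Manager product. It assumes a Windows machine with PowerShell, resolves every shortcut in the per-user and all-users Startup folders to its target, and flags any target that sits inside a hidden file or directory. Run it in an elevated session so the all-users folder is readable.

```powershell
# Added example (not from the advisory): list Windows Startup folder entries and
# flag those whose launch target is hidden or lives under a hidden directory,
# the persistence pattern the advisory describes.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$shell = New-Object -ComObject WScript.Shell

function Test-HiddenPath {
    param([string]$Path)
    # True if the file itself, or any directory between it and the drive root,
    # carries the Hidden attribute. The drive root is skipped because Windows
    # marks it Hidden+System by default, which would be a false positive.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    if ($item.Attributes -band [IO.FileAttributes]::Hidden) { return $true }
    $dir = if ($item -is [IO.DirectoryInfo]) { $item.Parent } else { $item.Directory }
    while ($null -ne $dir -and $null -ne $dir.Parent) {
        if ($dir.Attributes -band [IO.FileAttributes]::Hidden) { return $true }
        $dir = $dir.Parent
    }
    return $false
}

$findings = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    # -Force includes hidden entries; desktop.ini is a normal hidden system file here.
    foreach ($entry in Get-ChildItem -LiteralPath $folder -Force -File |
                       Where-Object Name -ne 'desktop.ini') {
        # Shortcuts are resolved to their target; other files (exe, bat, vbs) run directly.
        $target = $entry.FullName
        if ($entry.Extension -eq '.lnk') {
            $linkTarget = $shell.CreateShortcut($entry.FullName).TargetPath
            if (-not [string]::IsNullOrWhiteSpace($linkTarget)) { $target = $linkTarget }
        }
        [PSCustomObject]@{
            StartupEntry   = $entry.FullName
            Target         = $target
            TargetExists   = Test-Path -LiteralPath $target
            TargetIsHidden = Test-HiddenPath -Path $target
        }
    }
}

# Full inventory for review, then a warning per suspicious entry.
$findings | Format-Table -AutoSize
$findings | Where-Object TargetIsHidden | ForEach-Object {
    Write-Warning "Startup entry '$($_.StartupEntry)' launches '$($_.Target)' from a hidden location"
}
```

A hidden launch target is not proof of compromise on its own; some legitimate installers also hide their folders. Treat a flagged entry as something to verify (publisher signature, install date, whether the user recognises it) rather than as a verdict, and remember that the Startup folder is only one of several autostart locations on Windows.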

Consequences:

  • Unauthorized access to sensitive user data and downloading further malware 

Impact/Probability: HIGH/MEDIUM

Solution:
  • Only purchase or download applications from official websites.
  • Do not open attachments in suspicious emails.
References: