Hackers use a fraudulent Pokemon NFT game to hack Windows devices.
Threat actors are distributing the NetSupport remote access tool and taking control of victims’ devices via a well-crafted Pokemon NFT card gaming site. The website “pokemon-go[.]io,” which is still up and running as of this writing, claims to be the home of a new NFT card game based on the Pokemon franchise, offering users strategic fun as well as NFT investment profits.
Given the widespread popularity of both Pokemon and NFTs, the operators of the malicious portal should have no trouble attracting visitors to the site via malspam, online posts, and other means.
Those who click the “Play on PC” buttons are directed to an executable that appears to be a legitimate game installer but installs the NetSupport remote access tool (RAT) on the targeted computer.
Analysts at ASEC discovered the operation, and according to them, a second site, “beta-pokemoncards[.]io,” was also used during the campaign but has since been taken offline.
The first signs of this campaign’s activity appeared in December 2022. Earlier samples obtained from VirusTotal revealed that the same operators had pushed a counterfeit Microsoft Visual file instead of the Pokemon game.
Dropping the NetSupport RAT
The NetSupport RAT executable (“client32.exe”) and its dependencies are placed in a new folder under the %APPDATA% directory. They are set to “hidden” to avoid detection by victims performing manual file system inspections.
Furthermore, the installer places an entry in the Windows Startup folder to ensure that the RAT runs when the system boots.
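A defender-side triage check for the two persistence indicators just described, written here as an added example (it is not code from ASEC or from the article): it lists every client32.exe below %APPDATA%, notes whether its folder carries the hidden attribute, and flags Startup-folder items that name or point at that binary. The drop-folder name, the stand-in shortcut bytes and the placeholder executable are constructed for the demo.

```python
# Added triage example (not from the article): find client32.exe under %APPDATA%
# and Startup-folder items that point at it, as described for this campaign.
import stat
import tempfile
from pathlib import Path

RAT_BINARY = "client32.exe"  # the NetSupport client executable named in the article

def is_hidden(path: Path) -> bool:
    """True when the Windows 'hidden' attribute is set; always False on other OSes."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))

def find_rat_copies(appdata: Path) -> list:
    """Every client32.exe below %APPDATA%, noting whether its folder is hidden."""
    return [{"path": str(p), "hidden_dir": is_hidden(p.parent)}
            for p in appdata.rglob("*") if p.is_file() and p.name.lower() == RAT_BINARY]

def find_startup_references(startup: Path) -> list:
    """Startup-folder files that are, or refer to, client32.exe. Shortcut (.lnk)
    files store their target as ASCII or UTF-16LE, so both encodings are searched."""
    needles = (RAT_BINARY.encode("ascii"), RAT_BINARY.encode("utf-16-le"))
    refs = []
    for item in startup.iterdir():
        if item.is_file():
            data = item.read_bytes().lower()  # lowercases ASCII letters in both encodings
            if item.name.lower() == RAT_BINARY or any(n in data for n in needles):
                refs.append(str(item))
    return refs

def triage(appdata: Path, startup: Path) -> dict:
    """Run both checks; persistence_chain is True when a drop and a Startup entry coexist."""
    copies, refs = find_rat_copies(appdata), find_startup_references(startup)
    return {"rat_copies": copies, "startup_refs": refs, "persistence_chain": bool(copies and refs)}

def run_constructed_demo() -> dict:
    """Build a constructed (not real) layout mirroring the campaign and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata = Path(tmp) / "AppData" / "Roaming"
        drop = appdata / "xk3f"  # hypothetical folder name; the real one is not given
        drop.mkdir(parents=True)
        (drop / RAT_BINARY).write_bytes(b"MZ placeholder, not a real executable")
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        target = str(drop / RAT_BINARY).encode("utf-16-le")  # .lnk-style UTF-16LE target
        (startup / "Pokemon.lnk").write_bytes(b"L\x00\x00\x00" + target)
        (startup / "desktop.ini").write_bytes(b"[.ShellClassInfo]")  # benign item
        return triage(appdata, startup)

if __name__ == "__main__":
    print(run_constructed_demo())
```

On a live Windows host, point `triage()` at `%APPDATA%` and the user’s `Startup` folder instead of the constructed layout; a hit under %APPDATA% paired with a Startup reference matches the chain the article describes.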
Threat actors frequently use NetSupport RAT (NetSupport Manager) to evade security software because it is a legitimate programme.
Malicious actors can then remotely connect to a user’s device to steal data, install other malware, or even spread further across the network.
While NetSupport Manager is a valid software product, threat actors frequently use it in their malevolent campaigns.
Microsoft issued a warning in 2020 about phishing actors using COVID-19-themed Excel files to install NetSupport RAT on recipients’ computers.
In August 2022, compromised WordPress sites displaying bogus Cloudflare DDoS protection pages infected victims with NetSupport RAT and Raccoon Stealer.
NetSupport Manager provides remote screen control, video capture, system monitoring, remote system grouping for improved control, and numerous connectivity options, including internet traffic encryption.
However, the implications of such an infection are wide-ranging and severe, primarily involving unauthorized access to confidential user data and the download of additional malware.