Threat actors have been observed using rogue websites for Pokemon NFT card games to distribute the NetSupport remote access tool and take control of unsuspecting victims' devices.
The attackers exploit the popularity of Pokemon and NFTs to lure fans into visiting malicious portals such as pokemon-go[.]io, advertised through malspam and social media posts.
The site displays a play button that lets users download an executable file that appears to be a genuine game installer; running it instead installs the NetSupport RAT on the victim's system.
Researchers discovered another site, beta-pokemoncards[.]io, used in the campaign, which has been taken offline.
The malicious operation was first spotted in December 2022. Earlier samples obtained from VirusTotal revealed that the same attackers had spread a fake Visual Studio file that also installed NetSupport RAT.
NetSupport Manager is a legitimate remote-administration tool, which is precisely why attackers abuse it: its components are far less likely to be flagged by security software than a purpose-built RAT would be.
- A fake executable installer built with Inno Setup is used to deliver the RAT.
- When the installer runs, the NetSupport client (client32.exe) and its dependencies are dropped into a new folder under %APPDATA%. The folder is given the hidden attribute so that it does not show up in a casual manual inspection of the file system.
- The installer then creates an entry in the Windows Startup folder so that the RAT is launched at every logon.
- With the RAT in place, the attackers connect to the device remotely to steal data, install further malware, or move laterally across the network.
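The two host-side artifacts described above (a hidden folder under %APPDATA% holding client32.exe, and a Startup-folder entry that launches it) can be checked directly on a suspect machine. The following PowerShell is an added triage script, not code from the article or from NetSupport; it assumes the file name and drop location stated above, and it assumes that a legitimate NetSupport install would not live in a hidden AppData folder, which is why location rather than the (valid) code signature is treated as the indicator. It only reads; it changes nothing.

```powershell
# Added hunt script (not from the original article). Run as the affected user.
# Looks for: (1) hidden folders directly under %APPDATA% containing client32.exe,
# (2) Startup-folder entries (per-user and all-users) that launch client32.exe
#     or anything under %APPDATA%. Shortcuts are resolved to their real target.
# Assumptions: file name client32.exe and %APPDATA% drop location as in the text.

function Get-NetSupportHits {
    param(
        [string]$AppData = $env:APPDATA
    )
    $hits = @()

    # 1. Hidden directories directly under %APPDATA% that hold client32.exe.
    #    The article says the dropper creates a new hidden folder there, so no
    #    recursion is needed; widen with -Recurse if your samples differ.
    Get-ChildItem -Path $AppData -Directory -Hidden -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe = Join-Path $_.FullName 'client32.exe'
            if (Test-Path -LiteralPath $exe) {
                # A valid NetSupport signature does NOT make this benign:
                # the RAT is the vendor's real client, just dropped somewhere odd.
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $hits += [pscustomobject]@{
                    Indicator = 'HiddenAppDataFolder'
                    Path      = $exe
                    Detail    = "signer=$($sig.SignerCertificate.Subject) status=$($sig.Status)"
                }
            }
        }

    # 2. Startup-folder entries. These run at logon, which is the persistence
    #    the installer sets up. .lnk files are resolved via WScript.Shell so the
    #    real launch target is what gets matched.
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $target = $_.FullName
                if ($_.Extension -ieq '.lnk') {
                    $target = $shell.CreateShortcut($_.FullName).TargetPath
                }
                if ($target -match 'client32\.exe$' -or $target -like "$AppData*") {
                    $hits += [pscustomobject]@{
                        Indicator = 'StartupEntry'
                        Path      = $_.FullName
                        Detail    = "launches $target"
                    }
                }
            }
    }
    return $hits
}

$results = Get-NetSupportHits
if (@($results).Count -eq 0) {
    Write-Host 'No NetSupport RAT artifacts found in AppData or Startup folders.'
} else {
    $results | Format-Table -AutoSize
}
```

On a hit, collect the whole hidden folder (the client's configuration files sit beside the executable and identify the attacker's gateway) before removing the Startup entry and the folder, and check the other user profiles on the machine, since the script only inspects the profile it runs under plus the all-users Startup folder.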
Fans of Pokemon and NFTs are a natural target for such lures, and an infection can have serious consequences such as data theft or system hijacking for extortion. Users should obtain software only from official sources and keep it updated.