Threat actors are using a well-crafted Pokemon NFT card game website to distribute the NetSupport remote access tool and take control over victims’ devices.
The website “pokemon-go[.]io,” which is still online at the time of writing, claims to be home to a new NFT card game built around the Pokemon franchise, offering users strategic fun together with NFT investment profits.
Considering the popularity of both Pokemon and NFTs, it shouldn’t be hard for the operators of the malicious portal to draw an audience to the site through malspam, social media posts, etc.
Those who click on the “Play on PC” button download an executable that looks like a legitimate game installer but, in reality, installs the NetSupport remote access tool (RAT) on the victim’s system.
The operation was uncovered by analysts at ASEC, who reports there was also a second site used in the campaign, at “beta-pokemoncards[.]io,” but it has since been taken offline.
This campaign’s first signs of activity appeared in December 2022, while earlier samples retrieved from VirusTotal showed that the same operators pushed a fake Visual Studio file instead of the Pokemon game.
Dropping the NetSupport RAT
The NetSupport RAT executable (“client32.exe”) and its dependencies are installed in a new folder in the %APPDATA% path. They are set to “hidden” to help evade detection from victims performing manual inspections on the file system.
Moreover, the installer creates an entry in the Windows Startup folder to ensure the RAT will execute upon system boot.
As NetSupport RAT (NetSupport Manager) is a legitimate program, threat actors commonly use it in the hopes it will evade security software.
The threat actors can now remotely connect to a user’s device to steal data, install other malware, or even attempt to spread further on the network.
While NetSupport Manager is a legitimate software product, it is commonly used by threat actors as part of their malicious campaigns.
In 2020, Microsoft warned about phishing actors using COVID-19-themed Excel files that dropped NetSupport RAT onto the recipients’ computers.
In August 2022, a campaign targeting WordPress sites with fake Cloudflare DDoS protection pages installed NetSupport RAT and Raccoon Stealer on victims.
NetSupport Manager supports remote screen control, screen recording, system monitoring, remote system grouping for better control, and plenty of connectivity options, including network traffic encryption.
That said, the consequences of such an infection are broad and severe, mainly concerning unauthorized access to sensitive user data and downloading further malware.