Cybersecurity researchers say a campaign tracked as JS#Smuggler has been observed using compromised websites as a distribution vector for a remote access Trojan named NetSupport RAT.
The attack chain analyzed by Securonix includes three main moving parts: an obfuscated JavaScript loader injected into a website, an HTML application (HTA) that uses ‘mshta.exe’ to run an encrypted PowerShell stager, and a PowerShell payload designed to download and execute the primary malware.
Researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said, “NetSupport RAT allows attackers complete control over a victim host, including remote desktop access, file manipulation, command execution, data theft, and proxy functionality.”
At this stage, there is little evidence linking this campaign to any known threat groups or countries. This activity was found to target corporate users through compromised websites, indicating a widespread effort.
The cybersecurity firm described it as a multi-stage web-based malware operation that uses hidden iframes, obfuscated loaders, and layered script execution for malware deployment and remote control.
In these attacks, silent redirects embedded in infected websites act as a conduit for a heavily obfuscated JavaScript loader (“phone.js”) fetched from an external domain. The loader profiles the device and decides whether to serve a full-screen iframe (when the visitor is on a mobile phone) or to load a second-stage script from another remote location (when the visitor is on a desktop).
The invisible iframe is designed to redirect victims to a malicious URL. The JavaScript loader has a built-in tracking mechanism that minimizes the chance of detection by ensuring that malicious logic is only invoked once, upon first access.
“This device-aware bifurcation allows attackers to tailor infection vectors, hide malicious activity from specific environments, and maximize success rates by delivering platform-appropriate payloads while avoiding unnecessary exposure,” the researchers said.
The remote script downloaded in the first stage of the attack lays the groundwork by constructing a URL from which the HTA payload is downloaded and executed using ‘mshta.exe’. The HTA payload is itself another loader: it writes a temporary PowerShell stager to disk, decrypts it, and executes it directly in memory to avoid detection.
Additionally, the HTA file is secretly executed by disabling all visible window elements and minimizing the application upon startup. Once the decrypted payload is executed, it also takes steps to remove the PowerShell stager from disk and terminate itself with as little forensic trace as possible.
The primary purpose of the decrypted PowerShell payload is to retrieve and deploy the NetSupport RAT, giving the attacker complete control over the compromised host.
“Sophisticated, multi-layered evasion techniques strongly indicate that a professional malware framework is actively maintained,” Securonix said. “Defenders must deploy strong CSP enforcement, script monitoring, PowerShell logging, mshta.exe restrictions, and behavioral analysis to effectively detect such attacks.”
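As an added illustration of the mshta.exe restrictions and PowerShell logging the researchers recommend (example code written for this article, not Securonix's own detection content), the following Python flags process-creation events in which mshta.exe is launched with a remote URL and then spawns a hidden or policy-bypassing PowerShell child. The event records are constructed samples in a Sysmon-like shape, and the field names (pid, ppid, image, cmd) are assumptions.

```python
import re
from ntpath import basename

# Constructed sample process-creation events (hypothetical, not from the report):
# a browser launches mshta.exe with a remote HTA, which spawns a hidden PowerShell
# stager; a local admin HTA and a stand-alone hidden PowerShell are included as
# benign controls so the rule only fires on the chain described in the article.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmd": "firefox.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://example.invalid/stage2.hta"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\stager.ps1"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\deploy\inventory.hta"},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -f C:\scripts\backup.ps1"},
]

REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
# Flags a stager is likely to carry: hidden window, execution-policy bypass, or an
# encoded command. They are noisy on their own, so they only add weight under mshta.
PS_HIDDEN = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)\b"
    r"|ep\s+bypass|executionpolicy\s+bypass)", re.IGNORECASE)

def image_name(event):
    return basename(event["image"]).lower()

def analyze(events):
    """Return one finding per mshta.exe process that fetched a remote HTA or spawned PowerShell."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        if image_name(e) != "mshta.exe":
            continue
        reasons = []
        if REMOTE_URL.search(e["cmd"]):
            reasons.append("mshta_remote_url")
        for child in by_parent.get(e["pid"], []):
            if image_name(child) in ("powershell.exe", "pwsh.exe"):
                reasons.append("mshta_spawns_powershell")
                if PS_HIDDEN.search(child["cmd"]):
                    reasons.append("powershell_hidden_or_bypass")
        if reasons:
            findings.append({"pid": e["pid"], "cmd": e["cmd"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['cmd']} -> {', '.join(f['reasons'])}")
```

The local HTA (pid 400) and the hidden PowerShell with a non-mshta parent (pid 500) produce no finding, which keeps the rule usable where mshta.exe is still legitimately in use.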
CHAMELEON#NET delivers Formbook malware
The disclosure comes weeks after the company detailed another multi-stage malspam campaign, called CHAMELEON#NET, that used phishing emails to deliver Formbook, a keylogger and information stealer. The emails, posing as correspondence from the National Social Security Department, aim to lure victims into downloading a seemingly harmless archive or into entering their credentials on a fake webmail portal built for that purpose.
“The campaign begins with a phishing email that tricks users into downloading a .BZ2 archive, starting a multi-step infection chain,” Sangwan said. “The initial payload is a highly obfuscated JavaScript file that acts as a dropper and leads to the execution of a complex VB.NET loader. This loader uses advanced reflection and a custom conditional XOR cipher to decrypt and execute the final payload, the Formbook RAT, completely in memory.”
Specifically, the JavaScript dropper decodes two additional JavaScript files and writes them to disk in the %TEMP% directory.
- svchost.js: Drops a .NET loader executable called DarkTortilla (‘QNaZg.exe’), a crypter often used to distribute next-stage payloads.
- adobe.js: Drops a file named “PHat.jar”, an MSI installer package that behaves similarly to ‘svchost.js’.
In this campaign, the loader is configured to decrypt and execute the embedded DLL, the Formbook malware. Persistence is achieved by adding it to the Windows startup folder so that it launches automatically when the system restarts; alternatively, persistence can be established through the Windows Registry.
“Those attackers have successfully used a combination of social engineering, advanced script obfuscation, and advanced .NET evasion techniques to successfully compromise their targets,” Securonix said. “By using a custom decryption routine followed by reflective loading, the final payload can be executed filelessly, significantly increasing the complexity of detection and forensic analysis.”