This nefarious Pokémon NFT scheme leaves Windows PCs vulnerable to attack
NetSupport Manager itself is a set of non-malicious remote management tools with remote desktop functionality, but unknown threat actors have bundled this legitimate software into a malicious package that ASEC researchers call the “NetSupport RAT”. This package installs NetSupport Manager and configures it to run on startup and connect to a NetSupport server controlled by the threat actors. When the software establishes a connection to this server, the threat actors can remotely control the compromised system, allowing them to execute arbitrary commands, access clipboard content, observe user actions, and exfiltrate files and browsing history.
The researchers discovered versions of the installer with the Microsoft Visual Studio logo, but do not know the original source of these samples. However, they found websites promoting a fake Pokémon non-fungible token (NFT) card game that acts as a method to trick victims into installing the NetSupport RAT. The “Play on PC” button on these sites downloads a version of the malicious package installer that carries an icon for the fake game and is named “PokemonBetaGame.exe.” When run, this executable infects systems with the NetSupport RAT.
Although the sites distributing this malicious package are no longer running on the domains identified by the ASEC researchers, this does not mean that the threat campaign is over. To avoid infecting their systems with malware, users should avoid downloading software, even legitimate software, from unknown sources and be careful about downloading games that cannot be verified as genuine.
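Because the package described above is legitimate NetSupport Manager software set to run on startup and connect to a server the attackers control, a defender can check where the client starts from and which server it is configured to reach. The following triage sketch is an added example, not code from the article or from ASEC. It assumes the NetSupport client binary name `client32.exe` and the `GatewayAddress`/`SecondaryGateway` settings in the `[HTTP]` section of `client32.ini`, none of which the article names; the trusted directories, approved gateway host and sample data are constructed.

```python
import configparser
from pathlib import PureWindowsPath

CLIENT_BINARY = "client32.exe"  # NetSupport client executable (assumption, not named in the article)
# Assumption: an IT-managed NetSupport install lives under Program Files.
TRUSTED_DIRS = (PureWindowsPath(r"C:\Program Files"), PureWindowsPath(r"C:\Program Files (x86)"))

def image_path(command):
    """Extract the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")
    return command[:end + 4] if end != -1 else command

def is_trusted_location(exe_path):
    # PureWindowsPath comparison is case-insensitive, matching Windows semantics.
    return any(d in PureWindowsPath(exe_path).parents for d in TRUSTED_DIRS)

def gateways(ini_text):
    """Return the gateway hostnames configured in a client32.ini body."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    cp.read_string(ini_text)
    hosts = []
    for key in ("GatewayAddress", "SecondaryGateway"):
        value = (cp.get("HTTP", key, fallback="") or "").strip()
        if value:
            hosts.append(value.rsplit(":", 1)[0].lower())
    return hosts

def triage(autoruns, ini_text, allowed_gateways):
    findings = []
    for name, command in autoruns.items():
        exe = image_path(command)
        if PureWindowsPath(exe).name.lower() == CLIENT_BINARY and not is_trusted_location(exe):
            findings.append(f"autorun '{name}' starts NetSupport client from {exe}")
    for host in gateways(ini_text):
        if host not in allowed_gateways:
            findings.append(f"client configured for unapproved gateway {host}")
    return findings

# Constructed sample data: autorun entries (name -> command) and a client32.ini body.
SAMPLE_AUTORUNS = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Users\alice\AppData\Roaming\Updater\client32.exe",
}
SAMPLE_INI = "[HTTP]\nGatewayAddress=gateway.example.invalid:443\nSecondaryGateway=\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUNS, SAMPLE_INI, {"support.corp.example"}):
        print(finding)
```

Real `client32.ini` files can carry extra lines ahead of the first section, so a production parser should tolerate those before handing the text to `configparser`.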