Cybercriminals are now using rogue websites for Pokemon NFT card games to distribute the NetSupport remote access tool to gain control over the devices of unsuspecting victims.
About the trap
The scammers exploit the popularity of Pokemon and NFTs among fans, luring them to malicious portals such as pokemon-go[.]io through malspam or social media posts, according to researchers at ASEC.
The website displays a play button that lets users download an executable file that looks like a genuine game installer. In reality, it installs the NetSupport RAT on the victim's system.
Researchers discovered a second site, beta-pokemoncards[.]io, used in the campaign, which has been taken offline.
The first signs of the malicious operation were spotted in December 2022. Earlier samples obtained from VirusTotal revealed that the same attackers had spread a fake Visual Studio file that also installed NetSupport RAT.
Staying low tactics
NetSupport RAT is a legitimate remote technical assistance program; attackers abuse it because, as legitimate software, it tends to slip past security software detection.
In this campaign, a fake installer built with Inno Setup is used to deliver the RAT.
When the installer is run, the NetSupport RAT (client32[.]exe) and its dependencies are dropped into a new folder under %APPDATA%. The folder is set to hidden to evade manual inspection of the file system.
Further, the installer creates an entry in the Windows Startup folder to ensure the RAT runs upon system boot.
The attackers then connect to a user's device remotely to steal data, install malware, or spread further on the network.
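To turn the persistence pattern described above into a host check, here is an added PowerShell example (not from the ASEC report and not NetSupport's own code): it lists Startup-folder entries whose target runs from a hidden folder under %APPDATA% or is named client32.exe. The function name is this example's own.

```powershell
# Added example: hunt for a Startup-folder entry that launches a binary from a
# hidden folder under %APPDATA%, the pattern used by the fake Pokemon installer.
# Find-HiddenAppDataStartup is a name chosen for this example only.
function Find-HiddenAppDataStartup {
    [CmdletBinding()]
    param(
        # Binaries worth calling out explicitly; client32.exe is the NetSupport client
        [string[]]$WatchNames = @('client32.exe')
    )

    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )
    $appData = [Environment]::GetFolderPath('ApplicationData')  # %APPDATA%
    $shell = New-Object -ComObject WScript.Shell

    foreach ($dir in $startupDirs) {
        if ([string]::IsNullOrEmpty($dir) -or -not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $dir -File -Force) {
            # Resolve .lnk shortcuts to their target; other files run as themselves
            $target = if ($item.Extension -ieq '.lnk') {
                $shell.CreateShortcut($item.FullName).TargetPath
            } else { $item.FullName }
            if ([string]::IsNullOrEmpty($target)) { continue }

            $parent = Split-Path -Path $target -Parent
            $underAppData = $target.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
            $hiddenParent = $false
            if ($parent -and (Test-Path -LiteralPath $parent)) {
                # -Force is needed so Get-Item returns hidden folders at all
                $attrs = (Get-Item -LiteralPath $parent -Force).Attributes
                $hiddenParent = $attrs.HasFlag([IO.FileAttributes]::Hidden)
            }
            $watched = $WatchNames -contains (Split-Path -Path $target -Leaf)

            if ($underAppData -and ($hiddenParent -or $watched)) {
                [pscustomobject]@{
                    StartupEntry   = $item.FullName
                    Target         = $target
                    HiddenFolder   = $hiddenParent
                    KnownRatBinary = $watched
                }
            }
        }
    }
}

# Usage: Find-HiddenAppDataStartup | Format-Table -AutoSize
```

A hit on HiddenFolder alone is worth a manual look, since legitimate installers rarely hide their own program folder under %APPDATA%.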
Conclusion
Given the huge fan following of both Pokemon and NFTs, enthusiasts are prone to fall for such scams, with serious consequences such as data theft or system hijacking for extortion. Users are advised to purchase and download software only from genuine marketplaces and to keep those programs up to date.