Threat Actors Spread RAT Via Pokemon NFT Card Site

Security experts have warned of a new phishing campaign that uses the popularity of Pokémon and NFTs to trick users into unknowingly downloading remote access tools (RATs).

The fake Pokémon card game page was discovered by the AhnLab Security Emergency response Center (ASEC) in South Korea. As well as the game itself, the site reportedly provides links to purchase Pokémon-branded NFTs.

According to ASEC, pressing the [Play on PC] button on the phishing page silently installs a version of the popular remote access tool NetSupport. The vendor nonetheless described it as “malware” because the tool was “distributed in a form designed to give attackers control over infected systems, rather than in a form used for normal purposes.”

Distributed via spam emails and disguised as well-known software such as Visual Studio, this malicious tool appears to have been in circulation since around December 2022.

“The installed NetSupport-related program can be said to be a normal program itself, but we can see that the attacker’s C&C server address is included in the ‘client32.ini’ configuration file,” ASEC explained.

“When NetSupport runs, it reads this configuration file and accesses the attacker’s NetSupport server to establish a connection, giving the operator control over the infected system.”
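As an added illustration of the configuration-based check ASEC's description suggests (this is not code from the article or from ASEC), the following Python parses a constructed `client32.ini` and flags any gateway address that is not on a defender-maintained allowlist. The `[HTTP]` section and the `GatewayAddress` / `SecondaryGateway` key names are assumptions about the file layout, and every host below is a placeholder.

```python
import configparser

# Constructed sample in the shape ASEC describes: a NetSupport client32.ini whose
# gateway entries point at a (placeholder) attacker-controlled server. The
# [HTTP] section and GatewayAddress/SecondaryGateway keys are assumptions about
# the real layout, not values quoted in the article.
SAMPLE_CLIENT32_INI = """
[Client]
quiet=1
silent=1

[HTTP]
GatewayAddress=c2.example.invalid:443
SecondaryGateway=203.0.113.10:1234
"""

# Gateways the organisation actually operates (placeholder value).
APPROVED_GATEWAYS = {"nsm-gateway.corp.example:443"}


def extract_gateways(ini_text):
    """Return every gateway host:port the client would contact when it starts."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written in the file
    cp.read_string(ini_text)
    found = []
    if cp.has_section("HTTP"):
        for key in ("GatewayAddress", "SecondaryGateway"):
            value = cp.get("HTTP", key, fallback="").strip()
            if value:
                found.append(value)
    return found


def unapproved_gateways(ini_text, approved=APPROVED_GATEWAYS):
    """Gateways outside the allowlist; an attacker's C&C address shows up here."""
    return [g for g in extract_gateways(ini_text) if g not in approved]


if __name__ == "__main__":
    for gw in unapproved_gateways(SAMPLE_CLIENT32_INI):
        print(f"unapproved NetSupport gateway: {gw}")
```

Run against the `client32.ini` shipped with a suspicious installer (or collected from an endpoint) to surface gateways that do not belong to a known deployment.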

The NetSupport RAT in question has been used by various threat actors to hijack targeted systems, some of whom spread it via phishing emails carrying spoofed invoices, shipping documents, and purchase orders, ASEC said.

“By default NetSupport supports not only remote screen control, but also system control functions such as screen capture, clipboard sharing, web history information collection, file management and command execution,” ASEC added.

“This means threat actors can perform a variety of malicious actions, including extorting user credentials and installing additional malware.”

Users were advised to keep their systems up-to-date, never open unsolicited email attachments, and purchase third-party software only from official sites.
