This nefarious Pokémon NFT scheme leaves Windows PCs vulnerable to attack

Cybersecurity researchers at ASEC have uncovered a threat campaign that distributes remote access software under the guise of a Pokémon NFT card game. Many threat campaigns deploy Remote Access Trojans (RATs), purpose-built malware that runs in the background to give threat actors control of compromised systems. This scheme instead deploys the other kind of RAT, a Remote Administration Tool: legitimate software that provides a graphical user interface (GUI) and remote desktop functionality. Threat actors increasingly misuse such remote desktop software to access and control their targets' machines, and in this case they are abusing NetSupport Manager.

NetSupport Manager itself is a set of non-malicious remote management tools with remote desktop functionality, but unknown threat actors have bundled this legitimate software into a malicious package that ASEC researchers call the “NetSupport RAT”. The package installs the NetSupport Manager client, configures it to run at startup, and points it at a NetSupport gateway server controlled by the threat actors. Once the client connects to that server, the threat actors can remotely control the compromised system: execute arbitrary commands, read the clipboard, watch the user's screen, and exfiltrate files and browsing history. Because the binary is a signed commercial product rather than custom malware, antivirus alone is unlikely to flag it; the detection signal is the configuration (which gateway it talks to) and where it was installed from.
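The description above points at the two things a responder would actually check on a suspect host: the gateway address in the client's configuration file and the autorun entry that keeps it alive. The following triage helper is an added example, not code from ASEC or from the article. It assumes the client binary is `client32.exe` and that the gateway lives under `[HTTP] GatewayAddress` in `client32.ini`, the layout commonly described in public analyses of NetSupport RAT packages; the sample INI, the autorun entries, the allowlisted gateway and the install paths are all constructed for the example and must be replaced with your own inventory data.

```python
"""Triage a suspected NetSupport Manager abuse: flag a client32.ini that talks
to an unapproved gateway, and autorun entries that launch client32.exe from an
unexpected location. Added example; all sample data below is constructed."""
import configparser
from dataclasses import dataclass

# Gateways your organisation legitimately uses (constructed; fill from your CMDB).
ALLOWED_GATEWAYS = {"nsm-gateway.corp.example"}

# Where a sanctioned install is expected to live (assumed default install dirs).
EXPECTED_INSTALL_DIRS = (
    r"c:\program files\netsupport\netsupport manager",
    r"c:\program files (x86)\netsupport\netsupport manager",
)


@dataclass(frozen=True)
class Finding:
    reason: str
    detail: str


def parse_client32_ini(text):
    """Return (gateway_host, gateway_port) from a client32.ini body.
    Assumption: the gateway is stored as [HTTP] GatewayAddress=host[:port],
    with a separate Port key as fallback."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    if not cp.has_section("HTTP"):
        return None, None
    gateway = cp.get("HTTP", "GatewayAddress", fallback="").strip()
    host, _, port = gateway.partition(":")
    port = port or cp.get("HTTP", "Port", fallback="443")
    return (host.lower() or None), port


def check_gateway(ini_text):
    """One finding if the configured gateway is not on the allowlist."""
    host, port = parse_client32_ini(ini_text)
    if host is None or host in ALLOWED_GATEWAYS:
        return []
    return [Finding("unapproved_gateway", f"{host}:{port}")]


def check_autoruns(entries):
    """entries: (registry key or 'StartupFolder', value name, command) tuples,
    as you would collect from the Run keys and Startup folders (assumed
    persistence mechanisms; the article does not say which one was used)."""
    findings = []
    for key, name, command in entries:
        cmd = command.strip().strip('"').lower()
        if "client32.exe" not in cmd:
            continue
        if not cmd.startswith(EXPECTED_INSTALL_DIRS):
            findings.append(Finding("client32_outside_install_dir",
                                    f"{key}\\{name} -> {command}"))
    return findings


def triage(ini_text, autorun_entries):
    """Reasons to escalate, in a stable order; empty list means nothing found."""
    findings = check_gateway(ini_text) + check_autoruns(autorun_entries)
    return sorted({f.reason for f in findings})


# Constructed sample data: a client pointed at an attacker-style gateway and
# launched from a user-writable directory, versus a sanctioned deployment.
SUSPECT_INI = """[Client]
_present=1
silent=1
[HTTP]
GatewayAddress=gateway.example.net:443
Port=443
"""
SUSPECT_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "client32",
     r'"C:\Users\victim\AppData\Roaming\NetSupport\client32.exe"'),
]
BENIGN_INI = """[HTTP]
GatewayAddress=nsm-gateway.corp.example
Port=443
"""
BENIGN_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "NetSupport",
     r'"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"'),
]

if __name__ == "__main__":
    print("suspect host:", triage(SUSPECT_INI, SUSPECT_AUTORUNS))
    print("managed host:", triage(BENIGN_INI, BENIGN_AUTORUNS))
```

Run it against the INI and autorun data pulled from a host; an empty result means the client matches a known-good deployment, while either reason is grounds to pull the binary's origin (the installer that dropped it) and block the gateway at the egress proxy.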

Website Promoting Fake Pokemon Card Game With Download Button (Source: ASEC)

For at least two years, threat actors have distributed the NetSupport RAT through various methods, including spam emails and hacked WordPress blogs. The particular campaign identified by ASEC appears to have started around December 2022 and spreads the malicious package through fraudulent installers that pose either as real software or as software that does not exist at all. Each installer carries the icon of the program it impersonates, but installs the NetSupport RAT instead of the expected software.


The researchers discovered versions of the installer carrying the Microsoft Visual Studio logo, but could not determine where those samples were originally distributed from. They did, however, find websites promoting a fake Pokémon non-fungible token (NFT) card game that serve as the lure for installing the NetSupport RAT. The “Play on PC” button on these sites downloads a copy of the malicious installer that uses the fake game's icon and is named “PokemonBetaGame.exe.” When run, this executable infects the system with the NetSupport RAT.

Although the sites distributing this malicious package are no longer running on the domains identified by the ASEC researchers, this does not mean that the threat campaign is over; the same package can reappear on new domains at any time. To avoid infecting their systems, users should download software only from its vendor's official site rather than from unknown sources, and should be wary of games that cannot be verified as genuine.
