Threat Actors Spread RAT Via Pokemon NFT Card Site

Written by

Security experts have warned of a new phishing campaign which uses the popularity of Pokemon and NFT to lure users into unwittingly downloading a remote access tool (RAT).

The spoofed Pokemon card game page was spotted by South Korea’s AhnLab Security E-response Center (ASEC). As well as the game itself, the site reportedly offers links to purchase Pokemon-branded NFTs.

ASEC said the “Play on PC” button located on the phishing page covertly installs a version of the popular RAT NetSupport. However, the vendor described it as “malware” because the tool “was not distributed in a form used for normal purposes but rather in a form designed for the threat actor to control the infected system.”

Also distributed via spam emails and other impersonated brands such as Visual Studio, the malicious tool has apparently been in circulation since around December 2022.

“While it could be said that the installed NetSupport-related programs themselves are normal programs, we can see that the threat actor’s C&C server address is included in the ‘client32.ini’ configuration file,” ASEC explained.

“When NetSupport is executed, it reads this configuration file, access and establishes a connection to the threat actor’s NetSupport server, and then allows the operator to control the infected system.”

The NetSupport RAT in question is being used by various threat actors to hijack targeted systems, some of whom are spreading it via phishing emails inside spoofed invoices, shipment documents and purchase orders, ASEC said.

“Features supported by NetSupport by default include not only remote screen control but also system control features such as screen capture, clipboard sharing, collecting web history information, file management and command execution,” it added.

“This means that the threat actor can perform various malicious behaviors such as extorting user credentials and installing additional malware.”

Users were advised to keep their systems updated, not to open attachments in unsolicited emails and only to purchase third-party software from official sites.

What’s hot on Infosecurity Magazine?