Hackers have recently been identified using a well-designed Pokémon non-fungible token (NFT) card game site online to distribute a remote access tool (RAT) and take control of target’s computers.

Entitled “pokemon-go[.]io, the website claims to be the official site for a brand-new NFT card game that is connected with the popular Pokémon franchise. The website is designed to lure in users promising them both strategic entertainment and profits from NFT investments.

Due to the lasting popularity of the Pokémon brand and the growing interest in NFTs, experts believed that it will not be difficult for the malicious operators behind the portal to attract an audience to the website through posts on social media, online forums and malspam.

How the cyberattack works

Users who click on a button marked “Play on PC” will download an executable file that appears to be a genuine game installer. However, the executable installs the NetSupport RAT onto the user’s system.

The sinister operation was discovered by threat analysts based at ASEC. The researchers reported that this was one of two active sites being used to run the malicious campaign with the second being “beta-pokemoncards[.]io”. However, this portal is no longer online.

This threat campaign’s early signs of activity emerged in December last year. However, earlier samples recovered from VirusTotal indicated that the same hackers had pushed a bogus Visual Studio file rather than the Pokémon game.

The real damage begins when the NetSupport RAT executable along with its dependencies are successfully installed in a brand-new folder using the %APPDATA% path. The malicious payload is pre-set to “hidden” to evade detection by victims who perform manual inspections on their file system.

Furthermore, the installer creates a new entry within the Windows Startup folder. This is designed to ensure that the RAT will be executed when the system next boots. The hackers are then able to remotely connect to the victim’s device, giving them the ability to carry out a wide range of criminal activities. These include, but are not limited to, stealing data, installing further malware and even attempting to spread laterally across a network, taking control of all devices connected.

Abuse of a legitimate solution

Because the NetSupport RAT, also known as NetSupport Manager, is a genuine program, threat operators commonly use it for their cybercriminal campaigns, because in many cases it can entirely evade security software.

Back in 2020, tech giant Microsoft warned that phishing actors were using coronavirus-themed Excel files that were designed to drop the NetSupport RAT on recipients’ devices. More recently, just last year in August, a campaign that targeted WordPress sites with bogus Cloudflare Dedicated Denial of Service (DDoS) protection pages also installed Raccoon Stealer and NetSupport RAT on its victims.

As a legitimate tool, NetSupport Manager can be exceptionally useful, supporting remote screen control, system monitoring, screen recording, remote system grouping giving enhanced control and a wide range of connectivity options, which include network traffic encryption. However, when used with malicious intent, the consequences of an infection can be widespread and severe.