Norton LifeLock phishing scam infects victims with remote access trojan

Hackers employed a clever trick to get users to enable macros in a malicious Word document

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The cybercriminals behind a recentphishing campaignused a fake Norton LifeLock document in order to trick victims into installing a remote access trojan (RAT) on their systems.

The infection begins with aMicrosoftWord document that contains malicious macros. However, to get users to enable macros, which are disabled by default, the threat actor behind the campaign used a fake password-protectedNorton LifeLockdocument.

Victims are asked to enable macros and type in a password, provided in the phishing email containing the document, to gain access to it. Palo Alto Networks’Unit 42, which discovered the campaign, also found that the password dialog box accepts only a upper or lowercase letter ‘C’. If the password is incorrect, the malicious action does not continue.

If the user does input the correct password, the macro continues executing and builds a command string that installs the legitimate remote control software, NetSupport Manager.

Establishing persistence

Establishing persistence

The RAT binary is downloaded and installed onto a user’s machine with help from the ‘msiexec’ command in the Windows Installer service.

In anew report, the researchers at  Palo Alto Networks' Unit 42 explained that theMSIpayload installs without any warnings and adds a PowerShell script in the Windows temp folder. This is used for persistence and the script plays the role of a backup solution for installing NetSupport Manager.

Before the script continues its operations, it checks to see if anantivirusfrom either Avast or AVG is installed on the system. If this is the case, it stops running on the victim’s computer. If the script finds that these programs aren’t present on the machine, it adds the files needed b NetSupport Manager to a folder with a random name and also creates a registry key for the main executable named ‘presentationhost.exe’ for persistence.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Unit 42 first discovered the campaign at the beginning of January and the researchers tracked related activity back to November 2019 which shows that the campaign is part of a larger operation.

ViaBleepingComputer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)