Attackers behind a recent phishing campaign used a fake Norton LifeLock document in order to trick victims into installing a Remote Access Trojan (RAT) on their systems.
The infection starts with a Microsoft Word document containing malicious macros. However, to get users to enable macros, which are disabled by default, the threat actor behind the campaign used a fake password-protected Norton LifeLock document.
Victims are asked to enable macros and enter the password provided in the phishing email containing the document in order to access it. Palo Alto Network block 42, which opened the campaign, also found that the password dialog box is only upper or lower case letters 'C'. If the password is incorrect, the malicious activity will not continue.
- Shark Tank Knot Falls Victim of Phishing Attack
- Malicious files are unsubscribed by email security products
- Microsoft discovers a new evil, malware attack corp
If the user does not enter the correct password, the macro continues execution and builds a command line that installs the legitimate remote control software, Program Manager.
The binary rat is downloaded and installed on the user's computer using the 'msiexec' command in the Windows Installer service.
В new report, researchers at Palo Alto Networks Unit 42 explained that MSI payload installs without any warning and adds a PowerShell script to the Windows Temp folder. This is used to save and the script plays the role of a backup solution for installing the manager program.
Before the script continues its run, it checks to see if the antivirus is either Avast or AVG installed on the system. If so, then it stops working on the victim's computer. If the script detects that these programs are not present on the computer, it adds the files required by netsupport manager to a folder with a random name, and also creates a registry key for presentationhost.exe, the main executable named "for persistence."
Unit 42 first opened the campaign in early January and scientists have been tracking a link since November 2019 that shows this campaign is part of a larger operation.
- Keep your devices protected by the best antivirus software