INSUBCONTINENT EXCLUSIVE:
The cybercriminals behind a recent phishing campaign used a fake Norton LifeLock document in order to trick victims into installing a remote
access trojan (RAT) on their systems.The infection begins with a Microsoft Word document that contains malicious macros
However, to get users to enable macros, which are disabled by default, the threat actor behind the campaign used a fake password-protected
Norton LifeLock document.Victims are asked to enable macros and type in a password, provided in the phishing email containing the document,
Palo Alto Networks' Unit 42, which discovered the campaign, also found that the password dialog box accepts only a upper or lowercase letter
If the password is incorrect, the malicious action does not continue.If the user does input the correct password, the macro continues
executing and builds a command string that installs the legitimate remote control software, NetSupport Manager.The RAT binary is downloaded
and installed onto a user's machine with help from the 'msiexec' command in the Windows Installer service.In a new report, the researchers
This is used for persistence and the script plays the role of a backup solution for installing NetSupport Manager.Before the script
continues its operations, it checks to see if an antivirus from either Avast or AVG is installed on the system
If this is the case, it stops running on the victim's computer
If the script finds that these programs aren't present on the machine, it adds the files needed b NetSupport Manager to a folder with a
random name and also creates a registry key for the main executable named 'presentationhost.exe' for persistence.Unit 42 first discovered
the campaign at the beginning of January and the researchers tracked related activity back to November 2019 which shows that the campaign is
part of a larger operation.Via BleepingComputer
