June 18, 2024

Tishamarie online

Specialists in technology

Norton LifeLock phishing scam infects victims with remote access trojan

The cybercriminals driving a latest phishing marketing campaign made use of a pretend Norton LifeLock document in buy to trick victims into installing a distant entry trojan (RAT) on their methods.

The infection commences with a Microsoft Word document that contains destructive macros. Having said that, to get customers to permit macros, which are disabled by default, the risk actor driving the marketing campaign made use of a pretend password-shielded Norton LifeLock document.

Victims are asked to permit macros and type in a password, delivered in the phishing e mail made up of the document, to obtain entry to it. Palo Alto Networks’ Device forty two, which uncovered the marketing campaign, also located that the password dialog box accepts only a higher or lowercase letter ‘C’. If the password is incorrect, the destructive motion does not proceed.

If the person does enter the appropriate password, the macro continues executing and builds a command string that installs the legit distant management program, NetSupport Supervisor.

Establishing persistence

The RAT binary is downloaded and installed on to a user’s device with help from the ‘msiexec’ command in the Home windows Installer services.

In a new report, the researchers at ┬áPalo Alto Networks’ Device forty two defined that the MSI payload installs devoid of any warnings and adds a PowerShell script in the Home windows temp folder. This is made use of for persistence and the script performs the position of a backup remedy for installing NetSupport Supervisor.

In advance of the script continues its operations, it checks to see if an antivirus from possibly Avast or AVG is installed on the procedure. If this is the circumstance, it stops functioning on the victim’s computer system. If the script finds that these plans aren’t existing on the device, it adds the data files required b NetSupport Supervisor to a folder with a random title and also results in a registry important for the major executable named ‘presentationhost.exe’ for persistence.

Device forty two initial uncovered the marketing campaign at the commencing of January and the researchers tracked relevant action again to November 2019 which demonstrates that the marketing campaign is component of a much larger procedure.

By way of BleepingComputer