Norton LifeLock phishing scam infects victims with remote access trojan

(Image credit: Shutterstock)

The cybercriminals behind a recent phishing campaign used a fake Norton LifeLock document in order to trick victims into installing a remote access trojan (RAT) on their systems.

The infection begins with a Microsoft Word document that contains malicious macros. However, to get users to enable macros, which are disabled by default, the threat actor behind the campaign used a fake password-protected Norton LifeLock document.

Victims are asked to enable macros and type in a password, provided in the phishing email containing the document, to gain access to it. Palo Alto Networks' Unit 42, which discovered the campaign, also found that the password dialog box accepts only a upper or lowercase letter 'C'. If the password is incorrect, the malicious action does not continue.

Shark Tank host falls victim to phishing scam
Malicious files evading email security products
Microsoft detects new Evil Corp malware attacks

If the user does input the correct password, the macro continues executing and builds a command string that installs the legitimate remote control software, NetSupport Manager.

Establishing persistence

The RAT binary is downloaded and installed onto a user's machine with help from the 'msiexec' command in the Windows Installer service.

In a new report, the researchers at Palo Alto Networks' Unit 42 explained that the MSI payload installs without any warnings and adds a PowerShell script in the Windows temp folder. This is used for persistence and the script plays the role of a backup solution for installing NetSupport Manager.

Before the script continues its operations, it checks to see if an antivirus from either Avast or AVG is installed on the system. If this is the case, it stops running on the victim's computer. If the script finds that these programs aren't present on the machine, it adds the files needed b NetSupport Manager to a folder with a random name and also creates a registry key for the main executable named 'presentationhost.exe' for persistence.

Unit 42 first discovered the campaign at the beginning of January and the researchers tracked related activity back to November 2019 which shows that the campaign is part of a larger operation.

Keep your devices protected with the best antivirus software
Stay safe when working at home with the best remote access VPN

Via BleepingComputer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.