Norton LifeLock phishing scam infects victims with remote access trojan

News
By last updated

Hackers employed a clever trick to get users to enable macros in a malicious Word document

(Image credit: Shutterstock)

The cybercriminals behind a recent phishing campaign used a fake Norton LifeLock document in order to trick victims into installing a remote access trojan (RAT) on their systems.

The infection begins with a Microsoft Word document that contains malicious macros. However, to get users to enable macros, which are disabled by default, the threat actor behind the campaign used a fake password-protected Norton LifeLock document.

Victims are asked to enable macros and type in a password, provided in the phishing email containing the document, to gain access to it. Palo Alto Networks' Unit 42, which discovered the campaign, also found that the password dialog box accepts only a upper or lowercase letter 'C'. If the password is incorrect, the malicious action does not continue.

If the user does input the correct password, the macro continues executing and builds a command string that installs the legitimate remote control software, NetSupport Manager.

Establishing persistence

The RAT binary is downloaded and installed onto a user's machine with help from the 'msiexec' command in the Windows Installer service.

In a new report, the researchers at  Palo Alto Networks' Unit 42 explained that the MSI payload installs without any warnings and adds a PowerShell script in the Windows temp folder. This is used for persistence and the script plays the role of a backup solution for installing NetSupport Manager.

Before the script continues its operations, it checks to see if an antivirus from either Avast or AVG is installed on the system. If this is the case, it stops running on the victim's computer. If the script finds that these programs aren't present on the machine, it adds the files needed b NetSupport Manager to a folder with a random name and also creates a registry key for the main executable named 'presentationhost.exe' for persistence.

Unit 42 first discovered the campaign at the beginning of January and the researchers tracked related activity back to November 2019 which shows that the campaign is part of a larger operation.

Via BleepingComputer

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
More about security
Money

Financial leaders still rely on regular tools like Excel for automation tasks over AI
Half man, half AI.

Generative AI has a long way to go as siloed data and abuse of its capacity remain a downside – but it does change the game for security teams
Anker Charger 140W, 4-Port, PD 3.1 on block against pink background

This powerful phone charger has been making faces at me, but I kinda love it
See more latest
Most Popular
HAMR
Seagate reportedly sold two billion GBs worth of storage to two of the world's largest tech companies
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
Oracle
Bluehost owner is moving to Oracle Cloud, so could thousands of websites be about to migrate?
Money
Financial leaders still rely on regular tools like Excel for automation tasks over AI
Two examples of the Asus Fragrance Mouse MD101 sitting on a table
Your next computer mouse could have a fragrance compartment for aromatherapy oils – and this Asus idea is nothing to sniff at
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
Eizo FlexScan FLT
Behold the world's most power-efficient monitor — the EIZO FlexScan FLT