Norton LifeLock phishing scam infects victims with remote access trojan

The cybercriminals behind a recent phishing campaign used a fake Norton LifeLock document in order to trick victims into installing a remote access trojan (RAT) on their systems.

The infection begins with a Microsoft Word document that contains malicious macros. However, to get users to enable macros, which are disabled by default, the threat actor behind the campaign used a fake password-protected Norton LifeLock document.

Victims are asked to enable macros and type in a password, provided in the phishing email containing the document, to gain access to it. Palo Alto Networks' Unit 42, which discovered the campaign, also found that the password dialog box accepts only a upper or lowercase letter 'C'. If the password is incorrect, the malicious action does not continue.

Shark Tank host falls victim to phishing scam
Malicious files evading email security products
Microsoft detects new Evil Corp malware attacks

If the user does input the correct password, the macro continues executing and builds a command string that installs the legitimate remote control software, NetSupport Manager.

Establishing persistence

The RAT binary is downloaded and installed onto a user's machine with help from the 'msiexec' command in the Windows Installer service.

In a new report, the researchers at Palo Alto Networks' Unit 42 explained that the MSI payload installs without any warnings and adds a PowerShell script in the Windows temp folder. This is used for persistence and the script plays the role of a backup solution for installing NetSupport Manager.

Before the script continues its operations, it checks to see if an antivirus from either Avast or AVG is installed on the system. If this is the case, it stops running on the victim's computer. If the script finds that these programs aren't present on the machine, it adds the files needed b NetSupport Manager to a folder with a random name and also creates a registry key for the main executable named 'presentationhost.exe' for persistence.

Unit 42 first discovered the campaign at the beginning of January and the researchers tracked related activity back to November 2019 which shows that the campaign is part of a larger operation.

Keep your devices protected with the best antivirus software

Via BleepingComputer

from TechRadar - All the latest technology news https://ift.tt/2T8948H

Airship acquires SMS commerce company ReplyBuy

Airship is announcing that it has acquired mobile commerce startup ReplyBuy . The startup (which was a finalist at TechCrunch’s 1st and Future competition in 2016) works with customers like entertainment venues and professional and college sports teams to send messages and sell tickets to fans via SMS. It raised $4 million in funding from Sand Hill Angels, Kosinski Ventures, SEAG Ventures, Enspire Capital, MRTNZ Ventures and others, according to Crunchbase . Airship, meanwhile, has been expanding its platform beyond push notifications to cover customer communication across SMS, email, mobile wallets and more. But CEO Brett Caine said this is the first time the company is moving into commerce. While sports and concerts tickets might not be a booming market right now, Caine suggested that the company is actually seeing increased purchasing activity “in and around the Airship platform” as businesses try to drive more in-app purchases. He also suggested that both the COVID-19 pandem...

Technology Simplified

Search This Blog