Norton LifeLock phishing scam infects victims with remote access trojan


Norton LifeLock phishing scam infects victims with remote access trojan

(Image credit: Shutterstock)

Hackers employed a clever trick to get users to enable macros in a malicious Word document.

The cybercriminals behind a recent phishing campaign used a fake Norton LifeLock document in order to trick victims into installing a remote access trojan (RAT) on their systems.

The infection begins with a Microsoft Word document that contains malicious macros. However, to get users to enable macros, which are disabled by default, the threat actor behind the campaign used a fake password-protected Norton LifeLock document.

Victims are asked to enable macros and type in a password, provided in the phishing email containing the document, to gain access to it. Palo Alto Networks’ Unit 42, which discovered the campaign, also found that the password dialog box accepts only a upper or lowercase letter ‘C’. If the password is incorrect, the malicious action does not continue.

If the user does input the correct password, the macro continues executing and builds a command string that installs the legitimate remote control software, NetSupport Manager.

Establishing persistence

The RAT binary is downloaded and installed onto a user’s machine with help from the ‘msiexec’ command in the Windows Installer service.

In a new report, the researchers at  Palo Alto Networks’ Unit 42 explained that the MSI payload installs without any warnings and adds a PowerShell script in the Windows temp folder. This is used for persistence and the script plays the role of a backup solution for installing NetSupport Manager.

Before the script continues its operations, it checks to see if an antivirus from either Avast or AVG is installed on the system. If this is the case, it stops running on the victim’s computer. If the script finds that these programs aren’t present on the machine, it adds the files needed b NetSupport Manager to a folder with a random name and also creates a registry key for the main executable named ‘presentationhost.exe’ for persistence.

Unit 42 first discovered the campaign at the beginning of January and the researchers tracked related activity back to November 2019 which shows that the campaign is part of a larger operation.

Keep your devices updated with the very best anti-virus software.


We’re Urban Network, we can help save your Business.

We specialise in managed IT & technology services to help businesses across London & the wider-South East, from our base in Wapping, East London.

Urban Network has a proven track record, with extensive experience and a full portfolio of industry accreditations & certifications.

Among our range of skills, we have a specialism in boosting Security. Ensuring we aid our clients with employing the best & most appropriate practices, procedures and tools to increase efficiency in the workplace.

If you have any concerns or challenges with your technology generally, we would like to hear from you. Please contact the team today.


News Source: