The legitimate remote access tool (RAT) called NetSupport Manager, used for troubleshooting and tech support, is being converted into a malicious weapon by cybercriminals. Researchers at Palo Alto Networks’ Unit 42 division have spotted a spam campaign attempting to deliver a malicious Microsoft Word document that uses the disguise of a NortonLifeLock-protected file.
NortonLifeLock is a security utility for password-protecting attachments, among other things. If a recipient opens the document via Microsoft Office Outlook, a prompt appears that asks users to “enable content” to open the document – clicking “yes” executes macros.
“To the user, the document appears to contain personal information that requires a password to view,” said researchers, in a recent analysis. “Once the document is opened and the user clicks ‘Enable Content,’ the macro is executed and the user is presented with a password dialog box.”
Researchers added that the password is likely provided in the body of the phishing email, because it has to be correct; no malicious activity occurs until the correct key is entered. Once the key is accepted, the macros create and execute a batch file called alpaca.bat.
“The macro obfuscates all strings using multiple labels on Visual Basic for Applications (VBA) forms, which contain two characters that are eventually linked together to construct the final command to download and execute the RAT on the victim,” according to Unit 42. “The command string is executed via the VBA shell function, which [creates and executes alpaca.bat].”
The campaign uses a range of tactics to obfuscate its activity from both dynamic and static analysis, according to researchers. For instance, the batch script uses msiexec, which is a legitimate part of the Windows Installer service. It’s used to download and install a Microsoft Intermediate Language (MSIL) binary from a legitimate domain, which has been compromised. Once downloaded, the binary will execute using the /q parameter to suppress any Windows dialogs from the user.
The campaign also uses the PowerShell PowerSploit framework to carry out the installation of the malicious file activity. The MSI installs a PowerShell script in the victim’s %temp% directory named REgistryMPZMZQYVXO.ps1. This contains another PowerShell script that is responsible for installing the NetSupport Manager RAT onto the victim’s machine.
“The PowerShell script appears to have been generated using the open-source script Out-EncryptedScript.ps1 from the PowerSploit framework,” according to the analysis. “It contains a blob of data that is obfuscated via base64 and is TripleDES encrypted with a cipher mode of Cipher Block Chain (CBC).”
The RAT installer PowerShell script interestingly aborts installation if Avast or AVG Antivirus Software is running on the target machine. If not, it installs 12 files that make up the NetSupport Manager RAT to a random directory and sets up persistence by creating the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
“Once the main NetSupport Manager executable (presentationhost.exe) is started, it beacons to the domain geo.netsupportsoftware[.]com to retrieve geolocation of the host followed by an HTTP POST,” the researchers wrote.
Researchers said that the campaign is likely part of a larger offensive that dates back to early November, with email subject lines reusing themes associated with refunds, as well as transaction and order inquiries. The attached documents contain the target company’s name.
“Malicious use of the NetSupport Manager remote access tool has also been reported by both FireEye and Zscaler researchers,” researchers concluded. “While this activity appears to be broad and at large scale, there are indications, such as the document name, that show the actor’s attempt to provide a stronger relationship to the target in an attempt to increase the success rate.”