In January 2020, Palo Alto Networks identified a malicious Microsoft Word document, disguised as a password-protected NortonLifelock document, being used in a phishing campaign to deliver a commercially available remote access tool (RAT) called NetSupport Manager. Using a fictitious NortonLifelock document to entice the user to enable macros makes this particular attack interesting.
This RAT is typically used for legitimate purposes, allowing administrators remote access to client computers. However, malicious operators are installing the RAT on victims’ systems to gain unauthorized access. The use of the NetSupport Manager RAT for unauthorized access has been observed in phishing campaigns since at least 2018.
During an initial review of the detection, which was flagged by the Cortex XDR Engine, it was observed that the causality chain began when a Microsoft Word document was opened from within Microsoft Office Outlook. While the actual email is not available, the researchers were able to conclude that this activity appears to be part of a larger campaign.
This activity employs techniques to evade both dynamic and static analysis and uses the PowerShell PowerSploit framework to carry out the installation of the malicious file. Through additional analysis, it was linked to related activity dating back to early November 2019.