Researchers have discovered a new phishing campaign in the wild that targets users with a RAT. Briefly, this phishing campaign delivers NetSupport Manager RAT via malicious Word files.
Phishing Campaign Delivering NetSupport Manager RAT
Reportedly, researchers from Palo Alto Networks’ Unit 42 division have uncovered a malicious phishing campaign delivering the NetSupport Manager RAT.
Elaborating on their findings in a blog post, the researchers stated that the hackers seemingly try to steal information from the victim machines through this RAT. They may also use the remote access they achieve via this tool for other malicious activities.
This RAT is typically used for legitimate purposes allowing administrators remote access to client computers. However, malicious operators are installing the RAT to victim’s systems allowing them to gain unauthorized access.
Briefly, the attack begins via phishing emails bearing a Word file as an attachment. The researchers noted an attachment named ‘NortonLifeLock’. This is a password-protected file that lures the user to open the document. The password for opening the file is probably contained in the email that delivers the attachment.
Upon enabling macros, a dialog box appears asking for the password. Entering the password then triggers malicious code execution which leads to the deployment of NetSupport Manager RAT. Following its installation, the attacker gains complete access to the target system.
What’s unique with this campaign is that no malicious activity begins unless the victim enters the correct password to unlock the file.
Technical details about the phishing attack are available in the researchers’ post.
Other measures to prevent becoming a victim to this campaign include disabling macros by default. As always, users must refrain from opening any attachments in any emails unless sure about the sender’s legitimacy. Organizations should also focus on training their employees regarding phishing attacks and cybersecurity.
Let us know your thoughts in the comments.