NetSupport Manager RAT Spread via Bogus NortonLifeLock Docs
2020-03-02 21:59

If a recipient opens the document via Microsoft Office Outlook, a prompt appears that asks users to "Enable content" to open the document - clicking "Yes" executes macros.

This contains another PowerShell script that is responsible for installing the NetSupport Manager RAT onto the victim's machine.

If not, it installs 12 files that make up the NetSupport Manager RAT to a random directory and sets up persistence by creating the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

"Once the main NetSupport Manager executable is started, it beacons to the domain geo.netsupportsoftware[.]com to retrieve geolocation of the host followed by an HTTP POST," the researchers wrote.

"Malicious use of the NetSupport Manager remote access tool has also been reported by both FireEye and Zscaler researchers," researchers concluded.
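The beacon sequence the researchers describe (a request to the geolocation domain followed by an HTTP POST) can be hunted for in web proxy logs. The sketch below is an added example, not code from the article or the researchers; the log format, the 60-second window, the sample lines and every host other than the geolocation domain are constructed assumptions.

```python
from datetime import datetime, timedelta

# Geolocation domain named in the article (written defanged there).
GEO_DOMAIN = "geo.netsupportsoftware.com"

# Constructed sample log. Assumed format: ISO time, client IP, method, host, path.
SAMPLE_LOG = """\
2020-03-02T10:00:01 10.0.0.5 GET www.example.org /index.html
2020-03-02T10:00:07 10.0.0.8 GET geo.netsupportsoftware.com /constructed-path
2020-03-02T10:00:09 10.0.0.8 POST rat-gateway.example /constructed-path
2020-03-02T10:00:10 10.0.0.9 POST upload.example /form
garbage line
2020-03-02T10:05:00 10.0.0.7 GET GEO.NETSUPPORTSOFTWARE.COM. /constructed-path
2020-03-02T10:09:00 10.0.0.7 POST intranet.example /timesheet
"""

def parse(line):
    """Return (time, client, method, host) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, host, _path = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    # Normalise case and a trailing dot so host comparison is exact.
    return when, src, method.upper(), host.lower().rstrip(".")

def find_beacons(lines, window=timedelta(seconds=60)):
    """Flag clients that POST shortly after looking up the geolocation domain.

    Assumes the log is in time order. Returns (client, post_host, post_time).
    """
    last_geo = {}  # client IP -> time of its most recent geolocation request
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        when, src, method, host = rec
        if host == GEO_DOMAIN:
            last_geo[src] = when
        elif method == "POST" and src in last_geo:
            if timedelta(0) <= when - last_geo[src] <= window:
                hits.append((src, host, when.isoformat()))
                del last_geo[src]  # one alert per geolocation lookup
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit is a lead rather than a verdict: compare the flagged client against the hosts where NetSupport Manager is an approved tool, and check its Run key for an unexpected entry.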


News URL

https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/