A phishing campaign is using emails claiming to contain secure documents, plus a legitimate remote access tool in an attempt to gain access to networks.
Uncovered by security analysts at Palo Alto Networks' Unit 42 research division, the campaign appears to have started in January this year and uses a number of sneaky techniques to compromise chosen victims and gain remote access to systems.
Targets of this hacking campaign receive an email that encourages them to open a phoney password-protected document that claims to have been locked in order to secure personal information supposedly contained within. Many of the emails are themed around refunds, online transactions and other invoices.
Researchers believe the password is supplied in the phishing email itself, and that dressing the document in the branding of a real cybersecurity provider is intended to generate additional trust from the victim.
Unlocking the document enables macros, which execute the commands for the next stages of the attack; the chain ultimately uses PowerShell to install a remote access tool on the system, along with mechanisms to ensure it maintains persistence.
The tool installed is NetSupport Manager, a legitimate remote access product often used in IT support and remote collaboration, which in this case gives the attackers access to the PC.
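The chain described above (an Office document enabling macros, the macros spawning PowerShell, PowerShell dropping a remote access tool) is visible in process-creation telemetry, and that is where defenders can catch it regardless of whether the final binary is "legitimate". The following PowerShell is an added example, not code from Unit 42 or from this article. It assumes Sysmon Event ID 1 field names (ProcessId, ParentProcessId, Image, CommandLine), that NetSupport Manager's client runs as client32.exe (a detail not stated on this page), and a short list of PowerShell launcher flags commonly seen in macro droppers; the sample events are constructed for the demonstration.

```powershell
# Added example, not from the Unit 42 report or this article: flag the
# Office-macro -> PowerShell -> remote access tool process chain.
# The events below are constructed; in production, build the same objects from
# Sysmon Event ID 1 (or Security 4688) records, e.g. via Get-WinEvent.

$OfficeApps = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE')
# Assumption (not stated on this page): NetSupport Manager's client runs as client32.exe.
$RemoteAccessBinaries = @('client32.exe')
# Launcher flags typical of macro droppers; any one of them raises suspicion on its own.
$SuspiciousPsFlags = @('-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden', '-nop', '-exec bypass')

# Constructed sample events (field names follow Sysmon Event ID 1).
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2020-02-10 09:12:01'; ProcessId = 4120; ParentProcessId = 3988
                       Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = '"WINWORD.EXE" /n "C:\Users\alice\Downloads\Refund_Invoice.doc"' }
    [pscustomobject]@{ UtcTime = '2020-02-10 09:12:20'; ProcessId = 4412; ParentProcessId = 4120
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -NoP -W Hidden -Exec Bypass -Enc SQBFAFgAIAAo...' }
    [pscustomobject]@{ UtcTime = '2020-02-10 09:12:45'; ProcessId = 4620; ParentProcessId = 4412
                       Image = 'C:\Users\alice\AppData\Roaming\Drivers\client32.exe'
                       CommandLine = 'client32.exe' }
    # Benign PowerShell with a non-Office parent: must not be flagged.
    [pscustomobject]@{ UtcTime = '2020-02-10 09:30:00'; ProcessId = 5000; ParentProcessId = 1234
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1' }
)

# Platform-independent leaf name (works on pwsh on Linux too, unlike Split-Path).
function Get-Leaf([string]$Path) { ($Path -split '\\')[-1] }

function Find-MacroToRatChain {
    param([Parameter(Mandatory)][object[]]$Events)

    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }

    foreach ($e in $Events) {
        if ((Get-Leaf $e.Image) -notin 'powershell.exe', 'pwsh.exe') { continue }

        $parent = $byPid[[int]$e.ParentProcessId]
        if (-not $parent) { continue }
        if ($OfficeApps -notcontains (Get-Leaf $parent.Image)) { continue }

        # Stage 1 hit: an Office application spawned PowerShell.
        $cmd   = $e.CommandLine.ToLower()
        $flags = @($SuspiciousPsFlags | Where-Object { $cmd.Contains($_) })

        # Stage 2: did that PowerShell process launch a known RAT binary, or anything
        # from a user-writable location such as AppData, Temp or ProgramData?
        $children = @($Events | Where-Object { [int]$_.ParentProcessId -eq [int]$e.ProcessId })
        $rat = @($children | Where-Object {
            ($RemoteAccessBinaries -contains (Get-Leaf $_.Image)) -or
            ($_.Image -match '\\(AppData|Temp|ProgramData)\\')
        })

        [pscustomobject]@{
            Time       = $e.UtcTime
            Severity   = if ($rat.Count -gt 0) { 'High' } elseif ($flags.Count -gt 0) { 'Medium' } else { 'Low' }
            Parent     = Get-Leaf $parent.Image
            Document   = $parent.CommandLine
            PowerShell = $e.CommandLine
            Flags      = ($flags -join ' ')
            Payload    = (($rat | ForEach-Object { $_.Image }) -join '; ')
        }
    }
}

Find-MacroToRatChain -Events $SampleEvents | Format-List
```

Against the constructed sample this reports one High finding (WINWORD.EXE spawning a hidden, encoded PowerShell that in turn launches client32.exe from AppData) and ignores the scheduled backup script, because its parent is not an Office application. The point is that the rule keys on the relationship between processes, not on a signature for the final binary, which is exactly what an anti-virus product would struggle with here.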
What the attackers do with that access is not yet clear. It could simply be outright information theft, or it could be part of a longer-term plan in which the attackers monitor a compromised user's incoming and outgoing email to learn who they communicate with, then use further phishing from the compromised account to compromise additional users.
But while the tool is being used maliciously, its presence alone is unlikely to be flagged by anti-virus software, because NetSupport Manager is a legitimate product, although the attackers probably did not obtain it through legitimate channels. Spotting it therefore depends on context, such as a Word document spawning PowerShell, or the tool turning up on a machine where IT never installed it, rather than on the binary itself.
It's still unclear what the overall motivation for the campaign is, or its full extent. Because this particular campaign relies on macros, IT administrators can protect users from it by disabling macros by default, allowing only digitally signed macros where they are genuinely needed. Users should also be wary of unexpected emails from unknown contacts that claim to be urgent, as this can be a telltale sign of a phishing campaign.
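"Disable macros by default" maps to a handful of Office policy registry values, the same ones the Office Group Policy templates set. The PowerShell below is an added example, not part of the Unit 42 research or this article, showing how to enforce and audit that setting on a single host. It assumes Office 2016/2019/Microsoft 365 (version key 16.0) and writes per-user policy under HKCU; at scale the same values should be delivered via GPO or Intune rather than a script.

```powershell
# Added example, not from Unit 42 or this article: enforce and audit the Office
# macro policy that blocks the document-based first stage of this campaign.
# Assumes Office 2016/2019/365 (registry version key 16.0).

$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')

# Meaning of the VBAWarnings policy value:
#   1 = enable all macros, 2 = disable with notification (Office default),
#   3 = disable all except digitally signed, 4 = disable all without notification.
$VbaWarningsDisableAll = 4

function Set-OfficeMacroPolicy {
    param(
        [int]$VbaWarnings = $VbaWarningsDisableAll,
        [string]$Hive = 'HKCU:'    # use 'HKLM:' for a machine-wide policy (needs admin)
    )
    foreach ($app in $Apps) {
        $key = "$Hive\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # Disable macros outright (4); pass -VbaWarnings 3 if signed macros are needed.
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $VbaWarnings -Force | Out-Null

        # Block macros in files carrying the Mark of the Web, i.e. downloaded files
        # and email attachments, which is how the phishing document arrives.
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    param([string]$Hive = 'HKCU:')
    foreach ($app in $Apps) {
        $key   = "$Hive\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = if ($props) { $props.VBAWarnings } else { $null }
            BlockFromInternet = if ($props) { $props.blockcontentexecutionfrominternet } else { $null }
            # "Disabled" here means either outright (4) or signed-only (3).
            MacrosDisabled    = [bool]($props -and ($props.VBAWarnings -in 3, 4))
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Setting VBAWarnings to 4 also breaks any legitimate macro-based workflows, so organisations that depend on them should use 3 and sign their own macros; either value defeats a campaign that needs the user to click "Enable Content". Because these are Policies keys, users cannot override them from the Trust Center, which is the behaviour you want for a control aimed at social engineering.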