Nov 2025: NORTON PASSWORD VAULT LURES

Norton PW Vault Red Flags

Threat Alert: NORTON PASSWORD VAULT LURES

  • Threat actors impersonated Norton security software to distribute remote monitoring and management (RMM) tools Syncro RMM and ScreenConnect via email.
  • Threat actors claimed Norton Password Vault had been breached and users needed to take swift action to prevent further compromise.
  • Impersonation of security vendors seeks to abuse end users’ trust in key security resources to socially engineer them into downloading malware.

How is it used in the wild?

  • Threat actors sent messages that impersonated the Norton security service and claimed that Norton Password Vault was hacked. A link in the message body prompted users to download a more secure version of the Norton desktop app.
  • The Norton lookalike URL led to a landing page that also abused the brand and prompted users to download the supposed new version of the app; the download instead delivered Syncro and ScreenConnect malware.
  • Abuse of Syncro and ScreenConnect RMM tools can lead to threat actors gaining remote access to users’ systems and enable follow-on malicious activity.

Key Action: Stay Alert!

  • Look closely at the headers and senders of suspicious or unsolicited emails.
  • Always check the authenticity of notifications from security vendors.
  • Do not download files from unsolicited emails or other unknown sources.
  • Report ANY suspicious emails via Phish Alarm.
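
The header, sender and link checks listed above, written as a triage script. This is an added example, not part of the original alert: it assumes norton.com is the vendor's genuine domain, and the sample message with its .example domains is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "norton"
TRUSTED = {"norton.com"}  # assumption: domains treated as genuine for this vendor

SAMPLE = """\
From: "Norton Security" <alerts@norton-vault-update.example>
Reply-To: support@helpdesk-mail.example
To: user@corp.example
Subject: Norton Password Vault breach - action required
Authentication-Results: mx.corp.example; spf=pass; dkim=none; dmarc=none

Your Norton Password Vault was hacked. Install the secure desktop app:
https://norton-secure-download.example/setup
"""

def under_trusted(host):
    # Exact match or true subdomain only, so norton.com.login.example fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def red_flags(raw):
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    if BRAND in name.lower() and not under_trusted(from_dom):
        flags.append("display name uses brand, sender domain does not: " + from_dom)
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        flags.append("Reply-To domain differs from From domain")
    # Only meaningful when this header was stamped by your own mail gateway.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        flags.append("no DMARC pass recorded")
    # Plain-text parts only; encoded parts would need decoding first.
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if BRAND in host and not under_trusted(host):
            flags.append("lookalike link host: " + host)
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```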