A malicious email campaign targets hundreds of Microsoft Office users in US-based organizations to deliver a remote access trojan (RAT) that evades detection, partly by posing as legitimate software.
In a campaign dubbed “PhantomBlu” by researchers at Perception Point, attackers impersonate an accounting service in emails inviting people to download a Microsoft Office Word file, presumably to view their “monthly salary report”. Targets receive step-by-step instructions to access the password-protected “report” file, which ultimately delivers the infamous NetSupport RAT, malware derived from NetSupport Manager, a legitimate and useful remote tech support tool. Threat actors have already used the RAT to monitor systems before deploying ransomware to them.
“Designed for stealthy surveillance and control, it turns remote administration into a platform for cyberattacks and data theft,” Ariel Davidpur, web security expert at Perception Point, revealed in a blog post published this week.
Once installed on a victim’s endpoint, NetSupport can monitor behavior, capture keystrokes, transfer files, take control of system resources, and move to other devices within the network, “all in the guise of a benign remote support software,” he wrote.
NetSupport RAT evasive OLE delivery method
The campaign represents a new delivery method for NetSupport RAT through the manipulation of Object Linking and Embedding (OLE) templates. This is a “nuanced exploitation method” that uses legitimate Microsoft Office document templates to execute malicious code while evading detection, Davidpur wrote.
If a user downloads the .docx file attached to campaign messages and uses the accompanying password to open it, the document content also instructs recipients to click “enable editing” and then click an image of a printer embedded in the document in order to view their “salary chart”.
The printer image is actually an OLE package, a legitimate feature of Microsoft Windows that allows embedding and linking to documents and other objects. “Its legitimate use allows users to create composite documents with elements from different programs,” Davidpur wrote.
Through manipulation of OLE templates, threat actors exploit document templates to execute malicious code undetected by hiding the payload outside of the document. According to Perception Point, the campaign is the first time this process has been used in an email for NetSupport RAT delivery.
“This advanced technique bypasses traditional security systems by hiding the malicious payload outside the document, performing only user interaction,” Davidpur explained.
In fact, by using encrypted .doc files to deliver NetSupport RAT via OLE template manipulation and template injection (CWE T1221), the PhantomBlu campaign departs from the conventional tactics, techniques and procedures (TTPs) commonly associated with NetSupport RAT distributions.
“Historically, such campaigns have relied more directly on executable files and simpler phishing techniques,” Davidpur wrote. The OLE method demonstrates the campaign’s innovation in blending “sophisticated evasion tactics with social engineering,” he wrote.
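Because a .docx is a zip archive of XML parts, the two indicators described above, an embedded OLE package posing as an image and a template pulled from outside the document, can be checked statically before a user ever clicks “enable editing”. The following Python is an added example, not Perception Point's or the article's code; it builds a constructed sample document (no real PhantomBlu artifact) and flags embedded OLE parts, `Package`-type OLE objects and external attached templates. The hostname `template.example.invalid` is a placeholder.

```python
import io
import re
import zipfile

ATTACHED_TEMPLATE = "relationships/attachedTemplate"  # Word's template relation type

def build_sample_docx() -> bytes:
    """Constructed sample: minimal OOXML parts, not a real PhantomBlu document."""
    settings_rels = (
        '<Relationships><Relationship Id="rId1" '
        f'Type="http://schemas.openxmlformats.org/officeDocument/2006/{ATTACHED_TEMPLATE}" '
        'Target="http://template.example.invalid/report.dotm" TargetMode="External"/>'
        "</Relationships>"
    )
    document_xml = (
        "<w:document><w:body><w:p><w:r><w:object>"
        '<o:OLEObject Type="Embed" ProgID="Package" r:id="rId5"/>'
        "</w:object></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        # OLE compound-file magic bytes followed by constructed filler bytes.
        z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()

def scan_docx(data: bytes) -> list:
    """Return findings for embedded OLE objects and external (injected) templates."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Any part under word/embeddings/ is an embedded OLE object or package.
        findings += [f"embedded OLE part: {n}" for n in names if n.startswith("word/embeddings/")]
        # ProgID="Package" marks an arbitrary embedded file, e.g. a 'printer' icon hiding a script.
        if "word/document.xml" in names:
            doc = z.read("word/document.xml").decode("utf-8", "replace")
            findings += [f"OLEObject ProgID={m}" for m in re.findall(r'<o:OLEObject[^>]*ProgID="([^"]+)"', doc)]
        # attachedTemplate with TargetMode="External" loads a template from outside the file (T1221).
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            xml = z.read(rels).decode("utf-8", "replace")
            for rel in re.findall(r"<Relationship[^>]*>", xml):
                if ATTACHED_TEMPLATE in rel and 'TargetMode="External"' in rel:
                    target = re.search(r'Target="([^"]+)"', rel)
                    findings.append(f"external template: {target.group(1) if target else '?'}")
    return findings
```

Running `scan_docx(build_sample_docx())` yields three findings; on a clean document with no embeddings and no external template the list is empty, which is the baseline a mail gateway rule would compare against.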
Hiding behind legitimacy
In their investigation of the campaign, Perception Point researchers analyzed the delivery method step by step, finding that, like the RAT itself, the payload hides behind legitimacy in an attempt to fly under the radar.
Specifically, Perception Point analyzed the return path and message ID of phishing emails, observing attackers’ use of the “SendInBlue” or Brevo service. Brevo is a legitimate email delivery platform that offers services for marketing campaigns.
“This choice highlights attackers’ preference for leveraging trusted services to mask their malicious intent,” Davidpur wrote.
Avoid compromise
Since PhantomBlu uses email as a method to distribute malware, the usual techniques to avoid compromise apply, such as instructing and training employees on how to spot and report potentially malicious emails.
As a general rule, people should never click on email attachments unless they come from a trusted source or someone with whom users correspond regularly, experts say. Furthermore, business users especially should report suspicious messages to IT administrators, as they may indicate signs of a malicious campaign.
To further assist administrators in identifying PhantomBlu, Perception Point has included in the blog post a comprehensive list of TTPs, indicators of compromise (IOCs), URLs, hostnames, and IP addresses associated with the campaign.