A new phishing campaign is targeting US organizations with the intent to deploy a remote access trojan called NetSupport RAT.
Israeli cybersecurity firm Perception Point is monitoring activity under this name Operation PhantomBlu.
“Operation PhantomBlu introduces a nuanced exploitation method, diverging from the typical NetSupport RAT deployment mechanism by leveraging manipulation of Object Linking and Embedding (OLE) templates, leveraging Microsoft Office document templates to execute malicious code while evading detection, ” said security researcher Ariel Davidpur.
NetSupport RAT is a malicious offshoot of a legitimate remote desktop tool known as NetSupport Manager, which allows threat actors to conduct a series of data collection actions on a compromised endpoint.
The starting point is a salary-themed phishing email that appears to come from the accounting department and invites recipients to open the attached Microsoft Word document to view the “monthly salary report.”
A deeper analysis of the email message headers, specifically the Return-Path and Message-ID fields, shows that the attackers use a legitimate email marketing platform called Brevo (formerly Sendinblue) to send the emails.
The Word document, upon opening, asks the victim to enter the password provided in the body of the email and enable editing, then double-click the printer icon embedded in the document to view the salary graph.
This opens a ZIP archive file (“Chart20072007.zip”) containing a Windows shortcut file, which works as a PowerShell dropper to retrieve and run a NetSupport RAT binary from a remote server.
“By using encrypted .doc files to deliver NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from conventional TTPs commonly associated with NetSupport RAT implementations,” Davidpur said, adding that the updated technique “showcases PhantomBlu’s innovation in combining sophisticated social engineering evasion tactics.”
Increasing abuse of popular cloud and CDN platforms
The development comes as Resecurity revealed that threat actors are increasingly abusing public cloud services such as Dropbox, GitHub, IBM Cloud and Oracle Cloud Storage, as well as InterPlanetary File System (IPFS) protocol-based Web 3.0 data hosting platforms such as Pinata. to generate completely undetectable (FUD) phishing URLs using phishing kits.
Such FUD links are offered on Telegram by underground providers such as BulletProofLink, FUDLINKSHOP, FUDSENDER, ONNX and XPLOITRVERIFIER for prices starting from $200 per month as part of a subscription model. These links are further protected behind anti-bot barriers to filter incoming traffic and evade detection.
Complementing these services are also tools like HeartSender that allow you to deploy generated FUD links at scale. The Telegram group associated with HeartSender has nearly 13,000 subscribers.
“FUD connections are the next step [phishing-as-a-service] and innovation in malware delivery,” the company said, noting that attackers are “repurposing high-reputation infrastructure for malicious use cases.”
“A recent malicious campaign, which leveraged Rhadamanthys Stealer to target the oil and gas sector, used an embedded URL that leveraged an open redirect on legitimate domains, primarily Google Maps and Google Images. This domain nesting technique makes malicious URLs less noticeable and more likely to trap victims.”