PhantomBlu: A New Phishing Campaign Targeting US Organizations with NetSupport RAT
A recent phishing campaign has emerged, targeting hundreds of employees within US organizations, employing sophisticated tactics to infiltrate systems under the guise of legitimate remote support software. The attackers behind this campaign utilize accounting-themed emails to distribute malicious documents containing the NetSupport Remote Access Tool (RAT), posing a significant threat to cybersecurity.
According to a report by security firm Perception Point, the campaign, dubbed PhantomBlu, employs advanced techniques to evade detection, including Office Object Linking and Embedding (OLE) template manipulation and injection, alongside the use of Windows shortcut files with embedded PowerShell code.
NetSupport RAT, a derivative of the legitimate NetSupport Manager, serves as a potent instrument for cybercriminals once installed on a victim's device. Capable of monitoring behavior, capturing keystrokes, transferring files, and commandeering system resources, this malicious software operates stealthily under the guise of benign remote support software.
PhantomBlu marks a departure from conventional phishing tactics associated with NetSupport RAT deployments, incorporating encrypted .docx files to deliver the malware via OLE template manipulation and template injection. By leveraging sophisticated evasion tactics alongside social engineering, the campaign demonstrates a significant innovation in cybercrime strategies.
The rogue emails impersonate an accounting service, targeting employees across various US-based organizations with the promise of monthly salary reports. Utilizing legitimate email marketing services to bypass spam filters, the emails contain password-protected .docx attachments, prompting recipients to input provided passwords.
Upon opening the documents, users are met with a message stating that the contents cannot be displayed due to document protection. The document's branding and a clickable printer icon reinforce the illusion of authenticity, and the message urges users to enable editing mode and interact with the document. Clicking the icon, however, triggers the execution of malicious code embedded within the document, initiating the download and installation of the NetSupport RAT client.
The researchers at Perception Point have identified the campaign's Tactics, Techniques, and Procedures (TTPs), including OLE template manipulation and PowerShell-based delivery methods. They have also provided indicators of compromise, such as file hashes and URLs associated with the malicious campaign, facilitating the creation of detection signatures to mitigate its impact.
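One detection check a defender can run on inbound Word attachments, written here as an added example rather than anything from the Perception Point report: the template-injection pattern relies on an `attachedTemplate` relationship inside the .docx package that points outside the package (typically over HTTP). The scanner below opens the Open XML zip, flags any such external template target, and separately reports when the attachment is an encrypted (password-protected) Office container that cannot be inspected until the password from the lure is supplied. The package builder only constructs a minimal test input; the URL in it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Magic bytes of an OLE Compound File. A password-protected .docx is stored in
# this container with the real package encrypted inside, so it cannot be
# inspected for template relationships without the password.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = "attachedTemplate"

def scan_docx(data: bytes) -> dict:
    """Return {'encrypted': bool, 'external_templates': [target, ...]}."""
    result = {"encrypted": False, "external_templates": []}
    if data.startswith(OLE_MAGIC):
        # Encrypted document: cannot be scanned further without the password.
        result["encrypted"] = True
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # The attachedTemplate relationship lives in a .rels part
        # (normally word/_rels/settings.xml.rels); check every .rels file.
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                # A template fetched from outside the package is the injection pattern.
                if rel_type.endswith("/" + TEMPLATE_REL) and (
                    rel.get("TargetMode") == "External"
                    or target.lower().startswith(("http://", "https://"))
                ):
                    result["external_templates"].append(target)
    return result

def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx with a remote attachedTemplate (test input only)."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        f'officeDocument/2006/relationships/{TEMPLATE_REL}" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

An attachment that is both password-protected and reaches a user only after a lure supplies the password matches the campaign's delivery pattern and is worth routing to sandbox detonation rather than passing on the strength of a clean static scan.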
As organizations continue to grapple with evolving cyber threats, awareness of sophisticated phishing tactics like PhantomBlu is crucial to bolstering cybersecurity defenses and safeguarding sensitive data against malicious actors.