
Office 365 NetSupport RAT Exploitation: The Evolution of Cyber Threats

Phishing campaign "Operation PhantomBlu" uses new tricks to deliver NetSupport RAT malware via Microsoft Office documents.


Perception Point, an Israeli cybersecurity firm, has unveiled a sophisticated phishing campaign aimed at United States organizations, deploying a notorious remote access trojan (RAT) known as NetSupport RAT. The operation, dubbed “Operation PhantomBlu,” represents a significant shift in the method of delivering the malware, employing a nuanced exploitation technique that diverges from the traditional deployment mechanisms associated with NetSupport RAT. According to Ariel Davidpur, a security researcher at Perception Point, the attackers manipulate OLE (Object Linking and Embedding) templates in Microsoft Office documents, using template injection to execute malicious code while evading detection.

Understanding NetSupport RAT and Its Deployment

NetSupport RAT is a malicious variant of the legitimate remote desktop tool, NetSupport Manager. This malware allows attackers to perform a wide array of data-gathering activities on infected endpoints. The infection process begins with a phishing email, disguised as a communication from the accounting department, urging recipients to open an attached Microsoft Word document purportedly containing their monthly salary report. Upon opening the document, victims are prompted to enter a password provided in the email and to enable editing, which leads to the execution of a Windows shortcut file acting as a PowerShell dropper. This dropper then retrieves and executes the NetSupport RAT binary from a remote server.

Innovative Techniques and Evasion Tactics

Davidpur highlights the innovative approach taken by Operation PhantomBlu, stating, “By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments”. This updated technique showcases the operation’s innovation in blending sophisticated evasion tactics with social engineering. Furthermore, the campaign utilizes cloud services such as IBM Cloud, Dropbox, Oracle Cloud Storage, GitHub, and Web 3.0 data-hosting platforms based on the InterPlanetary File System protocol to generate FUD (fully undetectable) URLs. These URLs, secured behind antibot barriers, are distributed through phishing kits available on Telegram for a subscription fee, making them undetectable to traditional security measures.
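As an added illustration of the delivery chain described above (this is example code written for this article, not code from Perception Point's report): a small Python triage check for a Word attachment that flags a remote attachedTemplate relationship (the standard OOXML form of template injection) and any embedded object files, and that reports when the file is still an encrypted OLE container, which is why the lure e-mail has to ship a password. The sample URL, file names and the extension list are assumptions constructed for the demo, not indicators from the campaign.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound-file header: encrypted OOXML or legacy .doc
# Embedded-object extensions worth a look (assumed list, not indicators from the report)
SUSPICIOUS_EMBED = re.compile(r"^word/embeddings/.*\.(lnk|bin|exe|vbs|js|ps1)$", re.I)


def scan_docx(data: bytes) -> list:
    """Return a list of findings for one document given as bytes."""
    if data[:8] == OLE_MAGIC:
        # A password-protected .docx is an OLE container wrapped around the real zip; it cannot
        # be inspected until decrypted, which is exactly why the lure e-mail supplies a password.
        return ["encrypted-or-legacy-ole-container"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-zip"]
    findings = []
    names = zf.namelist()
    rels = "word/_rels/settings.xml.rels"  # where an attachedTemplate relationship lives
    if rels in names:
        root = ET.fromstring(zf.read(rels))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == TEMPLATE_REL and rel.get("TargetMode") == "External":
                findings.append(f"remote-template:{rel.get('Target')}")
    findings.extend(f"embedded-object:{n}" for n in names if SUSPICIOUS_EMBED.search(n))
    return findings


def build_sample_docx(template_url, embed_name):
    """Constructed minimal .docx for testing; pass None to omit the remote template or the embed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = f'<Relationships xmlns="{REL_NS}">'
        if template_url:
            rels += (f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
                     f'Target="{template_url}" TargetMode="External"/>')
        zf.writestr("word/_rels/settings.xml.rels", rels + "</Relationships>")
        if embed_name:
            zf.writestr(f"word/embeddings/{embed_name}", b"L\x00\x00\x00")  # dummy bytes, not a real LNK
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample_docx("http://template.example/salary.dotm", "oleObject1.bin")))
```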

In light of these sophisticated phishing campaigns, it is crucial for individuals and organizations to exercise caution when dealing with unknown emails, especially those containing attachments. The blending of advanced technical evasion tactics with social engineering underscores the evolving nature of cyber threats and the need for continuous vigilance and updated security measures to protect sensitive information.

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.