Rewterz Threat Alert – Novel Phishing Campaign Utilizes Sophisticated Tactic to Deploy NetSupport RAT via Microsoft Office – Active IOCs

Severity

High

Analysis Summary

A new phishing campaign aims to propagate the remote access trojan NetSupport RAT using an advanced Microsoft Office trick to target U.S. entities. Cybersecurity researchers are tracking it by the moniker ‘Operation PhantomBlu’.

By utilizing OLE (Object Linking and Embedding) template modification, the PhantomBlu operation presents a sophisticated exploitation technique that deviates from the standard NetSupport RAT delivery mechanism. This technique utilizes Microsoft Office document templates to execute malicious code covertly to avoid detection. A malicious branch of the legitimate remote desktop program NetSupport Manager, known as NetSupport RAT, gives threat actors the ability to acquire data on a compromised device in various ways.

The initial step is a phishing email with a salary theme that appears to be from the accounting department and requests that recipients open the Microsoft Word document that is attached to view the “monthly salary report.” A more thorough examination of the email message headers, in particular the Return-Path and Message-ID fields, reveals that the attackers send the emails using Brevo (previously Sendinblue), a reputable email marketing platform.

When the Word document is opened, the victim is prompted to authorize editing and input a password found in the email body. After that, they must double-click an embedded printer button in the document to see the salary graph. By doing this, a ZIP archive file named “Chart20072007.zip” is opened. Inside is a Windows shortcut file that may be used as a PowerShell dropper to get and run a NetSupport RAT binary from a remote server.

The cybersecurity analysts said, “By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments.”

The development coincides with the revelation that threat actors are increasingly abusing Web 3.0 data-hosting platforms based on the InterPlanetary File System (IPFS) protocol, such as Pinata, and public cloud services like Dropbox, GitHub, IBM Cloud, and Oracle Cloud Storage to create fully undetectable (FUD) phishing URLs using readily available kits. Underground sellers are selling such FUD links on Telegram as part of a subscription plan for as little as $200 per month. To prevent detection, these URLs are additionally protected by antibot walls that filter incoming traffic.

Impact

• Code Execution
• Data Theft

Indicators of Compromise

Domain Name

• yourownmart.com

MD5

• 46f680c51592c5a61143008b00733254
• a2b46c59f6e7e395d479b09464ecdba0

SHA-256

• 94499196a62341b4f1cd10f3e1ba6003d0c4db66c1eb0d1b7e66b7eb4f2b67b6
• 89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1

SHA-1

• a71850038ac0f6b945a9fe6f1363009acc7079f5
• 92c132307dd21189b6d7912ddd934b50e50d1ec1

URL

• http://yourownmart.com/solar.txt
• http://firstieragency.com/depbrndksokkkdkxoqnazneifidmyyjdpji.txt

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
• Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.
• Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities a threat actor may have exploited. Also, prioritize patching known exploited vulnerabilities and zero-days.