New phishing campaign targets US organizations with NetSupport RAT

Hundreds of US employees have been targeted in a new email attack that uses accounting lures to distribute malicious documents that deploy a malicious remote access tool known as NetSupport RAT. The attackers use a combination of detection evasion techniques including Office Object Linking and Embedding (OLE) template manipulation and injection as well as Windows shortcut files with PowerShell code attached.

“NetSupport RAT is a spin-off of the legitimate NetSupport Manager, a remote technical support app, exemplifying how powerful IT tools can be misappropriated into malicious software,” researchers from security firm Perception Point said in their report. “Once installed on a victim’s endpoint, NetSupport can monitor behavior, capture keystrokes (keylogger), transfer files, commandeer system resources, and move to other devices within the network — all under the guise of a benign remote support software.”

A shift in phishing TTPs

The NetSupport RAT has been used in malicious email attacks before, but the new campaign, which researchers have dubbed PhantomBlu, employs tactics, techniques, and procedures (TTPs) that are more sophisticated than those seen in previous operations. The rogue emails impersonated an accounting service and were sent to hundreds of employees at various US-based organizations under the guise of monthly salary reports. The emails were sent through a legitimate email marketing service called Brevo to bypass spam filters and contained password-protected .docx documents.

When users opened the documents, they were prompted to enter the password included in the email message and were then shown a message inside the document saying the contents cannot be displayed because the document is protected. The document also carries visual branding elements of the impersonated accounting service and a printer icon that users are instructed to click after enabling editing mode. The printer icon is a button that uses the OLE feature of Microsoft Word to launch an external .zip file that is supposed to be a document template. OLE allows Office documents to embed references and links to external documents or objects.

“With this step PhantomBlu’s campaign leverages a TTP called OLE template manipulation (Defense Evasion – T1221), exploiting document templates to execute malicious code without detection,” the researchers said. “This advanced technique bypasses traditional security measures by hiding the payload outside the document, only executing upon user interaction.”

The .zip archive contains a shortcut (LNK) file which in turn contains obfuscated PowerShell code. The PowerShell code reaches out to an attacker-controlled server to download a second .zip archive that contains a file called Client32.exe, which is the NetSupport RAT client. The server will only deliver the .zip archive if the request comes from a specific user agent that the PowerShell script sets. After downloading the archive, extracting its contents, and executing the file inside, the script also creates a registry key to ensure persistence for the RAT.
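The stage described above, a .zip "template" whose LNK entry carries PowerShell, is the point where a mail gateway or sandbox can cheaply triage the attachment before any code runs. The following is an added example, not code from Perception Point or from the report: it opens a ZIP in memory, picks out entries that are Windows shortcuts (by extension or by the 0x4C Shell Link header), and scans each one for PowerShell launcher strings in both encodings an LNK uses for its string fields (ANSI and UTF-16LE). The indicator list and the sample archive are constructed for the demonstration; the fake shortcut is a stand-in (header plus strings), not a structurally valid LNK, which is enough because the scan is byte-level rather than a full parser.

```python
"""Triage helper: flag ZIP archives carrying an LNK that launches PowerShell.

Added example for this article; constructed fixture, not the campaign's files.
"""
import io
import zipfile

# Shell Link files (MS-SHLLINK) begin with a 4-byte HeaderSize of 0x4C.
LNK_MAGIC = b"\x4c\x00\x00\x00"

# Substrings that, inside a shortcut's command line, point at a PowerShell
# launcher or a download cradle. Matched case-insensitively. Assumed list,
# extend it from your own telemetry.
PS_INDICATORS = (
    "powershell",
    "-encodedcommand",
    "-windowstyle hidden",
    "-executionpolicy bypass",
    "downloadfile",
    "downloadstring",
    "invoke-webrequest",
    "net.webclient",
)


def text_views(data: bytes) -> list[str]:
    """Return the payload as lowercase text under the two encodings an LNK
    uses for its string fields: plain ANSI and UTF-16LE (IsUnicode flag set).
    Decoding as UTF-16LE collapses "p\\x00o\\x00w..." into "pow...", so a
    byte-level search for ASCII needles still works on wide strings."""
    ansi = data.decode("latin-1").lower()
    wide = data.decode("utf-16-le", errors="ignore").lower()
    return [ansi, wide]


def scan_lnk_bytes(data: bytes) -> list[str]:
    """Indicators found in one shortcut payload (empty list = nothing seen)."""
    hits: list[str] = []
    for view in text_views(data):
        for needle in PS_INDICATORS:
            if needle in view and needle not in hits:
                hits.append(needle)
    return hits


def scan_zip(archive: bytes) -> list[dict]:
    """Flag every LNK entry in a ZIP whose bytes carry PowerShell indicators."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
                body = head + fh.read()
            # Trust neither the extension nor the header alone: an attacker
            # can rename the file, so either signal makes it a candidate.
            is_lnk = info.filename.lower().endswith(".lnk") or head == LNK_MAGIC
            if not is_lnk:
                continue
            hits = scan_lnk_bytes(body)
            if hits:
                findings.append({"entry": info.filename, "indicators": hits})
    return findings


def build_sample_archive() -> bytes:
    """Constructed fixture: a ZIP holding a decoy document and a shortcut whose
    UTF-16LE argument string launches PowerShell with a placeholder payload."""
    args = "powershell.exe -WindowStyle Hidden -EncodedCommand UGxhY2Vob2xkZXI="
    fake_lnk = LNK_MAGIC + b"\x00" * 72 + args.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Template.docx", b"PK\x03\x04 decoy placeholder")
        zf.writestr("Template.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_archive()):
        print(f"{finding['entry']}: {', '.join(finding['indicators'])}")
```

The UTF-16LE view matters in practice: a shortcut's command-line arguments are normally stored as wide strings, so a scanner that only greps the raw bytes for "powershell" misses them. Heavily obfuscated launchers may still avoid every string here, so treat a hit as a reason to detonate or block, and a miss as inconclusive rather than clean; pair this with the file hashes and URLs published in the report.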

“By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection (T1221), PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments,” the researchers said. “Historically, such campaigns have relied more directly on executable files and simpler phishing techniques, which showcases PhantomBlu’s innovation in blending sophisticated evasion tactics with social engineering.”

The Perception Point report includes both MITRE ATT&CK technique IDs and indicators of compromise, such as file hashes and URLs associated with this malicious campaign, which can be used to create detection signatures.
