New Phishing Attack Employs Sophisticated Microsoft Office Trick to Deploy NetSupport RAT
A recent phishing campaign targeting U.S. organizations has unveiled a novel approach to deploying malware, utilizing a clever Microsoft Office trick to distribute the NetSupport Remote Access Trojan (RAT). Dubbed Operation PhantomBlu by cybersecurity firm Perception Point, this sophisticated attack leverages innovative techniques to evade detection and compromise unsuspecting victims.
The Intricate Exploitation Method
According to Ariel Davidpur, a security researcher at Perception Point, the PhantomBlu operation deviates from the delivery methods conventionally associated with NetSupport RAT. Instead of relying on the usual vectors, the attackers use a more nuanced method centered on Object Linking and Embedding (OLE) template manipulation within Microsoft Office documents. The attachment itself carries no exploit: it abuses a legitimate Office feature, the document's template reference, so that the malicious code is pulled in and executed when the document is opened rather than sitting inside the file where attachment scanners would look for it. That is what lets the attack slip past traditional security controls.
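A concrete check a defender can run on a suspicious attachment, as an added example that is not code from Perception Point or from the campaign's own tooling: it assumes the OLE template manipulation takes the common form of an `attachedTemplate` relationship in `word/_rels/settings.xml.rels` whose target is external (an http(s), file or UNC location) rather than a local template path. The sample documents, the `example.invalid` host and the UNC path are constructed here for illustration.

```python
"""Check a .docx for a remote attached-template reference.

Added example; not code from Perception Point or the PhantomBlu campaign.
Assumes the OLE template manipulation takes the form of an external
attachedTemplate relationship in the document's .rels parts. All sample
documents below are constructed in memory.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    "attachedTemplate"
)
# Targets that make Word fetch the template from somewhere else at open time.
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the Target of every attachedTemplate relationship marked External.

    A normal document either has no attachedTemplate relationship or points at
    a local .dotm (no TargetMode, or TargetMode="Internal"). An External target
    is the template-injection pattern.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode", "Internal") == "External":
                    found.append(rel.get("Target", ""))
    return found


def scan(docx_bytes: bytes) -> dict:
    """Classify a document.

    A password-protected Office file is not a ZIP at all but an OLE compound
    file wrapping an EncryptedPackage stream, so it must be decrypted (with the
    password from the lure) before the relationships can be inspected.
    """
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        return {"remote_templates": [], "suspicious": False,
                "note": "not an OOXML ZIP; likely password-encrypted, decrypt first"}
    targets = find_remote_templates(docx_bytes)
    suspicious = any(t.lower().startswith(REMOTE_PREFIXES) for t in targets)
    return {"remote_templates": targets, "suspicious": suspicious, "note": ""}


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (a constructed sample, not a real lure)."""
    rel = ""
    if template_target is not None:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_target}" TargetMode="External"/>')
    settings_rels = f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("remote template", build_sample_docx("https://example.invalid/salary.dotm")),
        ("UNC template", build_sample_docx("\\\\10.0.0.5\\share\\salary.dotm")),
        ("clean", build_sample_docx(None)),
        # First bytes of an OLE compound file, as a stand-in for an encrypted lure.
        ("encrypted-like", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 64),
    ]
    for label, doc in samples:
        print(label, scan(doc))
```

The check deliberately does not try to fetch or parse the remote template: the point is that the attachment can be clean by every static measure and still cause Word to load code from elsewhere, so the relationship target is the indicator to triage and block. The last sample illustrates the caveat that matters for this campaign: a password-protected document is an encrypted container, and until it is opened with the password from the email this check (and most gateway scanners) cannot see the relationship at all.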
NetSupport RAT: A Potent Tool for Threat Actors
NetSupport RAT, a malicious variant of the legitimate NetSupport Manager remote desktop tool, empowers threat actors to execute a wide range of malicious activities on compromised systems. From data exfiltration to remote control, this trojan provides attackers with a suite of capabilities to infiltrate and exploit targeted endpoints.
The Phishing Lure
The phishing campaign begins with deceptive emails themed around salary information, purportedly sent by the organization's accounting department. Recipients are urged to open an attached Microsoft Word document that promises a monthly salary report. Closer inspection of the email headers shows the messages were sent through a legitimate email marketing platform, Brevo (formerly Sendinblue), which masks the true sender and lets the mail ride on reputable sending infrastructure that reputation-based filters are inclined to trust.
The Malicious Payload
Upon opening the Word document, recipients are prompted to enter the password supplied in the email and then to enable editing. The password does double duty: it keeps the attachment encrypted, so mail gateways cannot inspect its contents, while giving the victim a plausible reason to follow the instructions. Following them triggers the malicious code tied to the document, which ultimately downloads and executes a NetSupport RAT binary from a remote server. The attackers further complicate detection by wrapping the payload in a ZIP archive, adding one more layer that scanners must unpack before they can see what is inside.
Evolving Tactics in Cybercrime
The emergence of Operation PhantomBlu underscores the evolving tactics employed by cybercriminals to bypass traditional security measures. In addition to sophisticated phishing campaigns, threat actors are increasingly leveraging public cloud services and content delivery networks (CDNs) to host and distribute malicious payloads. This shift towards utilizing reputable infrastructure for illicit purposes highlights the challenges faced by cybersecurity professionals in detecting and mitigating emerging threats.
Conclusion
As cyber threats continue to evolve in complexity and sophistication, organizations must remain vigilant against phishing attacks and other forms of malicious activity. By implementing robust security measures, including employee awareness training and advanced threat detection technologies, businesses can bolster their defenses and mitigate the risk posed by emerging cyber threats like Operation PhantomBlu.