Skip to content Skip to footer

Sophisticated PhantomBlu Phishing Campaign Targets US Organizations with NetSupport RAT

A new highly advanced campaign, “PhantomBlu, ” is currently targeting organizations in the United States. The main goal of this operation is to deploy a remote access (RAT) called NetSupport RAT capable of performing various data-gathering actions on a compromised endpoint. This campaign is unique in that it deviates from the typical delivery mechanism of NetSupport RAT and utilizes a sophisticated method of exploitation. Israeli company Perception Point has identified this technique as OLE (Object Linking and Embedding) template manipulation, which exploits Office document templates and executes malicious code, all while evading detection.

According to security researcher Ariel Davidpur, the attackers use encrypted .doc files to deliver the NetSupport RAT via OLE template and template injection. This is a departure from the typical tactics used in NetSupport RAT deployments and showcases the innovation of the PhantomBlu operation as it combines sophisticated evasion tactics with social engineering. The campaign begins with a email that appears to be from the accounting department, urging recipients to open an attached Word document to view a “monthly salary report.” However, a closer examination of the email headers reveals that the attackers use a legitimate email marketing platform called Brevo (formerly Sendinblue) to send emails.

Upon opening the Word document, the victim is prompted to enter a password provided in the email and enable editing. They are then instructed to double-click on a printer icon embedded in the document to view a salary graph. This action triggers opening a ZIP archive file (“Chart20072007.zip”) containing a shortcut file that serves as a PowerShell dropper. This dropper retrieves and executes a NetSupport RAT binary from a remote server.

In addition to this new campaign, Resecurity has revealed that threat actors are increasingly abusing public cloud services and Web 3.0 data- platforms to generate fully undetectable phishing URLs using off-the-shelf kits. Underground vendors offer these FUD (fully undetectable) links on Telegram for prices starting at $200 per month. These links are secured behind antibot barriers to filter incoming traffic and evade detection. Tools like HeartSender are also used to distribute these FUD links at scale.

This growing trend of using cloud platforms and popular CDNs for phishing attacks highlights the need for organizations to stay vigilant and implement robust security measures to protect against these threats. With innovative techniques and tools, threat actors constantly find new ways to evade detection and compromise sensitive data. Therefore, organizations must stay informed and proactively defend against these attacks.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

- Dade: What is it with this guy?
- Phreak: His parents missed Woodstock, and he's been making up for it since.
Dade & Phreak

Deitasoft © 2024. All Rights Reserved.