The sophisticated campaign gives attackers wide access under the guise of legitimate remote support software.

Hundreds of US employees have been targeted in a new email attack that uses accounting lures to distribute malicious documents that deploy a malicious remote access tool known as NetSupport RAT. The attackers use a combination of detection evasion techniques, including Office Object Linking and Embedding (OLE) template manipulation and injection, as well as Windows shortcut files with PowerShell code attached.

“NetSupport RAT is a spin-off of the legitimate NetSupport Manager, a remote technical support app, exemplifying how powerful IT tools can be misappropriated into malicious software,” researchers from security firm Perception Point said in their report. “Once installed on a victim’s endpoint, NetSupport can monitor behavior, capture keystrokes (keylogger), transfer files, commandeer system resources, and move to other devices within the network — all under the guise of a benign remote support software.”

A shift in phishing TTPs

The NetSupport RAT has been used in malicious email attacks before, but the new campaign, which researchers have dubbed PhantomBlu, employs tactics, techniques, and procedures (TTPs) that are more sophisticated than those seen in previous operations. The rogue emails impersonated an accounting service and were sent to hundreds of employees at various US-based organizations under the guise of monthly salary reports. The emails were sent through a legitimate email marketing service called Brevo to bypass spam filters and contained password-protected .docx documents. When opening the documents, users were prompted to enter the password included in the email message and were then shown a message inside the document saying the contents cannot be displayed because the document is protected.
There are also visual branding elements of the impersonated accounting service and a printer icon that users are instructed to click on after enabling editing mode on the document. The printer icon is a button that uses the OLE feature of Microsoft Word to launch an external .zip file that is supposed to be a document template. OLE allows Office documents to embed references and links to external documents or objects.

“With this step PhantomBlu’s campaign leverages a TTP called OLE template manipulation (Defense Evasion – T1221), exploiting document templates to execute malicious code without detection,” the researchers said. “This advanced technique bypasses traditional security measures by hiding the payload outside the document, only executing upon user interaction.”

The .zip archive contains a shortcut (LNK) file which in turn contains obfuscated PowerShell code. The PowerShell code reaches out to an attacker-controlled server to download a second .zip archive that contains a file called Client32.exe, which is the NetSupport RAT client. The server will only deliver the .zip archive if the request comes from a specific user agent that the PowerShell script sets. After downloading the archive, extracting its contents, and executing the file inside, the script also creates a registry key to ensure persistence for the RAT.

“By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection (T1221), PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments,” the researchers said.
“Historically, such campaigns have relied more directly on executable files and simpler phishing techniques, which showcases PhantomBlu’s innovation in blending sophisticated evasion tactics with social engineering.”

The Perception Point report includes both MITRE TTPs and indicators of compromise such as file hashes and URLs associated with this malicious campaign, which can be used to create detection signatures.
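Hash- and URL-based indicators age quickly, so the more durable detections for the chain described above are behavioural: Word spawning PowerShell, the NetSupport client running from a user-writable directory, and a Run key written by PowerShell. The script below is an added example written for this article, not code from the report or from any vendor; it applies those three rules to constructed endpoint events using Sysmon-style field names (process_create, registry_set) that are an assumption, not a specific product's schema. Paths, PIDs, SIDs and the command line are made up, and the encoded PowerShell argument is a placeholder.

```python
"""Behavioural rules for the Word -> PowerShell -> NetSupport -> Run-key chain.

Added example with constructed telemetry; field names are assumed, not a
particular product's schema.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads)\\", re.IGNORECASE)

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD_PATH = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed events following the chain the article describes, plus one
# benign NetSupport Manager start from its normal install location.
EVENTS = [
    {"type": "process_create", "pid": 4100, "image": WORD_PATH,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "WINWORD.EXE /n salary_report.docx"},
    {"type": "process_create", "pid": 4212, "image": PS_PATH,
     "parent_image": WORD_PATH,
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc <PLACEHOLDER>"},
    {"type": "process_create", "pid": 4300,
     "image": r"C:\Users\jdoe\AppData\Roaming\rt\client32.exe",
     "parent_image": PS_PATH, "cmdline": "client32.exe"},
    {"type": "registry_set", "pid": 4212, "image": PS_PATH,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\rt",
     "details": r"C:\Users\jdoe\AppData\Roaming\rt\client32.exe"},
    {"type": "process_create", "pid": 5000,
     "image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "client32.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Return (rule_name, pid) for every event that matches a rule."""
    alerts = []
    for ev in events:
        image = basename(ev["image"])
        if ev["type"] == "process_create":
            parent = basename(ev["parent_image"])
            # Rule 1: an Office application launching PowerShell.
            if image in POWERSHELL and parent in OFFICE_PARENTS:
                alerts.append(("office_spawns_powershell", ev["pid"]))
            # Rule 2: the NetSupport client binary outside Program Files.
            if image == "client32.exe" and USER_WRITABLE.search(ev["image"]):
                alerts.append(("netsupport_client_user_path", ev["pid"]))
        elif ev["type"] == "registry_set":
            # Rule 3: a Run key written by PowerShell, or one whose value
            # points into a user-writable directory.
            value = ev.get("details", "")
            if RUN_KEY.search(ev["target"]) and (
                    image in POWERSHELL or USER_WRITABLE.search(value)):
                alerts.append(("run_key_set_by_powershell_or_user_path", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print("ALERT %-40s pid=%d" % (rule, pid))
```

Each rule fires on its own, which is deliberate: the first alone already fires at the LNK stage before any download, while the third catches persistence even when the earlier stages were missed. The benign services.exe start of client32.exe from its normal install directory matches none of them.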