A malicious email campaign is targeting hundreds of Microsoft Office users in US-based organizations to deliver a remote access trojan that evades detection, partially by showing up as legitimate software.
Threat actors previously have used the RAT to footprint systems before delivering ransomware on them.
NetSupport RAT's Evasive OLE Delivery Method

The campaign represents a novel delivery method for NetSupport RAT via manipulation of Object Linking and Embedding (OLE) templates.
The printer image is actually an OLE package, a legitimate feature in Microsoft Windows that allows embedding and linking to documents and other objects.
Via OLE template manipulation, the threat actors abuse document templates to execute malicious code without detection, keeping the payload outside of the document itself.
The campaign is the first time this process has been used in an email to deliver NetSupport RAT, according to Perception Point.
Doc files to deliver the NetSupport RAT via OLE template and template injection, the PhantomBlu campaign departs from the conventional tactics, techniques, and procedures commonly associated with NetSupport RAT deployments.
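A defender-side check for the two artifacts the article describes, an OLE package embedded in a .docx and an attached-template relationship that points outside the document, as an added example that is not from the article or from Perception Point's research; the in-memory .docx samples and the template URL are constructed for illustration.

```python
import io
import re
import zipfile

# OOXML relationship type Word uses for a document's attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_RE = re.compile(r"<Relationship\b[^>]*>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def scan_docx(data: bytes) -> dict:
    """Return external template targets and embedded OLE parts found in a .docx."""
    findings = {"remote_templates": [], "ole_objects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Embedded OLE packages are stored as parts under word/embeddings/.
        findings["ole_objects"] = [n for n in names if n.startswith("word/embeddings/")]
        # Template injection rides on settings.xml.rels: an attachedTemplate
        # relationship whose TargetMode is External is fetched when the file opens.
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            xml = z.read(rels).decode("utf-8", "replace")
            for rel in REL_RE.findall(xml):
                attrs = dict(ATTR_RE.findall(rel))
                if (attrs.get("Type") == ATTACHED_TEMPLATE
                        and attrs.get("TargetMode") == "External"):
                    findings["remote_templates"].append(attrs.get("Target", ""))
    return findings

def is_suspicious(findings: dict) -> bool:
    """Either artifact alone is worth a second look in inbound mail."""
    return bool(findings["remote_templates"] or findings["ole_objects"])

def build_sample(remote: bool, ole: bool) -> bytes:
    """Constructed minimal .docx (not a real campaign sample) to exercise the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        target = "http://template.invalid/t.dotm" if remote else "t.dotm"  # placeholder host
        mode = ' TargetMode="External"' if remote else ""
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                   f'Target="{target}"{mode}/></Relationships>')
        if ole:
            z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()
```

Run `scan_docx` over attachments at the mail gateway and surface the returned target URL so analysts can compare it against the hostnames in the published indicator list.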
Hiding Behind Legitimacy

In their investigation of the campaign, the Perception Point researchers dissected the delivery method step by step, discovering that, like the RAT itself, the payload hides behind legitimacy in an effort to fly under the radar.
Brevo is a legitimate email delivery platform that offers services for marketing campaigns.
Avoiding Compromise

Since PhantomBlu uses email as its method to deliver malware, the usual techniques to avoid compromise - such as instructing and training employees on how to spot and report potentially malicious emails - apply.
As a general rule, people should never open email attachments unless they come from a trusted source or from someone they correspond with regularly, experts say.
Corporate users especially should report suspicious messages to IT administrators, as they may indicate signs of a malicious campaign.
To further assist admins in identifying PhantomBlu, Perception Point included a comprehensive list of TTPs, indicators of compromise, URLs and hostnames, and IP addresses associated with the campaign in its blog post.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 19 Mar 2024 14:55:10 +0000