Attackers Utilising Weaponized MS Office Doc


Researchers from Perception Point identified a new malware campaign, PhantomBlu, that targets US organizations and uses novel techniques to deploy NetSupport RAT, a remote access trojan, by exploiting legitimate features of Microsoft Office document templates via OLE manipulation.

This technique allows the attackers to evade detection and gain control of victim machines for various malicious activities, including keylogging, file transfer, and lateral movement within the network.

Threat actors sent phishing emails with fake monthly salary reports, delivered through a legitimate email delivery platform to bypass detection, to entice workers into downloading malicious DOCX files.

Upon opening the DOCX file, users were instructed to enable editing and click an embedded OLE object disguised as a printer icon. 

[Figure: Targets are prompted to enter the password “1” and to click “Enable Editing.”]

Clicking the icon triggered OLE template manipulation (T1221) to download an archive containing a malicious LNK file. This is the first observed instance of T1221 being used to deliver NetSupport RAT.


Dissecting the Malware: From Lure to Control

Forensic analysis of a LNK file revealed a PowerShell dropper fetching a heavily obfuscated script from a URL, which retrieved another URL, downloaded a ZIP file, and unpacked it to execute the NetSupport RAT. 

[Figure: Examining the link’s code]

The script also created a persistence mechanism by adding a registry key for autostart. Investigators bypassed user-agent gating on the secondary URL and confirmed the script’s functionality.

[Figure: Obfuscated PowerShell extracted from the URL]

The downloaded ZIP contained another PowerShell script that ultimately dropped and executed NetSupport RAT (Client32.exe), revealing its C2 server infrastructure.  

[Figure: The NetSupport RAT’s C2 servers]

According to Perception Point, PhantomBlu delivers NetSupport RAT using a novel method. Encrypted .docx files act as carriers, exploiting OLE template injection (T1221) to deliver the payload.

[Figure: PhantomBlu “Attack Tree” unpacked by Perception Point’s advanced detection engines]

It bypasses traditional security by hiding the malicious code within the template, requiring user interaction for execution. This marks a shift from past NetSupport RAT campaigns, which relied on basic phishing tactics and executable files.
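A triage check for the template-injection pattern described above, added here as an example and not taken from Perception Point or the original article: it lists external template and OLE relationship targets in a DOCX, and reports when the file is an encrypted container that has to be decrypted before it can be inspected. The watched relationship types, the `build_sample` helper and the `example.invalid` URL are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for hostile input, prefer defusedxml

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Assumption: relationship types worth flagging when they point off-document.
WATCHED = ("attachedTemplate", "oleObject", "frame", "subDocument")
MAX_PART = 1_000_000  # skip oversized .rels parts (zip-bomb guard)

def scan_docx(data: bytes) -> dict:
    """List external template/OLE relationship targets in an OOXML file."""
    if data.startswith(CFB_MAGIC):
        # Password-protected OOXML is wrapped in a compound file; the
        # relationships are unreadable until the package is decrypted.
        return {"status": "encrypted_or_legacy", "findings": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"status": "not_ooxml", "findings": []}
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            root = ET.fromstring(zf.read(info))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rtype in WATCHED:
                    findings.append((info.filename, rtype, rel.get("Target")))
    return {"status": "suspicious" if findings else "clean", "findings": findings}

def build_sample(rel_type: str, target: str, external: bool) -> bytes:
    """Constructed input: a minimal ZIP holding one relationships part."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{REL_BASE}{rel_type}" Target="{target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_docx(build_sample("attachedTemplate", "https://example.invalid/t.dotm", True)))
```

An `encrypted_or_legacy` result means the file could not be inspected, not that it is clean; route such attachments to decryption or sandbox analysis.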

The URLs include parameters, and some reference “.txt” files. The email message details mention “sendinblue.com” and “sender-sib.com” in the message ID and return path, respectively.

The indicators of compromise (IOCs) associated with the campaign include hashes for various file types (DOCX, ZIP, LNK, and EXE), along with suspicious URLs, hostnames, and IP addresses.
