Employees at US-based organizations are being targeted with emails delivering NetSupport RAT malware via “nuanced” exploitation and by using an advanced detection evasion method.
The malware campaign
The campaign, dubbed PhantomBlu, takes the form of email messages purportedly coming from a legitimate accounting service.
The attackers are leveraging a legitimate email delivery platform, “SendInBlue” or Brevo service, to evade detection.
The phishing emails prompts recipients to download an attached Office Word file (.docx) to view their “monthly salary report”.
The PhantomBlu phishing email. (Source: Perception Point)
After downloading the file, victims are instructed to enter the provided password, click “enable editing”, and then double-click a printer image to view the “salary graph.”
But the clickable printer image is actually an Object Linking and Embedding (OLE) package, which is a Microsoft Windows feature that allows data and object sharing between applications.
Clicking on the printer icon triggers OLE template manipulation and opens an archived .zip file containing a single LNK file: a PowerShell dropper that retrieves and executes a script, which contains – among other things – an executable for the NetSupport RAT and a registry key designed to assure its persistence.
“This advanced technique bypasses traditional security measures by hiding the payload outside the document, only executing upon user interaction,” Perception Point researchers noted.
The NetSupport RAT
The NetSupport RAT is based on the legitimate remote desktop tool NetSupport Manager. It’s commonly used by attackers to infiltrate systems to set the stage for future attacks.
“Once installed on a victim’s endpoint, NetSupport can monitor behavior, capture keystrokes (keylogger), transfer files, commandeer system resources, and move to other devices within the network – all under the guise of a benign remote support software,” the researchers said.
(Other?) attackers have previously been spotted exploiting a vulnerability (CVE-2023-36025) in the Windows SmartScreen anti-phishing and anti-malware component to deliver the NetSupport RAT.