A sophisticated phishing campaign has emerged, aiming to infiltrate US organizations by deploying the NetSupport RAT under the guise of legitimate remote support software. According to reports from security firm Perception Point, hundreds of US employees have fallen victim to this new email attack, which employs accounting-themed lures to distribute malicious documents.
The attackers behind the campaign utilize various detection evasion techniques, including Office Object Linking and Embedding (OLE) template manipulation, as well as Windows shortcut files with attached PowerShell code. By leveraging these tactics, they aim to disguise the deployment of the NetSupport RAT, a derivative of the legitimate NetSupport Manager remote technical support application.
Once installed on a victim's endpoint, the NetSupport RAT can carry out various malicious activities, including monitoring behaviour, capturing keystrokes, transferring files, hijacking system resources, and moving laterally within the network. These actions are executed under the guise of benign remote support software, making detection more challenging.
Dubbed PhantomBlu by researchers, this campaign represents a shift in phishing tactics, employing more sophisticated techniques than seen in previous operations. The rogue emails impersonate an accounting service and are distributed to employees across various US-based organizations, masquerading as monthly salary reports.
To evade detection, the emails are sent through a legitimate email marketing service called Brevo, bypassing spam filters. The malicious documents are password-protected .docx files, prompting users to input the password provided in the email. Upon opening the document, users are presented with a message indicating that the contents cannot be displayed due to protection measures.
Further instructions within the document prompt users to click on a printer icon, which launches an external .zip file using the OLE feature of Microsoft Word. This file contains a shortcut (LNK) file with obfuscated PowerShell code. Upon execution, the PowerShell code downloads a second .zip archive from an attacker-controlled server, containing the NetSupport RAT client.
Notably, the server delivers the archive only if the request originates from a specific user-agent set by the PowerShell script. Once downloaded and executed, the script ensures persistence for the RAT by creating a registry key.
This campaign marks a departure from conventional phishing techniques associated with NetSupport RAT deployments, demonstrating the attackers' innovation in blending sophisticated evasion tactics with social engineering. The Perception Point report includes indicators of compromise and MITRE Tactics, Techniques, and Procedures (TTPs) associated with the campaign, aiding in detection and mitigation efforts.
