A new phishing campaign is targeting U.S. organizations with the goal of deploying NetSupport RAT, a remote access trojan.
Perception Point, an Israeli cybersecurity firm, is monitoring this campaign, dubbed Operation PhantomBlu.
“Operation PhantomBlu employs a sophisticated exploitation technique, diverging from the usual method of delivering NetSupport RAT by utilizing OLE (Object Linking and Embedding) template manipulation, exploiting Microsoft Office document templates to execute malicious code while evading detection,” explained security analyst Ariel Davidpur.
NetSupport RAT, a malicious variant of the legitimate NetSupport Manager remote desktop tool, gives threat actors broad data-collection and remote-control capabilities on a compromised endpoint.
The campaign begins with a salary-themed phishing email, purportedly from the accounting department, urging recipients to open an attached Microsoft Word document to view the “monthly salary report.”
Closer inspection of the email’s message headers, notably the Return-Path and Message-ID fields, reveals that the attackers sent the messages through a legitimate email marketing platform, Brevo (formerly Sendinblue).
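The header check described above is easy to automate. The following is an added example, not code from the original article or from Perception Point: it parses a raw message, extracts the domain from the From, Return-Path and Message-ID headers, and reports the fields whose domain belongs to a different organization than the visible sender, which is the pattern that points at a third-party sending platform. The sample message and every domain in it are constructed placeholders.

```python
"""Compare the sender domains visible in an e-mail's headers.

Added example (not from the original article). It parses an RFC 5322
message, pulls the domain out of From, Return-Path and Message-ID, and
lists the fields whose domain does not belong to the visible sender's
organization, the signal that points at a relay or bulk-mail platform.
"""
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: a "salary report" lure whose visible From is the
# target's own domain while Return-Path and Message-ID belong to an
# unrelated bulk-mail relay. Placeholder domains, not real infrastructure.
SAMPLE_RAW = b"""\
Return-Path: <bounce-1234@mailer.example.net>
Message-ID: <20240301.abc123@mailer.example.net>
From: Accounting Department <accounting@victim-corp.example>
To: staff@victim-corp.example
Subject: Monthly salary report
Content-Type: text/plain

Please open the attached report. Password: 1234
"""


def _domain_of(value: str) -> str:
    """Return the lower-cased domain from 'Name <user@host>' or '<id@host>'."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def sender_domains(raw: bytes) -> dict:
    """Domains seen in the three headers that identify who really sent the mail."""
    msg = BytesParser().parsebytes(raw)
    return {
        "from": _domain_of(msg.get("From", "")),
        "return_path": _domain_of(msg.get("Return-Path", "")),
        "message_id": _domain_of(msg.get("Message-ID", "")),
    }


def _same_org(a: str, b: str) -> bool:
    """Treat a subdomain of the sender (bounce.victim-corp.example) as the same org."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def relay_mismatch(raw: bytes) -> list:
    """Header fields whose domain points at infrastructure other than the From domain."""
    d = sender_domains(raw)
    return [name for name in ("return_path", "message_id")
            if d[name] and not _same_org(d[name], d["from"])]


if __name__ == "__main__":
    print(sender_domains(SAMPLE_RAW))
    print("mismatched fields:", relay_mismatch(SAMPLE_RAW))
```

A mismatch is a triage signal, not a verdict: legitimate newsletters sent through a marketing platform show exactly the same pattern, so the result should feed a reputation lookup on the relay domain rather than block on its own.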
Upon opening the Word document, recipients are prompted to enter a password supplied in the email body and to enable editing. They are then told to double-click a printer icon embedded in the document to view the salary graph.
Doing so opens a ZIP archive (“Chart20072007.zip”) containing a Windows shortcut (.lnk) file that acts as a PowerShell dropper, fetching and executing a NetSupport RAT binary from a remote server.
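The two document-level techniques named in this chain, an embedded OLE object and template injection through a remote attached template, both leave traces inside the Office Open XML package. The following is an added example, not code from the original article or from Perception Point: it scans a .docx/.docm for embedded OLE objects under word/embeddings/ and for attachedTemplate relationships that point at an external URL. Because the lure document is password-protected, it arrives as an OLE compound file rather than a ZIP, so the scanner detects that case and reports that the file must be decrypted first. The sample document is constructed in memory with placeholder content.

```python
"""Scan a Word document for embedded OLE objects and remote template links.

Added example, not code from the original article or Perception Point.
Findings are returned as a dict so the caller can alert, quarantine or
feed them into further analysis.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Compound File Binary header: the container used by password-protected
# Office files (and by legacy .doc); also the format of most embedded
# word/embeddings/oleObjectN.bin blobs.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def _sniff(blob: bytes) -> str:
    """Cheap type identification of an embedded object by magic bytes."""
    if blob.startswith(OLE_MAGIC):
        return "ole-compound"
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob.startswith(b"\x4c\x00\x00\x00\x01\x14\x02\x00"):
        return "lnk"
    return "unknown"


def scan_word_document(data: bytes) -> dict:
    """Return findings for one document given its raw bytes."""
    findings = {"encrypted": False, "ole_objects": [], "remote_templates": []}
    if data.startswith(OLE_MAGIC):
        # Password-protected OOXML is wrapped in a compound file; the real
        # package is only reachable after decryption with the password from
        # the lure, so stop here and tell the analyst.
        findings["encrypted"] = True
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/embeddings/"):
                findings["ole_objects"].append((name, _sniff(zf.read(name))))
            elif name.endswith(".rels"):
                # Relationships of type attachedTemplate with an external
                # target are the template-injection indicator.
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if (rel.get("Type") == ATTACHED_TEMPLATE
                            and rel.get("TargetMode") == "External"):
                        findings["remote_templates"].append(rel.get("Target"))
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: one embedded OLE blob plus a remote template link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("word/document.xml",
                    "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 24)
        zf.writestr("word/_rels/settings.xml.rels",
                    f"<Relationships xmlns='{REL_NS}'>"
                    f"<Relationship Id='rId1' Type='{ATTACHED_TEMPLATE}' "
                    "Target='http://template.example.invalid/salary.dotm' "
                    "TargetMode='External'/></Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_word_document(build_sample_docx()))
    print(scan_word_document(OLE_MAGIC + b"\x00" * 504))
```

An embedded object by itself is not proof of malice; the combination seen here, a password-protected file, an embedded object the user must double-click, and a remote template, is what should raise the priority of the sample.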
“By leveraging encrypted .docs for delivering NetSupport RAT via OLE template and template injection, PhantomBlu deviates from the typical tactics associated with NetSupport RAT deployments,” noted Davidpur, highlighting that this updated approach “exemplifies PhantomBlu’s ingenuity in melding sophisticated evasion tactics with social engineering.”
Rising Exploitation of Cloud Platforms and Prominent CDNs
In a related development, Resecurity reported a surge in threat actors abusing public cloud services such as Dropbox, GitHub, IBM Cloud, and Oracle Cloud Storage, as well as Web 3.0 data-hosting platforms built on the InterPlanetary File System (IPFS) protocol, such as Pinata, to generate so-called fully undetectable (FUD) phishing URLs with readily available kits.
These FUD links are sold on Telegram by underground vendors such as BulletProofLink, FUDLINKSHOP, FUDSENDER, ONNX, and XPLOITRVERIFIER, with subscriptions starting at $200 per month. The links are placed behind antibot gates that filter incoming traffic so that scanners and researchers never reach the phishing page.
Complementing these services are tools like HeartSender, which handle mass distribution of the generated FUD links. The Telegram group affiliated with HeartSender has nearly 13,000 members.
“FUD Links represent the next evolution in phishing-as-a-service and malware deployment,” stated the company, underscoring that attackers are “reappropriating reputable infrastructure for malicious purposes.”
“One recent malicious campaign, utilizing the Rhadamanthys Stealer to target the oil and gas industry, employed an embedded URL exploiting an open redirect on legitimate domains, predominantly Google Maps and Google Images. This technique of domain nesting renders malicious URLs less conspicuous and increases the likelihood of ensnaring victims.”
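The nesting described in that quote, a legitimate domain's redirect parameter carrying the real destination, can be undone offline before any URL is visited. The following is an added example, not code from the original article or from Resecurity: it walks a URL's query string (and fragment) for values that are themselves absolute http(s) URLs and follows that nesting until the innermost destination is reached, without making network requests. Redirect parameter names are not hard-coded because redirectors differ, and the sample URLs use placeholder hosts; no claim is made about any specific Google endpoint.

```python
"""Unwrap redirector-nested URLs to find the real landing host.

Added example, not from the original article or Resecurity. Works purely
on the URL string, so it can run on mail-gateway logs without touching
attacker infrastructure. Sample URLs below are constructed.
"""
from urllib.parse import urlsplit, parse_qsl, unquote

SAMPLE_URL = ("https://redirector.example.com/url?q="
              "https%3A%2F%2Fshortener.example.net%2Fr%3Fu%3D"
              "https%253A%252F%252Fphish.example.invalid%252Flogin")


def _embedded_urls(url: str):
    """Yield absolute http(s) URLs carried inside url's query or fragment."""
    parts = urlsplit(url)
    # parse_qsl already percent-decodes the values once, which is exactly
    # one layer of nesting; deeper layers are handled by iterating.
    for _, value in parse_qsl(parts.query, keep_blank_values=False):
        if value.lower().startswith(("http://", "https://")):
            yield value
    frag = unquote(parts.fragment)
    if frag.lower().startswith(("http://", "https://")):
        yield frag


def unwrap_redirects(url: str, max_depth: int = 5) -> list:
    """Return the chain [outer, ..., innermost]; max_depth guards against loops."""
    chain = [url]
    while len(chain) <= max_depth:
        inner = next(_embedded_urls(chain[-1]), None)
        if inner is None or inner in chain:
            break
        chain.append(inner)
    return chain


def landing_host(url: str) -> str:
    """Host of the innermost URL, i.e. where the victim actually ends up."""
    return urlsplit(unwrap_redirects(url)[-1]).hostname or ""


def is_nested_redirect(url: str) -> bool:
    """True when the visible host and the final landing host differ."""
    chain = unwrap_redirects(url)
    return len(chain) > 1 and urlsplit(chain[0]).hostname != urlsplit(chain[-1]).hostname


if __name__ == "__main__":
    for hop in unwrap_redirects(SAMPLE_URL):
        print(hop)
    print("landing host:", landing_host(SAMPLE_URL))
```

Reputation checks should be applied to the landing host, not to the outer domain; the outer domain is chosen precisely because it is trusted. Redirectors that encode the destination in base64 or a lookup token rather than a plain URL will not unwrap this way and still need a sandboxed fetch.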