Researchers at Perception Point have discovered a new malware campaign dubbed PhantomBlu, which targets US organizations. The campaign utilizes innovative methods to deploy the NetSupport RAT (Remote Access Trojan) by exploiting legitimate features of Microsoft Office document templates through OLE manipulation.
This tactic enables attackers to bypass detection and take control of victim machines for nefarious purposes such as keylogging, file transfer, and lateral movement within the network.
Operation PhantomBlu
Threat actors distributed phishing emails containing fabricated monthly salary reports to lure employees into downloading malicious DOCX files. These files utilized a legitimate email delivery platform to evade detection.
Upon opening the DOCX file, users were prompted to enable editing and click on an embedded OLE object disguised as a printer icon.
Upon clicking the icon, OLE template manipulation (T1221) was initiated, leading to the download of an archive containing a malicious LNK file. This marks the first observed instance of T1221 being utilized to deliver NetSupport RAT.
A forensic analysis of the LNK file uncovered a PowerShell dropper fetching a heavily obfuscated script from a URL. This script then retrieved another URL, downloaded a ZIP file, and unpacked it to execute the NetSupport RAT.
The script also established persistence by adding an autostart registry key, bypassed the user-agent gating placed on the secondary URL, and verified that it had run successfully.
The ZIP file contained another PowerShell script that dropped and executed NetSupport RAT (Client32.exe), revealing its command-and-control (C2) server infrastructure.
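The delivery document described above combines two structural traits that a defender can check for without opening the file in Word: a template relationship whose target is remote (the T1221 template injection step) and an embedded OLE object (the fake printer icon). The scanner below is an added example, not code from Perception Point or from the report; it parses a DOCX as the OOXML zip package it is, inspects every .rels part for an external "attachedTemplate" relationship pointing at a URL or UNC path, and lists any parts under word/embeddings/. The minimal document it builds for demonstration is constructed here (with a placeholder template URL), not a PhantomBlu sample.

```python
"""Static triage of a DOCX for remote template injection and embedded OLE objects.
Added example (not from the original report). The sample document built by
build_sample_docx() is constructed for demonstration only.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# OOXML relationship namespaces and the relationship types we care about.
PKG_REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL_NS + "/attachedTemplate"

# A local Normal.dotm is a common, legitimate attached template, so only
# targets that resolve over the network (http/https or a UNC path) are flagged.
REMOTE_TARGET_RE = re.compile(r"(?i)^(https?://|\\\\)")


@dataclass
class DocxFindings:
    remote_templates: list = field(default_factory=list)  # (rels part, target)
    embedded_ole: list = field(default_factory=list)      # zip member names

    @property
    def suspicious(self) -> bool:
        return bool(self.remote_templates or self.embedded_ole)


def scan_docx(data: bytes) -> DocxFindings:
    """Inspect the zip package without rendering the document."""
    findings = DocxFindings()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Embedded OLE objects are stored as parts under word/embeddings/.
        findings.embedded_ole = [n for n in names if n.startswith("word/embeddings/")]
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and REMOTE_TARGET_RE.match(target)):
                    findings.remote_templates.append((name, target))
    return findings


def scan_docx_file(path: str) -> DocxFindings:
    with open(path, "rb") as fh:
        return scan_docx(fh.read())


CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    "</Types>"
)


def build_sample_docx(template_target=None, with_ole=False) -> bytes:
    """Constructed minimal DOCX: just enough of the package for the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        )
        rels = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
        ]
        if template_target:
            rels.append(
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
            )
        rels.append("</Relationships>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_ole:
            # Placeholder OLE compound-file header (D0 CF 11 E0) followed by padding.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://template.invalid/t.dotm", with_ole=True)
    print(scan_docx(sample))
```

Run scan_docx_file() over quarantined attachments; a remote attachedTemplate alone is enough to hold a document for review, and an embedded OLE object next to it matches the pattern described in this campaign.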
Perception Point reports that PhantomBlu delivers NetSupport RAT via a novel method using encrypted .doc files as carriers, exploiting OLE template injection (T1221) to deliver the payload.
It bypasses traditional security controls by embedding the malicious code within the template and requiring user interaction for execution, a shift from past NetSupport RAT campaigns that relied on basic phishing tactics and executable files. The Indicators of Compromise (IOCs) below list hashes for each file type in the chain (DOCX, ZIP, LNK, and EXE) alongside the URLs, hostnames, and IP addresses involved.
IOCs
Hashes (SHA-256)
Email – 16e6dfd67d5049ffedb8c55bee6ad80fc0283757bc60d4f12c56675b1da5bf61
Docx – 1abf56bc5fbf84805ed0fbf28e7f986c7bb2833972793252f3e358b13b638bb1
Injected ZIP – 95898c9abce738ca53e44290f4d4aa4e8486398de3163e3482f510633d50ee6c
LNK file – d07323226c7be1a38ffd8716bc7d77bdb226b81fd6ccd493c55b2711014c0188
Final ZIP – 94499196a62341b4f1cd10f3e1ba6003d0c4db66c1eb0d1b7e66b7eb4f2b67b6
Client32.exe – 89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1
URLs and Hostnames
yourownmart[.]com/solar[.]txt
firstieragency[.]com/depbrndksokkkdkxoqnazneifidmyyjdpji[.]txt
yourownmart[.]com
firstieragency[.]com
parabmasale[.]com
tapouttv28[.]com
IP Addresses
192[.]236[.]192[.]48
173[.]252[.]167[.]50
199[.]188[.]205[.]15
46[.]105[.]141[.]54
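The indicators above are published defanged ("[.]"), so before they can be matched against telemetry they have to be refanged and indexed by type. The script below is an added example, not from the report: it carries the hashes, URLs, hostnames and IPs exactly as listed, refangs them, and matches them against log lines. The log lines are constructed for demonstration, and hostnames are matched as exact domains or subdomains so that a lookup for a subdomain of a listed domain is still caught.

```python
"""Match the PhantomBlu IOCs listed above against log lines.
Added example; indicator values are copied from the IOC list, the log lines
are constructed and are not real telemetry.
"""
import re

# SHA-256 hashes as published, keyed to the artifact they identify.
IOC_HASHES = {
    "16e6dfd67d5049ffedb8c55bee6ad80fc0283757bc60d4f12c56675b1da5bf61": "Email",
    "1abf56bc5fbf84805ed0fbf28e7f986c7bb2833972793252f3e358b13b638bb1": "Docx",
    "95898c9abce738ca53e44290f4d4aa4e8486398de3163e3482f510633d50ee6c": "Injected ZIP",
    "d07323226c7be1a38ffd8716bc7d77bdb226b81fd6ccd493c55b2711014c0188": "LNK file",
    "94499196a62341b4f1cd10f3e1ba6003d0c4db66c1eb0d1b7e66b7eb4f2b67b6": "Final ZIP",
    "89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1": "Client32.exe",
}
IOC_URLS = [
    "yourownmart[.]com/solar[.]txt",
    "firstieragency[.]com/depbrndksokkkdkxoqnazneifidmyyjdpji[.]txt",
]
IOC_HOSTS = ["yourownmart[.]com", "firstieragency[.]com", "parabmasale[.]com", "tapouttv28[.]com"]
IOC_IPS = ["192[.]236[.]192[.]48", "173[.]252[.]167[.]50", "199[.]188[.]205[.]15", "46[.]105[.]141[.]54"]

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(indicator: str) -> str:
    """Undo the defanging conventions used in published IOC lists."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def build_ioc_index() -> dict:
    return {
        "hash": {h.lower(): label for h, label in IOC_HASHES.items()},
        "url": {refang(u) for u in IOC_URLS},
        "host": {refang(h) for h in IOC_HOSTS},
        "ip": {refang(i) for i in IOC_IPS},
    }


def match_line(line: str, index: dict) -> list:
    """Return (type, indicator) pairs found in one log line."""
    text = line.lower()
    hits = []
    for h in HASH_RE.findall(text):
        if h in index["hash"]:
            hits.append(("hash", h))
    for url in index["url"]:
        if url in text:
            hits.append(("url", url))
    for host in HOST_RE.findall(text):
        # Exact listed domain or any subdomain of it.
        for ioc in index["host"]:
            if host == ioc or host.endswith("." + ioc):
                hits.append(("host", ioc))
                break
    for ip in IPV4_RE.findall(text):
        if ip in index["ip"]:
            hits.append(("ip", ip))
    return hits


def scan_logs(lines, index: dict) -> list:
    """(line number, hits) for every line that matched at least one IOC."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line, index)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample lines in the shape of proxy, DNS, firewall and EDR events.
SAMPLE_LOGS = [
    "proxy GET http://yourownmart.com/solar.txt ua=Mozilla/5.0",
    "dns query firstieragency.com A",
    "fw allow dst=192.236.192.48:443",
    "edr file_created client32.exe sha256=89F0C8F170FE9EA28B1056517160E92E2D7D4E8AA81F4ED696932230413A6CE1",
    "proxy GET https://example.com/index.html ua=Mozilla/5.0",
]

if __name__ == "__main__":
    for lineno, hits in scan_logs(SAMPLE_LOGS, build_ioc_index()):
        print(lineno, hits)
```

Hash values are lowercased before comparison because EDR products disagree on case, and the URL match is a plain substring on the scheme-less path so that either http or https delivery of the same resource is caught.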