
A new phishing campaign targets US-based organizations with the aim of deploying a remote access Trojan called NetSupport RAT.
Israeli cybersecurity firm Perception Point is tracking the activity under the name PhantomBlu.
Security researcher Ariel Davidpur said: “The PhantomBlu operation introduces a subtle exploitation method that is different from the typical delivery mechanism of NetSupport RAT. It utilizes OLE (Object Linking and Embedding) template manipulation to execute malicious code using Microsoft Office document templates, while evading detection.”
NetSupport RAT is a malicious fork of the legitimate remote desktop tool known as NetSupport Manager, which allows threat actors to perform a series of data collection operations on infected endpoints.

The starting point was a payroll-themed phishing email that claimed to be from the accounting department and urged recipients to open an attached Microsoft Word document to view a “monthly payroll report.”
Careful analysis of the email headers, specifically the Return-Path and Message-ID fields, revealed that the attackers used a legitimate email marketing platform called Brevo (formerly Sendinblue) to send the emails.
Once the Word file is opened, the victim is instructed to enter the password provided in the body of the email and enable editing, then double-click a printer icon embedded in the file to view a payroll chart.

Doing so opens a ZIP archive (“Chart20072007.zip”) that contains a Windows shortcut file acting as a PowerShell dropper, which retrieves and executes the NetSupport RAT binary from a remote server.
“By using encrypted .docs to deliver NetSupport RAT through OLE templates and template injection, PhantomBlu marks a departure from the traditional TTP typically associated with NetSupport RAT deployments,” said Davidpur, adding that the updated technique “demonstrates PhantomBlu’s innovation in blending sophisticated evasion tactics” with social engineering.
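The delivery chain above relies on a Word document whose relationship parts pull a template or OLE object from outside the file. The following check is an added example for defenders, not code from Perception Point or the campaign: it unzips a .docx, flags external attachedTemplate and oleObject relationships, lists embedded OLE parts (such as the printer-icon object), and recognises a password-protected document, which is stored in a Compound File container that hides the zip parts until the password is supplied. The sample document and its URL are constructed for the test.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types that should not normally point outside the document.
SUSPECT_REL_TYPES = ("attachedTemplate", "oleObject")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header


def scan_docx(data: bytes) -> dict:
    """Return template-injection indicators found in a .docx given as bytes."""
    findings = {"encrypted_container": False, "external_rels": [], "embedded_objects": []}
    if data[:8] == CFB_MAGIC:
        # A password-protected OOXML file is wrapped in a CFB container, so the
        # zip parts cannot be inspected; report that so the file is not skipped silently.
        findings["encrypted_container"] = True
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/embeddings/"):
                findings["embedded_objects"].append(name)
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                # Remote (http/https/file/UNC) targets for these types are the injection indicator.
                if rel_type in SUSPECT_REL_TYPES and re.match(r"^(https?|file)://|^\\\\", target, re.I):
                    findings["external_rels"].append((name, rel_type, target))
    return findings


def build_sample_docx(template_url: str) -> bytes:
    """Constructed test input: a minimal .docx whose settings.xml.rels points at a remote template."""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
            f'Target="{template_url}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)  # stands in for an embedded OLE object
    return buf.getvalue()
```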
The growing abuse of cloud platforms and popular CDNs
Resecurity revealed that threat actors are increasingly abusing public cloud services such as Dropbox, GitHub, IBM Cloud and Oracle Cloud Storage, as well as Web 3.0 data hosting platforms such as Pinata, which is based on the InterPlanetary File System (IPFS) protocol, using phishing kits to generate fully undetectable (FUD) phishing URLs.
Underground providers such as BulletProofLink, FUDLINKSHOP, FUDSENDER, ONNX and XPLOITRVERIFIER offer such FUD links on Telegram as part of a subscription model with prices starting from $200 per month. These links are further protected behind an anti-bot barrier to filter incoming traffic and evade detection.

Tools such as HeartSender complement these services and can distribute generated FUD links at scale. The Telegram group associated with HeartSender has nearly 13,000 subscribers.
“FUD links represent the next step in [phishing-as-a-service] and malware deployment innovations,” the company said, noting that attackers are “repurposing reputable infrastructure for malicious use cases.”
“A recent malicious campaign exploited Rhadamanthys Stealer to target the oil and gas industry, using an embedded URL that took advantage of open redirects on legitimate domains (primarily Google Maps and Google Images). This domain-nesting technique makes malicious URLs less noticeable and more likely to lure victims.”