Deceptive Microsoft Office Maneuver Unleashes NetSupport RAT in Latest Phishing Scheme
A recent phishing campaign targets U.S. organizations, aiming to deploy the NetSupport RAT, a remote access trojan. Tracked by Israeli cybersecurity firm Perception Point as Operation PhantomBlu, the campaign uses a more sophisticated method than usual: it exploits Microsoft Office's Object Linking and Embedding (OLE) template manipulation to execute malicious code while evading detection. NetSupport RAT, derived from the legitimate tool NetSupport Manager, enables threat actors to conduct various data-gathering actions on compromised devices.
The attack begins with a phishing email themed around salary reports, urging recipients to open a Microsoft Word document attached to the email. Analysis of email headers reveals the use of the legitimate email marketing platform Brevo (formerly Sendinblue). Upon opening the Word document and following instructions to view a salary graph, victims unwittingly download a ZIP archive containing a PowerShell dropper, ultimately retrieving and executing the NetSupport RAT binary from a remote server.
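Because the chain above starts with a Word document whose template reference points off-host, one triage check a defender can run on inbound attachments is to inspect the document's relationship parts for an attached-template entry with a remote (http/https) target; a local `file:///...Normal.dotm` attached template is ordinary and should not be flagged. The following is an added example, not code from the original article or from Perception Point; the `build_sample_docx` fixture and the `example.invalid` hostname are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OOXML relationship type that Word uses for an attached (.dotm/.dotx) template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"


def find_remote_templates(docx):
    """Return [(rels_part, target)] for attached templates fetched over http/https.

    `docx` may be a path or the raw bytes of a .docx (a ZIP container).
    Word marks every attached template External, so only the URL scheme
    distinguishes a normal local template from a remote one.
    """
    source = docx if isinstance(docx, str) else io.BytesIO(docx)
    findings = []
    with zipfile.ZipFile(source) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts declare targets
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_TAG):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and urlsplit(target).scheme in ("http", "https"):
                    findings.append((name, target))
    return findings


def build_sample_docx(template_target=None):
    """Constructed minimal .docx fixture (not a real sample) with an optional attached template."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    )
    if template_target:
        rels += (
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/>'
        )
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Run `find_remote_templates` over attachments at the mail gateway or in a sandbox; a hit is a strong triage signal, while an empty result only rules out this one delivery technique.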
This new approach showcases the attackers' innovation in blending evasion tactics with social engineering, departing from conventional methods associated with NetSupport RAT deployments.
Simultaneously, threat actors are increasingly exploiting public cloud services like Dropbox and GitHub, alongside Web 3.0 platforms like Pinata, to create undetectable phishing URLs. These URLs, offered by underground vendors on Telegram, are secured behind antibot barriers to evade detection. Tools like HeartSender facilitate the distribution of these URLs at scale. Furthermore, attackers repurpose reputable infrastructure, such as Google Maps and Google Images, to host malicious URLs, making them less conspicuous and more likely to ensnare victims.
Source: https://thehackernews.com/2024/03/new-phishing-attack-uses-clever.html