New phishing campaign targets US organizations with NetSupport RAT
- by nlqip
Hundreds of US employees have been targeted in a new email attack that uses accounting lures to distribute malicious documents that deploy a remote access tool known as NetSupport RAT. The attackers use a combination of detection evasion techniques, including Office Object Linking and Embedding (OLE) template manipulation and injection, as well as Windows shortcut files with PowerShell code attached.
“NetSupport RAT is a spin-off of the legitimate NetSupport Manager, a remote technical support app, exemplifying how powerful IT tools can be misappropriated into malicious software,” researchers from security firm Perception Point said in their report. “Once installed on a victim’s endpoint, NetSupport can monitor behavior, capture keystrokes (keylogger), transfer files, commandeer system resources, and move to other devices within the network — all under the guise of a benign remote support software.”
A shift in phishing TTPs
The NetSupport RAT has been used in malicious email attacks before, but the new campaign, which researchers have dubbed PhantomBlu, employs tactics, techniques, and procedures (TTPs) that are more sophisticated than those seen in previous operations. The rogue emails impersonate an accounting service and were sent to hundreds of employees from various US-based organizations under the guise of monthly salary reports. The emails were sent through a legitimate email marketing service called Brevo to bypass spam filters and contained password-protected .docx documents.
When opening the documents, users were prompted to input the password included in the email message and were then presented with a message inside the document saying the contents cannot be displayed because the document is protected. There are also visual branding elements of the impersonated accounting service and a printer icon that users are instructed to click on after enabling editing mode on the document. The printer icon is a button that uses the OLE feature of Microsoft Word to launch an external .zip file that’s supposed to be a document template. OLE allows Office documents to embed references and links to external documents or objects.
“With this step PhantomBlu’s campaign leverages a TTP called OLE template manipulation (Defense Evasion – T1221), exploiting document templates to execute malicious code without detection,” the researchers said. “This advanced technique bypasses traditional security measures by hiding the payload outside the document, only executing upon user interaction.”
The .zip archive contains a shortcut (LNK) file which in turn contains obfuscated PowerShell code. The PowerShell code reaches out to an attacker-controlled server to download a second .zip archive that contains a file called Client32.exe, which is the NetSupport RAT client. The server will only deliver the .zip archive if the request comes from a specific user agent that the PowerShell script sets. After downloading the archive, extracting its contents, and executing the file inside, the script also creates a registry key to ensure persistence for the RAT.
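The chain described above leaves several host-side observables that can be correlated: PowerShell launched with obfuscation flags, a Client32.exe binary dropped into a user-writable path, and a Run-key value pointing at it. The following detection sketch is an added example (not code from the article or from Perception Point); the telemetry records are constructed Sysmon-style events and the registry key name and paths are placeholders, not indicators from the campaign.

```python
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not real IoCs): WS01 shows the full chain,
# WS02 shows an admin running an ordinary PowerShell command.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "WS01", "type": "file", "image": PS,
     "target": r"C:\Users\alice\AppData\Local\Temp\extracted\Client32.exe"},
    {"host": "WS01", "type": "registry", "image": PS,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",  # placeholder value name
     "details": r"C:\Users\alice\AppData\Local\Temp\extracted\Client32.exe"},
    {"host": "WS02", "type": "process", "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe Get-Service"},
]

# Client32.exe under Program Files is a legitimate NetSupport Manager install;
# only flag the binary when it lands in a user-writable location.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
OBFUSCATION_FLAGS = (" -enc", "-encodedcommand", "frombase64string", "-w hidden", "-ep bypass")


def stage_of(ev):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    img = ev.get("image", "").lower()
    if ev["type"] == "process" and img.endswith("powershell.exe"):
        cmd = ev.get("cmdline", "").lower()
        if any(flag in cmd for flag in OBFUSCATION_FLAGS):
            return "obfuscated_powershell"
    if ev["type"] == "file":
        tgt = ev.get("target", "").lower()
        if tgt.endswith("\\client32.exe") and any(d in tgt for d in USER_WRITABLE):
            return "netsupport_client_in_user_path"
    if ev["type"] == "registry":
        key = ev.get("target", "").lower()
        if "\\currentversion\\run" in key and "client32.exe" in ev.get("details", "").lower():
            return "run_key_persistence"
    return None


def detect_chain(events, min_stages=2):
    """Return {host: sorted stage names} for hosts hitting at least min_stages distinct stages."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in detect_chain(SAMPLE_EVENTS).items():
        print(f"{host}: possible NetSupport RAT chain: {', '.join(stages)}")
```

Requiring two or more stages on the same host keeps a lone obfuscated PowerShell launch from paging anyone, while a legitimate NetSupport Manager install in Program Files never matches the file stage.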