Hackers are using a novel phishing technique to send Remote Access Trojans (RATs) to unsuspecting victims.
According to the report, published this Monday, threat actors are abusing a Windows feature called Object Linking and Embedding (OLE).
This is a Windows feature that allows users to embed and link documents within documents, resulting in composite files with elements from different programs.
New phishing methods
This is according to cybersecurity firm Perception Point, whose researchers recently detailed a campaign they dubbed Operation PhantomBlu.
The campaign begins with the usual phishing email, which apparently comes from the accounting department of the victim's company. The emails are sent from a legitimate marketing platform called Brevo, suggesting that the platform has most likely been compromised in some way.
Attached to the email is a “monthly salary report” Word document. Victims who download the file are first asked to enter a password to open it and then double-click a printer icon embedded in the document.
By doing this, the victim executes a ZIP file containing a Windows shortcut file, which executes a PowerShell dropper that deploys NetSupport RAT from a remote server.
“By using encrypted .docs to deliver NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments,” said Ariel Davidpur, author of the report, adding that the updated technique “shows PhantomBlu's innovation in combining sophisticated evasion tactics with social engineering.”
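The two document-level tricks named above, a remote (injected) template reference and an embedded OLE object, both leave traces inside the .docx container that a mail gateway or analyst can look for before the file is ever opened. The script below is an added example written for this article, not code from Perception Point or from the report; it builds a constructed sample .docx in memory (the template URL is a placeholder, not an indicator from the campaign), then inspects the package's relationship parts for an external attachedTemplate relationship and for embedded OLE parts. It also shows the caveat the password-protected delivery creates: an encrypted OOXML file is wrapped in an OLE2 compound file, so its inner parts cannot be inspected statically without the password, and the scanner reports that instead of silently passing the file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Well-known container magic numbers.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc, or password-encrypted OOXML wrapper
ZIP_MAGIC = b"PK\x03\x04"                           # plain OOXML (.docx is a ZIP package)

# OOXML relationship namespace and the two relationship types of interest.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
OLE_OBJECT_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_docx(data: bytes) -> dict:
    """Inspect a Word document (raw bytes) for template-injection and OLE-embedding indicators."""
    findings = {"container": None, "remote_templates": [], "ole_objects": [], "notes": []}
    if data.startswith(OLE2_MAGIC):
        # Encrypted .docx files are stored inside an OLE2 compound file; without the
        # password there is no ZIP package to open, so report that explicitly.
        findings["container"] = "ole2"
        findings["notes"].append("OLE2 compound file: legacy .doc or password-encrypted OOXML; "
                                 "inner parts cannot be inspected without the password")
        return findings
    if not data.startswith(ZIP_MAGIC):
        findings["container"] = "unknown"
        return findings
    findings["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if not name.endswith(".rels"):
                continue
            # Note: for untrusted input in production, parse with defusedxml instead.
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                rel_type = rel.get("Type")
                target = rel.get("Target")
                external = rel.get("TargetMode") == "External"
                # Classic template injection: settings.xml.rels points at an external .dotm.
                if rel_type == ATTACHED_TEMPLATE_REL and external:
                    findings["remote_templates"].append((name, target))
                if rel_type == OLE_OBJECT_REL:
                    findings["ole_objects"].append((name, target))
        # Embedded OLE payloads are stored as parts under word/embeddings/.
        for name in names:
            if name.startswith("word/embeddings/"):
                findings["ole_objects"].append(("part", name))
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings into a triage label."""
    if findings["container"] == "ole2":
        return "uninspectable"
    if findings["remote_templates"] or findings["ole_objects"]:
        return "suspicious"
    return "clean"


def build_sample_docx(remote_template=None, embed_ole=False) -> bytes:
    """Build a minimal constructed .docx in memory for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("word/document.xml",
                    "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        rels = ["<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>"]
        if remote_template:
            rels.append("<Relationship Id='rId1' Type='%s' Target='%s' TargetMode='External'/>"
                        % (ATTACHED_TEMPLATE_REL, remote_template))
        rels.append("</Relationships>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if embed_ole:
            # A stub OLE2 blob stands in for an embedded object (constructed, inert bytes).
            zf.writestr("word/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 16)
            zf.writestr("word/_rels/document.xml.rels",
                        "<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>"
                        "<Relationship Id='rId2' Type='%s' Target='embeddings/oleObject1.bin'/>"
                        "</Relationships>" % OLE_OBJECT_REL)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder template URL; not an indicator from the campaign.
    samples = {
        "clean": build_sample_docx(),
        "injected": build_sample_docx("http://example.invalid/template.dotm", embed_ole=True),
        "encrypted": OLE2_MAGIC + b"\x00" * 504,
    }
    for label, blob in samples.items():
        f = scan_docx(blob)
        print(label, verdict(f), f["remote_templates"], f["ole_objects"], f["notes"])
```

The relationship walk covers every `.rels` part rather than only `settings.xml.rels`, because the same external-target mechanism can appear in other relationship files; the "uninspectable" verdict is the one to route to sandbox detonation or password-prompting analysis rather than to treat as clean.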
NetSupport RAT is a weaponized version of NetSupport Manager, a legitimate remote-control software first released in 1989. For years, NetSupport RAT has been one of the most widely used remote access Trojans, giving attackers unrestricted access to compromised devices. They can then use that access to deploy even more dangerous malware, including data stealers and ransomware.
The best way to protect yourself against these attacks is to be vigilant when receiving emails and only download attachments from verified sources.