Phishing Campaign Leveraging Microsoft Office Templates to Deliver NetSupportRAT to US-Based Organizations

According to a new report, the technique evades traditional security controls by keeping the malicious payload outside the document itself and fetching it only when the user interacts with the file.

On March 18, 2024, Perception Point researchers published the technical details of a phishing campaign, which they track as PhantomBlu, that leverages Microsoft Office document templates for execution and obfuscation to deliver NetSupport RAT to corporate targets based in the United States.

Community Impact

According to the most recent RH-ISAC Intelligence Trends Summary, Microsoft-related phishing reporting fell slightly but remains a top threat reported by core members of the RH-ISAC community. Members continue to see a high volume of phishing campaigns that leverage Microsoft products and services. Members are therefore advised to maintain situational awareness of changes in threat actor tactics involving Microsoft services and products, including by reviewing the indicators and tactics, techniques, and procedures (TTPs) below.

Technical Details

According to the report, the “PhantomBlu operation introduces a nuanced exploitation method, diverging from NetSupport RAT’s typical delivery mechanism by leveraging OLE (Object Linking and Embedding) template manipulation, exploiting Microsoft Office document templates to execute malicious code while evading detection. This advanced technique bypasses traditional security systems by hiding the malicious payload outside the document, only executing upon user interaction.”
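The technique in the quoted paragraph is Office template injection (T1221 in the TTP list below): the .docx itself carries only a relationship that points at an external template, and Word fetches that template, with whatever macro or OLE content it holds, when the document is opened. As an added example, not Perception Point's code and not the campaign's real document, the following Python script builds a minimal .docx in memory (a constructed sample with a hypothetical, non-routable template URL) and scans its relationship parts for external attachedTemplate or oleObject targets that resolve over the network:

```python
"""Scan a .docx for remote template / OLE relationships (ATT&CK T1221).

Added example for this write-up, not Perception Point's tooling and not the
campaign's real document: a minimal .docx is built in memory so the check can
run offline. The remote URL, part names and the docx skeleton are constructed.
"""
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Relationship types that make Word fetch and run content from the Target.
FETCHING_TYPES = {"attachedTemplate", "oleObject"}
# Constructed, non-routable URL standing in for the attacker's template host.
SAMPLE_REMOTE = "http://templates.example.invalid/solar.dotm"
# A local Normal.dotm reference, the common benign case.
SAMPLE_LOCAL = "file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm"


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx; optionally attaches a template by relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>')
        if template_target is not None:
            # settings.xml names the template only by relationship id; the .rels
            # part holds the real Target, and TargetMode="External" makes Word
            # resolve it outside the package when the document opens.
            z.writestr("word/settings.xml",
                       f'<w:settings xmlns:w="{W_NS}" xmlns:r="{OFFICE_REL[:-1]}">'
                       '<w:attachedTemplate r:id="rId1"/></w:settings>')
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{PKG_REL_NS}">'
                       f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
                       f'Target="{template_target}" TargetMode="External"/>'
                       '</Relationships>')
    return buf.getvalue()


def is_remote_target(target: str) -> bool:
    """True for targets fetched over the network (HTTP(S) or UNC), False for
    local file paths such as a user's own Normal.dotm."""
    t = target.strip().lower()
    if t.startswith(("http://", "https://", "\\\\")):
        return True
    # file://host/share is UNC; file:///C:/... is a local drive path.
    return t.startswith("file://") and not t.startswith("file:///")


def find_remote_templates(docx_bytes: bytes) -> list[dict]:
    """Return every external attachedTemplate/oleObject relationship whose
    Target is remote, each as {"part", "type", "target"}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            # Stdlib ET does not fetch external entities, but for hostile
            # input in production prefer defusedxml.
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rtype in FETCHING_TYPES
                        and is_remote_target(target)):
                    findings.append({"part": part, "type": rtype, "target": target})
    return findings


if __name__ == "__main__":
    for label, target in (("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL), ("none", None)):
        print(label, find_remote_templates(build_sample_docx(target)))
```

A local Normal.dotm target is the usual benign case and is deliberately not flagged; an HTTP(S) or UNC attachedTemplate target in an inbound attachment is what this campaign relies on and is the condition to alert on before the file reaches a user. The same relationship parts are where an external oleObject link would appear, so the scanner treats both types alike.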

IOCs

Perception Point researchers provided the following indicators of compromise (IOCs) for ingestion into security tooling. Indicators are defanged with [.] and must be refanged before use; the Type column names the kind of indicator, and Notes identifies the artifact for file hashes.

Indicator                                                         Type        Notes
16e6dfd67d5049ffedb8c55bee6ad80fc0283757bc60d4f12c56675b1da5bf61  SHA-256     Email
1abf56bc5fbf84805ed0fbf28e7f986c7bb2833972793252f3e358b13b638bb1  SHA-256     Docx
95898c9abce738ca53e44290f4d4aa4e8486398de3163e3482f510633d50ee6c  SHA-256     Injected ZIP
d07323226c7be1a38ffd8716bc7d77bdb226b81fd6ccd493c55b2711014c0188  SHA-256     LNK file
94499196a62341b4f1cd10f3e1ba6003d0c4db66c1eb0d1b7e66b7eb4f2b67b6  SHA-256     Final ZIP
89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1  SHA-256     Client32[.]exe (NetSupport client)
yourownmart[.]com/solar[.]txt                                     URL
firstieragency[.]com/depbrndksokkkdkxoqnazneifidmyyjdpji[.]txt    URL
yourownmart[.]com                                                 Hostname
firstieragency[.]com                                              Hostname
parabmasale[.]com                                                 Hostname
tapouttv28[.]com                                                  Hostname
192[.]236[.]192[.]48                                              IP address
173[.]252[.]167[.]50                                              IP address
199[.]188[.]205[.]15                                              IP address
46[.]105[.]141[.]54                                               IP address
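Feeds and write-ups defang indicators and do not always label their types consistently, so a small normalizer is worth having before anything is pushed into a SIEM or blocklist. As an added example, not RH-ISAC or Perception Point tooling, the following Python script refangs the indicators from the table above (copied here as sample input) and derives each one's type from its shape rather than from any label:

```python
"""Refang and classify defanged indicators before ingestion.

Added example for this write-up, not RH-ISAC or Perception Point tooling.
The sample list below is the IOC table's own indicators, copied as input;
the classification comes from the indicator's shape, not the table's labels.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

SAMPLE_IOCS = [
    "16e6dfd67d5049ffedb8c55bee6ad80fc0283757bc60d4f12c56675b1da5bf61",
    "1abf56bc5fbf84805ed0fbf28e7f986c7bb2833972793252f3e358b13b638bb1",
    "95898c9abce738ca53e44290f4d4aa4e8486398de3163e3482f510633d50ee6c",
    "d07323226c7be1a38ffd8716bc7d77bdb226b81fd6ccd493c55b2711014c0188",
    "94499196a62341b4f1cd10f3e1ba6003d0c4db66c1eb0d1b7e66b7eb4f2b67b6",
    "89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1",
    "yourownmart[.]com/solar[.]txt",
    "firstieragency[.]com/depbrndksokkkdkxoqnazneifidmyyjdpji[.]txt",
    "yourownmart[.]com",
    "firstieragency[.]com",
    "parabmasale[.]com",
    "tapouttv28[.]com",
    "192[.]236[.]192[.]48",
    "173[.]252[.]167[.]50",
    "199[.]188[.]205[.]15",
    "46[.]105[.]141[.]54",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def refang(indicator: str) -> str:
    """Undo the common defanging conventions: [.] (.) {.} for dots,
    hxxp for http, [:] for the scheme separator and [at] for @."""
    s = indicator.strip()
    s = re.sub(r"[\[({]\.[\])}]", ".", s)
    s = re.sub(r"hxxp", "http", s, flags=re.I)
    return s.replace("[:]", ":").replace("[at]", "@")


def classify(indicator: str) -> tuple[str, str]:
    """Return (type, refanged value); type is sha256, ip, url, hostname or unknown."""
    value = refang(indicator)
    if SHA256_RE.match(value):
        return "sha256", value.lower()
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        pass
    # A scheme or a path component makes it a URL rather than a bare host.
    if "://" in value or "/" in value:
        return "url", value
    if DOMAIN_RE.match(value):
        return "hostname", value.lower()
    return "unknown", value


def summarize(indicators: list[str]) -> dict[str, int]:
    """Count indicators per detected type, a quick sanity check against
    whatever type labels a feed or table claims."""
    return dict(Counter(classify(i)[0] for i in indicators))


if __name__ == "__main__":
    for ioc in SAMPLE_IOCS:
        kind, value = classify(ioc)
        print(f"{kind:9} {value}")
    print(summarize(SAMPLE_IOCS))
```

Hashes are lower-cased so they match case-insensitive feeds, and the two entries with a path are reported as URLs while the bare domains are reported as hostnames, which is the distinction that matters when deciding whether to block a whole host or only a specific path.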

TTPs

Perception Point researchers mapped the campaign to the following MITRE ATT&CK techniques:

Remote Access Software (T1219)

Windows Management Instrumentation (T1047)

Hide Artifacts: Hidden Files and Directories (T1564.001)

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)

Hide Artifacts: Hidden Window (T1564.003)

Modify Registry (T1112)

Obfuscated Files or Information: Software Packing (T1027.002)

System Network Connections Discovery (T1049)

Template Injection (T1221) (novel TTP in the PhantomBlu campaign)
