On March 18, 2024, Perception Point researchers published the technical details of a phishing campaign leveraging Microsoft Office document templates for execution and obfuscation to deliver NetSupportRAT to corporate targets based in the United States.
Community Impact
According to the most recent RH-ISAC Intelligence Trends Summary, Microsoft-related phishing reporting fell slightly but remains a top threat reported by core members of the RH-ISAC community. Members continue to see phishing campaigns leveraging Microsoft products and services at a high volume. As such, members are advised to maintain situational awareness regarding changes to threat actor tactics in leveraging Microsoft services and products, including reviewing the indicators and tactics, techniques, and procedures (TTPs) included below.
Technical Details
According to the report, the “PhantomBlu operation introduces a nuanced exploitation method, diverging from NetSupport RAT’s typical delivery mechanism by leveraging OLE (Object Linking and Embedding) template manipulation, exploiting Microsoft Office document templates to execute malicious code while evading detection. This advanced technique bypasses traditional security systems by hiding the malicious payload outside the document, only executing upon user interaction.”
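To make the template-injection mechanism concrete from the detection side, the following Python script (an added example, not from the Perception Point report or RH-ISAC) opens a .docx as the zip container it is and flags relationship entries whose attached template or OLE object is resolved externally, which is the structure that lets the payload sit outside the document. The sample document and the URL inside it are constructed placeholders, not indicators from the campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types whose external Target pulls content in from outside the
# file at open time: the attached (remote) template and linked OLE objects.
SUSPECT_TYPES = ("/attachedTemplate", "/oleObject")
REMOTE_SCHEME = re.compile(r"^(https?|ftp|file|smb)://", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return external attachedTemplate/oleObject relationships found in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Relationship parts live under word/_rels/<part>.rels
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                if not rtype.endswith(SUSPECT_TYPES):
                    continue
                # External mode or a URL scheme: Word fetches it at open time, not stored inside.
                if rel.get("TargetMode") == "External" or REMOTE_SCHEME.match(target):
                    hits.append({"part": name, "type": rtype.rsplit("/", 1)[-1],
                                 "target": target})
    return hits


def make_sample_docx(template_url):
    """Build a minimal constructed .docx; template_url=None gives a clean file."""
    rels = f'<Relationships xmlns="{RELS_NS}">'
    if template_url:  # the remote-template link a template-injected document carries
        rels += (f'<Relationship Id="rId1" TargetMode="External" Target="{template_url}" '
                 'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                 'relationships/attachedTemplate"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":  # placeholder URL constructed for the demo, not an indicator
    print(find_remote_templates(make_sample_docx("http://template.invalid/x.dotm")))
```

A clean document, or one whose template relationship is internal to the package, yields an empty list; a hit gives the .rels part and the external target to pivot on in mail-gateway or sandbox triage.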
IOCs
Perception Point researchers have provided the following indicators of compromise (IOCs) to ingest into your security system:
TTPs
Perception Point researchers provided the following MITRE ATT&CK tactics, techniques, and procedures (TTPs):
Remote Access Software (T1219)
Windows Management Instrumentation (T1047)
Hide Artifacts: Hidden Files and Directories (T1564/003)
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547/001)
Hide Artifacts: Hidden Window (T1564/003)
Obfuscated Files or Information: Software Packing (T1406/002)
System Network Connections Discovery (T1049)
Template Injection (T1221) (Novel TTP in PhantomBlu Campaign)