New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT

A new phishing campaign is targeting U.S. organizations to deploy a remote access trojan called NetSupport RAT. This operation, which introduces a nuanced exploitation method based on OLE template manipulation, is tracked by Israeli cybersecurity company Perception Point as "Operation PhantomBlu". NetSupport RAT is a malicious spin-off of a legitimate remote desktop tool known as NetSupport Manager, allowing threat actors to conduct a spectrum of data-gathering actions on a compromised endpoint. The initial access attempt is a salary-themed phishing email sent from a legitimate email marketing platform called Brevo; it purports to be from the accounting department and urges recipients to open the attached Microsoft Word document to view the "monthly salary report." When the victim opens the Word document and clicks the printer icon embedded in it, a ZIP file is opened, which contains a shortcut file that acts as a PowerShell dropper for the NetSupport RAT binary.

In the campaign, hundreds of employees in various U.S.-based organizations received email messages seemingly from an accounting service. Historically, such campaigns have relied more directly on executable files and simpler phishing techniques; PhantomBlu stands out for blending sophisticated evasion tactics with social engineering.

Analyst Comments:
Attackers are becoming more sophisticated in their defense evasion techniques and in their use of legitimate software to disguise malicious intent and increase the success rate of their phishing attempts. Malware-as-a-service (MaaS) operators are making malware campaigns more accessible to affiliates than ever. From Reconnaissance to Exfiltration, affiliates can assemble entire cyber kill chains from just a few complementary services.

This campaign marks the first time Template Injection (T1221) (MITRE) has been observed being used as the email delivery method for the NetSupport RAT. The C2 servers were discovered in the configuration files of the NetSupport RAT. This RAT is capable of stealthily capturing keystrokes, transferring files, abusing system resources, and moving laterally within the network while Masquerading (MITRE) as benign remote support software.
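The delivery document described above combines two traits a defender can check for statically before the file ever reaches Word: an OLE object embedded in the document (the clickable "printer icon") and a template relationship that points outside the file (the Template Injection, T1221, technique named in the analyst comment). The following script is an added example written for this summary; it is not code from Perception Point or from the report. It uses only standard OOXML part names and relationship types (`word/embeddings/`, `attachedTemplate`, `hyperlink`), builds its own constructed sample documents in memory, and uses a clearly labelled placeholder for the template URL. It goes slightly beyond the page by also showing that ordinary hyperlinks, which are external relationships too, are filtered out to keep the triage signal clean.

```python
# Added example (not from the Perception Point report): static triage of a
# .docx for an embedded OLE package and for external (remote-template) links.
# Sample documents are constructed inline; the template URL is a placeholder.
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
HYPERLINK_REL = OOXML_REL + "hyperlink"          # benign, very common
TEMPLATE_REL = OOXML_REL + "attachedTemplate"    # remote template hook (T1221)
PLACEHOLDER_TEMPLATE_URL = "http://TEMPLATE-HOST.example/report.dotm"  # placeholder


def inspect_docx(data: bytes) -> dict:
    """Return OLE parts and non-hyperlink external relationships found in a .docx."""
    result = {"embedded_objects": [], "external_targets": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Every part under word/embeddings/ is an embedded OLE object.
        result["embedded_objects"] = [n for n in names if n.startswith("word/embeddings/")]
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rtype = rel.get("Type", "")
                if rtype == HYPERLINK_REL:   # plain links are external too; skip them
                    continue
                result["external_targets"].append(
                    (name, rtype.rsplit("/", 1)[-1], rel.get("Target", "")))
    # Either trait alone is only a review trigger, not proof of malice.
    result["suspicious"] = bool(result["embedded_objects"] or result["external_targets"])
    return result


def build_sample_docx(malicious: bool) -> bytes:
    """Constructed minimal .docx; malicious=True adds an OLE part and an
    external attachedTemplate relationship in settings.xml.rels."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>')
    document = (
        '<?xml version="1.0"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Monthly salary report</w:t></w:r></w:p></w:body></w:document>')
    # A benign hyperlink is present in both variants to show it is not flagged.
    doc_rels = (
        '<?xml version="1.0"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{HYPERLINK_REL}" Target="https://example.com/" TargetMode="External"/>'
        '</Relationships>')
    template_rel = (
        f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
        f'Target="{PLACEHOLDER_TEMPLATE_URL}" TargetMode="External"/>' if malicious else '')
    settings_rels = (
        '<?xml version="1.0"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'{template_rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        if malicious:
            # Constructed stand-in for an OLE compound file (CFB magic + padding).
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("lure", True)):
        print(label, inspect_docx(build_sample_docx(flag)))
```

In practice `inspect_docx` would be fed attachments pulled from the mail gateway; a hit on `attachedTemplate` with an external target, or any `word/embeddings/` part in a document claiming to be a salary report, is a reason to quarantine the message and detonate the file rather than deliver it. Legitimate documents do embed OLE objects (spreadsheets, for example), which is why the result is labelled "suspicious" and not "malicious".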

Suggested Corrections:
Perception Point security researchers have published the relevant IOCs and TTPs here: