Hackers are using a novel phishing technique to deliver remote access trojans (RAT) to unsuspecting victims, experts have warned.

This is according to cybersecurity experts Perception Point, who recently detailed a campaign they dubbed Operation PhantomBlu using a technique called Object Linking and Embedding (OLE).

This is a Windows feature that allows users to embed and link documents within documents, resulting in compound files with elements from different programs.

New phishing methods

The campaign starts with the usual phishing email, seemingly coming from the victim’s company accounting department. The emails are being sent from a legitimate marketing platform called Brevo, suggesting the platform was most likely compromised in some way.

Attached with the email is a Word “monthly salary report” document. The victims that download the file are first asked to enter a password to open it, and then double-click a printer icon embedded in the doc.

By doing that, the victim runs a ZIP archive file holding a Windows shortcut file, which runs a PowerShell dropper which deploys the NetSupport RAT from a remote server.

“By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments,” said Ariel Davidpur, the report’s author, adding the updated technique “showcases PhantomBlu’s innovation in blending sophisticated evasion tactics with social engineering.”

NetSupport RAT is a weaponized version of NetSupport Manager, a legitimate remote control software, first released in 1989. For years now, NetSupport RAT was one of the most commonly used remote access trojans, allowing attackers unabated access to compromised devices. They can then use that access to deploy even more dangerous malware, including infostealers and ransomware.

The best way to protect against these attacks is to be vigilant when receiving emails and only downloading attachments from verified sources.

This article first appeared in TechRadar, written by Sead Fadilpasic on March 19, 2024.