A malicious email campaign is targeting hundreds of Microsoft Office users in US-based organizations to deliver a remote access trojan (RAT) that evades detection, partially by showing up as legitimate software.

In a campaign dubbed “PhantomBlu” by researchers at Perception Point, attackers impersonate an accounting service in email messages that invite people to download a Microsoft Office Word file, purportedly to view their “monthly salary report.” Targets receive detailed instructions for accessing the password-protected “report” file, which ultimately delivers the notorious NetSupport RAT, malware spun off from NetSupport Manager, a legitimate remote technical support tool. Threat actors have previously used the RAT to footprint systems before delivering ransomware to them.

“Engineered for stealthy surveillance and control, it transforms remote administration into a platform for cyber attacks and data theft,” Perception Point Web security expert Ariel Davidpur revealed in a blog post published this week.

Once installed on a victim’s endpoint, NetSupport can monitor behavior, capture keystrokes, transfer files, take over system resources, and move to other devices within the network, “all under the guise of a benign remote support software,” he wrote.

NetSupport RAT’s Evasive OLE Delivery Method

The campaign represents a novel delivery method for NetSupport RAT via manipulation of Object Linking and Embedding (OLE) templates. It’s a “nuanced exploitation method” that uses legitimate Microsoft Office document templates to execute malicious code while evading detection, Davidpur wrote. 

If a user downloads the .docx file attached to the campaign’s messages and uses the accompanying password to access it, the content of the document further instructs targets to click “enable editing” and then to click the image of a printer embedded in the document in order to view their “salary graph.”

The printer image is actually an OLE package, a legitimate feature in Microsoft Windows that allows embedding and linking to documents and other objects. “Its legitimate use enables users to create compound documents with elements from different programs,” Davidpur wrote.

Via OLE template manipulation, the threat actors exploit document templates to execute malicious code without detection by hiding the payload outside of the document. The campaign is the first time this process has been used in an email to deliver NetSupport RAT, according to Perception Point.

“This advanced technique bypasses traditional security systems by hiding the malicious payload outside the document, only executing upon user interaction,” Davidpur explained.

Indeed, by using encrypted .doc files to deliver the NetSupport RAT via OLE template and template injection (MITRE ATT&CK technique T1221), the PhantomBlu campaign departs from the conventional tactics, techniques, and procedures (TTPs) commonly associated with NetSupport RAT deployments.

“Historically, such campaigns have relied more directly on executable files and simpler phishing techniques,” Davidpur wrote. The OLE method demonstrates the campaign’s innovation in blending “sophisticated evasion tactics with social engineering,” he wrote.
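For defenders triaging Office attachments, the following added example (not from Perception Point or the original article) reports the three things this delivery method leans on: a container that scanners cannot open without the password, embedded OLE objects, and relationships that point outside the document. The function names and the sample file are constructed for illustration; the relationship type names come from the OOXML package format, not from the campaign's own files.

```python
import io
import re
import zipfile

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header
REL_RE = re.compile(rb"<Relationship\b[^>]*>")
ATTR_RE = re.compile(rb"(\w+)\s*=\s*[\"']([^\"']*)[\"']")
WATCHED_TYPES = ("attachedTemplate", "oleObject")

def triage_office_file(data: bytes) -> dict:
    """Report container kind, embedded objects and external relationships."""
    report = {"container": "unknown", "embedded": [], "external": []}
    if data.startswith(CFB_MAGIC):
        # Legacy .doc and password-protected OOXML both use this container;
        # the ZIP parts below are not visible until the file is decrypted.
        report["container"] = "cfb"
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["container"] = "ooxml-zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if "/embeddings/" in name:  # embedded OLE objects and packages
                report["embedded"].append(name)
            if not name.endswith(".rels"):
                continue
            for rel in REL_RE.findall(zf.read(name)):
                attrs = dict(ATTR_RE.findall(rel))
                rel_type = attrs.get(b"Type", b"").decode().rsplit("/", 1)[-1]
                external = attrs.get(b"TargetMode") == b"External"
                if external and rel_type in WATCHED_TYPES:
                    target = attrs.get(b"Target", b"").decode()
                    report["external"].append((name, rel_type, target))
    return report

def build_sample() -> bytes:
    """Constructed sample: a minimal .docx-like ZIP, not a campaign file."""
    base = b"http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = (b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="' + base + b'attachedTemplate" '
            b'Target="https://template.example.invalid/t.dotm" TargetMode="External"/>'
            b'<Relationship Id="rId2" Type="' + base + b'image" Target="media/image1.png"/>'
            b'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

A `cfb` result on a file named `.docx` means the content is either encrypted or in the legacy binary format, so a clean verdict from static scanning says nothing about what the document contains once opened.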

Hiding Behind Legitimacy

In their investigation of the campaign, the Perception Point researchers dissected the delivery method step by step, discovering that, like the RAT itself, the payload hides behind legitimacy in an effort to fly under the radar.

Specifically, Perception Point analyzed the return path and message ID of the phishing emails, observing the attackers’ use of the “SendInBlue” or Brevo service. Brevo is a legitimate email delivery platform that offers services for marketing campaigns.

“This choice underscores the attackers’ preference for leveraging reputable services to mask their malicious intent,” Davidpur wrote.

Avoiding Compromise

Since PhantomBlu uses email as its method to deliver malware, the usual techniques to avoid compromise — such as instructing and training employees about how to spot and report potentially malicious emails — apply.

As a general rule, people should never click on email attachments unless they come from a trusted source or someone that users correspond with regularly, experts say. Moreover, corporate users especially should report suspicious messages to IT administrators, as they may indicate signs of a malicious campaign.

To further assist admins in identifying PhantomBlu, Perception Point included a comprehensive list of TTPs, indicators of compromise (IOCs), URLs and hostnames, and IP addresses associated with the campaign in the blog post.

This article first appeared in Dark Reading, written by Elizabeth Montalbano on March 19, 2024.