
Phishing Attack Utilizes Sneaky Microsoft Office Trick to Distribute NetSupport Remote Access Trojan

A new phishing campaign is targeting U.S. businesses with the aim of delivering a remote access trojan called NetSupport RAT.

Perception Point, an Israeli security firm, is monitoring the activity under the name PhantomBlu.

“The PhantomBlu activity introduces a subtle exploitation method, diverging from NetSupport RAT’s standard delivery system by embracing OLE (Object Linking and Embedding) model adjustment, exploiting Microsoft Office document templates to execute malicious code while evading detection,” security researcher Ariel Davidpur said.

NetSupport RAT is a malicious variant of a legitimate remote desktop tool known as NetSupport Manager, allowing threat actors to perform a range of data-gathering actions on a compromised endpoint.

The starting point is a salary-themed phishing email that purports to come from the finance department and urges recipients to open the attached Microsoft Word document to see the “monthly salary report”.

A closer examination of the email message headers, particularly the Return-Path and Message-ID fields, shows that the attackers send the messages through a legitimate email marketing platform called Brevo (previously Sendinblue).
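The header pivot described above can be automated in triage: pull the domains out of From, Return-Path and Message-ID and flag messages whose envelope and message-id infrastructure belongs to a different organisation than the displayed sender. The following is an added example written for this article, not code from Perception Point or the campaign; the message and the ESP domain (`mail.esp-placeholder.invalid`) are constructed placeholders, and a mismatch on its own is a lead to chase, not proof of malice, since many legitimate bulk senders produce the same shape.

```python
"""Extract sender-infrastructure domains from email headers and flag a
third-party sending platform behind a first-party-looking From: address.
Constructed sample message; all domains are placeholders."""
from email import message_from_string
from email.utils import parseaddr


def _domain(header_value):
    """Lower-cased domain part of an address-like header, '' when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_domains(raw_message):
    """Return the domains seen in From, Return-Path and Message-ID."""
    msg = message_from_string(raw_message)
    return {
        "from": _domain(msg.get("From")),
        "return_path": _domain(msg.get("Return-Path")),
        "message_id": _domain(msg.get("Message-ID")),
    }


def same_org(a, b):
    """True when one domain equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def sent_via_third_party(raw_message):
    """True when Return-Path or Message-ID point at infrastructure that is
    not the displayed From: domain (the Brevo-style pivot from the article)."""
    d = header_domains(raw_message)
    infra = {d["return_path"], d["message_id"]} - {""}
    return bool(infra) and any(not same_org(x, d["from"]) for x in infra)


# Constructed sample in the shape of the lure described above (not a real message).
SAMPLE = """From: Finance Department <finance@victim-corp.invalid>
To: staff@victim-corp.invalid
Subject: Monthly salary report
Return-Path: <bounce-42@mail.esp-placeholder.invalid>
Message-ID: <20240318.abc123@mail.esp-placeholder.invalid>
Content-Type: text/plain

Please find attached the monthly salary report.
"""

# Constructed control: the same sender with first-party infrastructure.
CONTROL = """From: Finance Department <finance@victim-corp.invalid>
Return-Path: <finance@victim-corp.invalid>
Message-ID: <20240318.def456@mx1.victim-corp.invalid>

Please find attached the monthly salary report.
"""

if __name__ == "__main__":
    print(header_domains(SAMPLE), sent_via_third_party(SAMPLE))
    print(header_domains(CONTROL), sent_via_third_party(CONTROL))
```

Run against exported `.eml` files, the same check turns the article's manual observation into a bulk filter over a mailbox.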

When the Word document opens, the victim is instructed to enter a password supplied in the email body, enable editing, and then double-click a printer icon embedded within the document to view the salary chart.

Doing so opens a ZIP archive file (“Chart20072007.zip”) containing a single Windows shortcut file, which functions as a PowerShell dropper to retrieve and execute a NetSupport RAT binary from a remote server.

“By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments,” Davidpur said, adding that the updated technique “showcases PhantomBlu’s innovation in blending sophisticated evasion tactics with social engineering.”
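The two document-level tricks the researchers name, template injection and an embedded OLE object, both leave traces in the OOXML package that a defender can check statically before the file ever reaches Word. The example below is added here and is not Perception Point’s tooling or a sample from the campaign: it walks the `.rels` parts of a `.docx` for an external `attachedTemplate` relationship and for `oleObject` relationships or parts under `word/embeddings/`, and it recognises the password-protected case from the quote above, where the file is a CFB container rather than a ZIP and cannot be inspected without the password. The sample document is constructed in memory; the template URL is a placeholder.

```python
"""Static triage of a .docx for remote template injection and embedded OLE
objects. Constructed sample package; no real document is read or written."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
OLE_OBJECT_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/oleObject")
CFB_MAGIC = b"\xd0\xcf\x11\xe0"  # OLE2 compound file: encrypted or legacy .doc


def triage_docx(data):
    """Return findings for one document given as bytes."""
    findings = {"cfb_container": False, "remote_templates": [],
                "ole_objects": [], "embedded_parts": []}
    if data[:4] == CFB_MAGIC:
        # Password-protected OOXML is wrapped in a CFB container; the real
        # package is only reachable with the password from the lure text.
        findings["cfb_container"] = True
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["embedded_parts"] = [n for n in names
                                      if n.startswith("word/embeddings/")]
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                if rtype == ATTACHED_TEMPLATE and external:
                    findings["remote_templates"].append(target)
                elif rtype == OLE_OBJECT_REL:
                    findings["ole_objects"].append(target)
    return findings


def is_suspicious(findings):
    """Remote template over a network scheme, any OLE object, or an
    uninspectable CFB container all warrant a closer look."""
    remote = any(re.match(r"^(https?|ftp|file)://", t, re.I)
                 for t in findings["remote_templates"])
    return (findings["cfb_container"] or remote
            or bool(findings["ole_objects"]) or bool(findings["embedded_parts"]))


def build_sample_docx(malicious=True):
    """Constructed minimal package; malicious=True adds the two indicators."""
    rels_head = '<?xml version="1.0" encoding="UTF-8"?>\n<Relationships xmlns="%s">' % REL_NS
    settings_rels = rels_head + (
        '<Relationship Id="rId1" Type="%s" Target="http://template.example.invalid/t.dotm" '
        'TargetMode="External"/>' % ATTACHED_TEMPLATE if malicious else ""
    ) + "</Relationships>"
    doc_rels = rels_head + (
        '<Relationship Id="rId2" Type="%s" Target="embeddings/oleObject1.bin"/>' % OLE_OBJECT_REL
        if malicious else ""
    ) + "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        if malicious:
            zf.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_docx(True)),
                        ("benign", build_sample_docx(False)),
                        ("encrypted", CFB_MAGIC + b"\x00" * 508)):
        f = triage_docx(blob)
        print(label, is_suspicious(f), f)
```

For a mail gateway the useful policy follows directly from the findings: quarantine on an external `attachedTemplate`, sandbox anything carrying `word/embeddings/`, and treat a CFB container whose password arrives in the same email as a lure in its own right.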

Growing Abuse of Cloud Platforms and Popular CDNs

Resecurity recently discovered that threat actors are increasingly using Web 3.0 data-hosting platforms built on the InterPlanetary File System (IPFS) protocol, such as Pinata, to generate fully undetectable (FUD) phishing URLs using phishing kits, alongside public cloud services like Dropbox, GitHub, IBM Cloud, and Oracle Cloud Storage.

Such FUD links are offered on Telegram by underground vendors like BulletProofLink, FUDLINKSHOP, FUDSENDER, ONNX, and XPLOITRVERIFIER for prices starting at $200 per month as part of a subscription model. These links are further secured behind antibot barriers to filter incoming traffic and evade detection.

Also complementing these services are tools like HeartSender that make it possible to distribute the generated FUD links at scale. The Telegram group associated with HeartSender has nearly 13,000 subscribers.

“FUD Links represent the next step in [phishing-as-a-service] and malware-deployment innovation,” the company said, noting attackers are “repurposing high-reputation infrastructure for malicious use cases”.

“A recent malicious campaign abused an embedded URL that exploited an open redirect on legitimate domains, primarily Google Maps and Google Images, to target the oil and gas sector.” This domain-nesting technique makes malicious URLs more difficult to identify and more likely to trap victims.
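The nesting the passage describes has a mechanical signature: a link on a high-reputation host whose query string (or path or fragment) carries a second, absolute URL pointing at a different host, often percent-encoded more than once so that a plain substring match misses it. The following detector is an added example, not Resecurity’s code; the URLs, the `legit.example.com` host and the `next` parameter name are constructed for illustration, and the trusted-host list is whatever allow-list the caller already maintains.

```python
"""Flag redirect-lure URLs: a trusted outer host carrying an absolute URL to a
different host inside its query, path or fragment. Constructed sample URLs."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def _fully_decode(value, rounds=3):
    """Undo repeated percent-encoding; lures frequently double-encode."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def nested_urls(url):
    """Absolute URLs embedded in `url` whose host differs from the outer host."""
    outer = urlsplit(url)
    outer_host = (outer.hostname or "").lower()
    # Query values arrive already decoded once from parse_qsl; path and
    # fragment are checked too because some redirectors take the target there.
    candidates = [v for _, v in parse_qsl(outer.query, keep_blank_values=True)]
    candidates += [outer.path, outer.fragment]
    found = []
    for value in candidates:
        for match in URL_RE.finditer(_fully_decode(value)):
            inner_host = (urlsplit(match.group(0)).hostname or "").lower()
            if inner_host and inner_host != outer_host:
                found.append(match.group(0))
    return found


def is_redirect_lure(url, trusted_hosts):
    """True when a host we trust is being used as a hop to somewhere else."""
    host = (urlsplit(url).hostname or "").lower()
    trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
    return trusted and bool(nested_urls(url))


# Constructed samples: a single-encoded lure, a double-encoded lure, a relative
# redirect (benign) and a same-host redirect (benign).
LURE = "https://legit.example.com/redirect?next=https%3A%2F%2Flure.example.invalid%2Flogin&x=1"
LURE_DOUBLE = "https://legit.example.com/r?u=https%253A%252F%252Flure.example.invalid%252F"
RELATIVE = "https://legit.example.com/redirect?next=/home"
SAME_HOST = "https://legit.example.com/redirect?next=https://legit.example.com/home"

if __name__ == "__main__":
    for u in (LURE, LURE_DOUBLE, RELATIVE, SAME_HOST):
        print(is_redirect_lure(u, {"example.com"}), nested_urls(u))
```

Because the check keys on structure rather than on a blocklist of known-bad destinations, it keeps working when the inner host rotates, which is exactly the property the FUD-link vendors described above are selling against.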
