New Phishing Attack Targets U.S. Companies, Uses Sophisticated Techniques
April 1, 2024
A recent email phishing attack targeting hundreds of U.S. employees deployed a nefarious spin-off of NetSupport Manager, a legitimate remote technical support tool, CSO writes in an article on its website.
The new campaign, called PhantomBlu, uses accounting lures to spread the remote access tool known as NetSupport RAT, according to the article, which cites researchers from security firm Perception Point.
“NetSupport RAT is a spin-off of the legitimate NetSupport Manager, a remote technical support app, exemplifying how powerful IT tools can be misappropriated into malicious software,” Perception Point researchers wrote in a report. “Once installed on a victim’s endpoint, NetSupport can monitor behavior, capture keystrokes (keylogger), transfer files, commandeer system resources, and move to other devices within the network — all under the guise of a benign remote support software.”
This isn’t the first use of the NetSupport RAT tool, but this campaign employs new tactics, techniques, and procedures that are a step up in sophistication from previous operations. The phishing emails, disguised as monthly salary reports, were sent to employees of U.S.-based companies and contained password-protected .docx documents. The emails were routed through a legitimate email marketing service called Brevo, allowing them to bypass spam filters.
Users were asked to input a password included in the email, but then they received a message saying that the contents couldn’t be displayed because the document was protected. Further prompts use a Microsoft feature that allows Office documents to embed references and links to external documents. The technique bypasses traditional security measures by placing the payload outside the document, and the payload is executed only through user interaction.
The Perception Point report contains MITRE TTPs and indicators of compromise — file hashes and URLs — that are associated with PhantomBlu. They can be used to create detection signatures.
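An added example, not taken from the CSO article or the Perception Point report: a triage check that lists the external references recorded in an Office document's relationship parts, the mechanism that lets content live outside the file. It assumes such links appear as `TargetMode="External"` relationships in the OOXML package; the function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound-file header
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
MAX_PART = 1_000_000  # skip oversized .rels parts (zip-bomb guard)

def external_references(data: bytes):
    """Return (status, [(part, kind, target)]) for raw Office document bytes."""
    if data.startswith(OLE_MAGIC):
        # Password-protected OOXML is stored inside an OLE container, so the
        # relationship parts are unreadable until the file is decrypted.
        return "encrypted-or-legacy", []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-ooxml", []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            raw = pkg.read(info)
            if b"<!DOCTYPE" in raw:  # OOXML parts never need a DTD
                continue
            for rel in ET.fromstring(raw).iter(REL):
                if rel.get("TargetMode") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((info.filename, kind, rel.get("Target")))
    return "scanned", found

def build_sample() -> bytes:
    """Constructed test document: one internal and one external relationship."""
    ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{ns}/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{ns}/oleObject" '
        'Target="https://example.invalid/linked-object" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    print(external_references(build_sample()))
    print(external_references(OLE_MAGIC + b"\0" * 504))
```

An `encrypted-or-legacy` result means the scan could not see inside the file; a password-protected attachment like the ones described above has to be decrypted in a sandbox before its relationships can be inspected.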