A recently identified phishing campaign, known as Operation PhantomBlu, has emerged as a significant threat to U.S. organizations. This sophisticated operation employs a novel approach to deploy the NetSupport RAT, a remote access trojan, by exploiting Microsoft Office’s Object Linking and Embedding (OLE) template manipulation. Led by the Israeli cybersecurity company Perception Point, researchers have highlighted the campaign’s nuanced tactics, indicating a departure from conventional methods associated with RAT deployments.
The attack begins with deceptive emails disguised as salary reports, urging recipients to open attached Microsoft Word documents. These documents, upon opening, prompt users to enter a provided password and enable editing, initiating a sequence that ultimately leads to the execution of the NetSupport RAT binary. By utilizing encrypted .docs and template injection, the PhantomBlu operation showcases a blend of advanced evasion tactics and social engineering, contributing to its effectiveness in circumventing detection measures.
This revelation coincides with a broader trend of cybercriminals exploiting public cloud services and Web 3.0 platforms for phishing activities. Threat actors increasingly leverage platforms like Dropbox, GitHub, and Oracle Cloud Storage to generate undetectable phishing URLs, available through underground vendors for a subscription fee. Moreover, tools like HeartSender facilitate the distribution of these URLs at scale, highlighting a concerning evolution in phishing-as-a-service and malware deployment strategies.
