
Threat actors are luring employees across organizations in the US with a phishing campaign dubbed “PhantomBlu,” which masquerades as a message from an accounting service.
The campaign marks a significant evolution in the tactics, techniques, and procedures (TTPs) used by cybercriminals, combining social engineering with advanced evasion techniques to deploy malicious code.
The attackers crafted email messages that appeared to originate from a legitimate accounting service and instructed recipients to download an attached Word document (.docx) purportedly containing their “monthly salary report.”
Upon downloading and opening the attachment, targets were prompted to enter the password supplied with the message and to enable editing in order to view their “salary graph.” Those two steps hand control to the malicious content, which abuses OLE (Object Linking and Embedding), a legitimate Windows feature, to execute malicious code discreetly. The password also matters for defenders: a password-protected Word file is stored encrypted, so a scanner that cannot supply the password sees only an opaque container rather than the document's contents.
The PhantomBlu campaign used OLE template manipulation, a form of template injection (MITRE ATT&CK T1221, under Defense Evasion). In template injection the document references a template at an external location that Word fetches when the file is opened, so the malicious content does not have to travel inside the attachment that the mail gateway inspects. This is the first recorded instance of the TTP being used to deliver the NetSupport RAT via email.
The campaign departs from the conventional TTPs associated with NetSupport RAT deployments, pairing social engineering with a layered evasion chain: defense evasion, obfuscation, and creation of new registry keys for persistence.
Indicators of Compromise (SHA-256 file hashes)
- 16e6dfd67d5049ffedb8c55bee6ad80fc0283757bc60d4f12c56675b1da5bf61
- 1abf56bc5fbf84805ed0fbf28e7f986c7bb2833972793252f3e358b13b638bb1
- 95898c9abce738ca53e44290f4d4aa4e8486398de3163e3482f510633d50ee6c
- d07323226c7be1a38ffd8716bc7d77bdb226b81fd6ccd493c55b2711014c0188
- 94499196a62341b4f1cd10f3e1ba6003d0c4db66c1eb0d1b7e66b7eb4f2b67b6
- 89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1
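As an added example (not code from the original article or from the researchers who reported the campaign), the following Python script shows the two checks a responder would run on an attachment from a lure like the one described above: hashing it against the indicators listed here, and statically inspecting the .docx package for the structural markers of OLE template manipulation, namely an attachedTemplate relationship whose target is external and embedded OLE objects under word/embeddings/. The sample documents it builds, the URL http://203.0.113.10/salary_report.dotm and the part names are constructed for the demonstration and are not indicators from the campaign. It also handles the password-protected case: an encrypted Word file is not a zip, so the inspector reports that and stops rather than silently returning a clean result.

```python
"""Triage a .docx for the PhantomBlu-style tradecraft described above.
Added example: sample documents and URLs are constructed, not campaign indicators.
Checks: SHA-256 against the published IOCs, and static inspection of the OOXML
package for an external attached template (the T1221 hook) and embedded OLE objects.
"""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# SHA-256 indicators listed in the article.
IOC_SHA256 = {
    "16e6dfd67d5049ffedb8c55bee6ad80fc0283757bc60d4f12c56675b1da5bf61",
    "1abf56bc5fbf84805ed0fbf28e7f986c7bb2833972793252f3e358b13b638bb1",
    "95898c9abce738ca53e44290f4d4aa4e8486398de3163e3482f510633d50ee6c",
    "d07323226c7be1a38ffd8716bc7d77bdb226b81fd6ccd493c55b2711014c0188",
    "94499196a62341b4f1cd10f3e1ba6003d0c4db66c1eb0d1b7e66b7eb4f2b67b6",
    "89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1",
}

# OOXML relationship namespace and the two relationship types of interest.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REL_ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
REL_OLE_OBJECT = OFFICE_REL + "oleObject"


def matches_ioc(data: bytes) -> bool:
    """True if the file's SHA-256 is one of the published indicators."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


def inspect_docx(data: bytes) -> dict:
    """Collect external attachedTemplate targets, oleObject relationships as
    (target, is_external) pairs, and word/embeddings/ part names from a .docx."""
    findings = {"remote_template": [], "ole_objects": [], "embeddings": [], "note": None}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        # A password-protected Word file is an encrypted CFB container, not a zip;
        # decrypt it with the password from the lure before running this check.
        findings["note"] = "not an OOXML zip (encrypted or legacy binary); decrypt first"
        return findings
    with zipfile.ZipFile(buf) as zf:
        for name in zf.namelist():
            if name.startswith("word/embeddings/"):
                findings["embeddings"].append(name)
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                external = rel.get("TargetMode") == "External"
                if rtype == REL_ATTACHED_TEMPLATE and external:
                    findings["remote_template"].append(target)
                elif rtype == REL_OLE_OBJECT:
                    findings["ole_objects"].append((target, external))
    return findings


def triage(data: bytes) -> dict:
    """Combine the hash match and the structural findings into one verdict."""
    f = inspect_docx(data)
    f["ioc_hash_match"] = matches_ioc(data)
    f["suspicious"] = bool(f["ioc_hash_match"] or f["remote_template"]
                           or f["ole_objects"] or f["embeddings"])
    return f


def _rels_xml(relationships) -> str:
    return (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
            + "".join(relationships) + "</Relationships>")


def build_sample_docx(remote_template=None, embed_ole=False) -> bytes:
    """Construct a minimal .docx package in memory (sample data, not a real lure)."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>',
    }
    settings_rels, document_rels = [], []
    if remote_template:
        settings_rels.append(f'<Relationship Id="rId1" Type="{REL_ATTACHED_TEMPLATE}" '
                             f'Target="{remote_template}" TargetMode="External"/>')
    if embed_ole:
        # CFB magic plus filler stands in for an embedded OLE object.
        parts["word/embeddings/oleObject1.bin"] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
        document_rels.append(f'<Relationship Id="rId2" Type="{REL_OLE_OBJECT}" '
                             'Target="embeddings/oleObject1.bin"/>')
    parts["word/_rels/settings.xml.rels"] = _rels_xml(settings_rels)
    parts["word/_rels/document.xml.rels"] = _rels_xml(document_rels)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return out.getvalue()


if __name__ == "__main__":
    # Constructed lure: remote template plus embedded OLE object (URL is an assumption).
    lure = build_sample_docx("http://203.0.113.10/salary_report.dotm", embed_ole=True)
    print("lure ", triage(lure))
    print("clean", triage(build_sample_docx()))
```

Run the file directly to see the verdict for the constructed lure and for a clean document. An embedded OLE object on its own is common in legitimate files (an embedded spreadsheet, for instance), so treat that finding as a prompt for review; an attachedTemplate relationship with an external target is rare in payroll-style documents and is the hook that template injection depends on, so it deserves immediate attention.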

