TLDR:
- A cyberattack campaign called “PhantomBlu” targeted employees in US-based organizations with phishing emails.
- The attackers used social engineering tactics and advanced evasion techniques to deploy malicious code by exploiting Microsoft Office templates.
In the PhantomBlu campaign, attackers sent phishing emails appearing to be from a legitimate accounting service, instructing recipients to download an attached Word document. The email contained detailed instructions for opening the document: recipients had to enter a password and then enable editing to view their “salary graph.” This step abused a legitimate Windows feature, Object Linking and Embedding (OLE), to execute malicious code discreetly.

The campaign used OLE template manipulation to deliver the NetSupport Remote Access Trojan (RAT) via email, keeping the payload outside the document itself in order to bypass security measures. When the recipient clicked an embedded printer icon in the document, a zip file containing an LNK file opened, which in turn launched a PowerShell dropper designed to retrieve and execute the NetSupport RAT. The RAT’s configuration files revealed its command and control servers, the campaign’s communication backbone.

The PhantomBlu campaign represents a notable blend of sophisticated evasion tactics and social engineering.
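As an added defender-side example (not code from the original report or from the campaign analysis), the script below triages a Word document the way a mail gateway or analyst might before it is ever opened: it flags password-protected (CFB-wrapped) files that cannot be inspected, lists embedded OLE objects under `word/embeddings/`, reads their `ProgID` from `document.xml`, and scans the raw object bytes for file names with extensions such as `.zip` or `.lnk`. The sample document is constructed inline, and the extension scan is a heuristic for Packager (`Ole10Native`) objects, which store the embedded file name as plain ASCII.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

OLE_NS = "urn:schemas-microsoft-com:office:office"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header
# Heuristic: ASCII file names with extensions commonly used for embedded droppers.
SUSPICIOUS_EXT = re.compile(rb"[\w\- ]{1,64}\.(lnk|zip|exe|ps1|js|vbs|hta)\b", re.I)


def triage_docx(data: bytes) -> dict:
    """Summarise embedded OLE objects in a .docx without opening it in Office."""
    if data.startswith(CFB_MAGIC):
        # Password-protected OOXML is wrapped in a CFB container and cannot be
        # inspected without the password; report that as a finding in itself.
        return {"encrypted": True, "embeddings": [], "progids": [], "names": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        embeddings = [n for n in members if n.startswith("word/embeddings/")]
        progids = []
        if "word/document.xml" in members:
            root = ET.fromstring(zf.read("word/document.xml"))
            for el in root.iter(f"{{{OLE_NS}}}OLEObject"):
                progids.append(el.get("ProgID", ""))
        names = []
        for n in embeddings:
            for m in SUSPICIOUS_EXT.finditer(zf.read(n)):
                s = m.group(0).decode("ascii", "replace")
                if s not in names:
                    names.append(s)
    return {"encrypted": False, "embeddings": embeddings, "progids": progids, "names": names}


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx carrying one Packager object shown as an icon."""
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:o="urn:schemas-microsoft-com:office:office"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package"'
        ' DrawAspect="Icon" ObjectID="_1" r:id="rId5"/></w:object></w:r></w:p></w:body></w:document>'
    )
    # Constructed stand-in for an Ole10Native stream: label and path are ASCII, NUL-terminated.
    ole_bin = b"\x00" * 8 + b"salary_graph.zip\x00C:\\Users\\x\\salary_graph.zip\x00" + b"PK\x03\x04"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/embeddings/oleObject1.bin", ole_bin)
    return buf.getvalue()
```

A hit on `ProgID="Package"` plus an archive or shortcut file name inside the object is the combination worth quarantining, independent of whatever the visible icon claims to be.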