Operation PhantomBlu: Attackers Utilising Weaponized MS Office Doc to Hack Windows

Researchers from Perception Point identified a new malware campaign, PhantomBlu, targeting US organizations that use novel techniques to deploy NetSupport RAT, a remote access trojan, by exploiting legitimate features of Microsoft Office document templates via OLE manipulation. 

It allows the attackers to evade detection and gain control of victim machines for various malicious activities, including keylogging, file transfer, and lateral movement within the network. 

Threat actors sent phishing emails with fake monthly salary reports to entice workers into downloading malicious DOCX files that leveraged a legitimate email delivery platform to bypass detection. 

Upon opening the DOCX file, users were instructed to enable editing and click an embedded OLE object disguised as a printer icon. 

 Targets are prompted to enter the password “1” and to click “Enable Editing.” 

Clicking the icon triggered OLE template manipulation (T1221) to download an archive containing a malicious LNK file, which is the first observed instance of T1221 being used to deliver NetSupport RAT. 

Dissecting the Malware: From Lure to Control

Forensic analysis of a LNK file revealed a PowerShell dropper fetching a heavily obfuscated script from a URL, which retrieved another URL, downloaded a ZIP file, and unpacked it to execute the NetSupport RAT. 

Examining the link’s code

The script also created a persistence mechanism by adding a registry key for autostart, investigated bypassed user-agent gating on the secondary URL and confirmed the script’s functionality. 

Obfuscated PowerShell extracted from the URL

The downloaded ZIP contained another PowerShell script that ultimately dropped and executed NetSupport RAT (Client32.exe), revealing its C2 server infrastructure.  

the NetSupport RAT’s C2 servers

According to Perception Point, PhantomBlu delivers NetSupport RAT using a novel method. Encrypted .docs files act as carriers, exploiting OLE template injection (T1221) to deliver the payload. 

PhantomBlu “Attack Tree” unpacked by Perception Point’s advanced detection engines

It bypasses traditional security by hiding the malicious code within the template, requiring user interaction for execution, which marks a shift from past NetSupport RAT campaigns, which relied on basic phishing tactics and executable files. 

The URLs include parameters, some reference “.txt” files and also email message details, mentioning “sendinblue.com” and “sender-sib.com” in the message ID and return path, respectively.

The provided information appears to be Indicators of Compromise (IOCs) related to a potential malware campaign, including hashes for various file types (DOCX, ZIP, LNK, and EXE) listed alongside suspicious URLs, hostnames, and IP addresses. 

Document

Incorporate ANY.RUN into your company for fast and simple malware analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

Get a personalized demo of ANY.RUN for your security team:

IOCs

Hashes (SHA-256)

Email – 16e6dfd67d5049ffedb8c55bee6ad80fc0283757bc60d4f12c56675b1da5bf61

Docx – 1abf56bc5fbf84805ed0fbf28e7f986c7bb2833972793252f3e358b13b638bb1

Injected ZIP – 95898c9abce738ca53e44290f4d4aa4e8486398de3163e3482f510633d50ee6c

LNK file – d07323226c7be1a38ffd8716bc7d77bdb226b81fd6ccd493c55b2711014c0188

Final ZIP – 94499196a62341b4f1cd10f3e1ba6003d0c4db66c1eb0d1b7e66b7eb4f2b67b6

Client32.exe – 89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1

URLs and Hostnames

yourownmart[.]com/solar[.]txt

firstieragency[.]com/depbrndksokkkdkxoqnazneifidmyyjdpji[.]txt

yourownmart[.]com

firstieragency[.]com

parabmasale[.]com

tapouttv28[.]com

IP Addresses

192[.]236[.]192[.]48

173[.]252[.]167[.]50

199[.]188[.]205[.]15

46[.]105[.]141[.]54

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.