Another Microsoft vulnerability is being used to spread malware

News
By Sead Fadilpašić
published

Hackers were observed abusing Object Linking and Embedding to drop remote access trojans

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

Hackers are using a novel phishing technique to deliver remote access trojans (RAT) to unsuspecting victims, experts have warned.

This is according to cybersecurity experts Perception Point, who recently detailed a campaign they dubbed Operation PhantomBlu using a technique called Object Linking and Embedding (OLE).

This is a Windows feature that allows users to embed and link documents within documents, resulting in compound files with elements from different programs.

New phishing methods

The campaign starts with the usual phishing email, seemingly coming from the victim’s company accounting department. The emails are being sent from a legitimate marketing platform called Brevo, suggesting the platform was most likely compromised in some way.

Attached with the email is a Word “monthly salary report” document. The victims that download the file are first asked to enter a password to open it, and then double-click a printer icon embedded in the doc.

By doing that, the victim runs a ZIP archive file holding a Windows shortcut file, which runs a PowerShell dropper which deploys the NetSupport RAT from a remote server.

"By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments," said Ariel Davidpur, the report’s author, adding the updated technique "showcases PhantomBlu's innovation in blending sophisticated evasion tactics with social engineering."

NetSupport RAT is a weaponized version of NetSupport Manager, a legitimate remote control software, first released in 1989. For years now, NetSupport RAT was one of the most commonly used remote access trojans, allowing attackers unabated access to compromised devices. They can then use that access to deploy even more dangerous malware, including infostealers and ransomware.

The best way to protect against these attacks is to be vigilant when receiving emails and only downloading attachments from verified sources.

Via TheHackerNews

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.