Sunday, May 19, 2024

Hackers Exploiting Microsoft Office Templates to Execute Malicious Code

In a cyberattack campaign dubbed “PhantomBlu,” hundreds of employees across various US-based organizations were targeted with phishing emails masquerading as messages from an accounting service.

This campaign represents a significant evolution in the tactics, techniques, and procedures (TTPs) employed by cybercriminals.

They are leveraging social engineering and advanced evasion techniques to deploy malicious code.

The Ingenious Lure: Monthly Salary Reports

The attackers meticulously crafted email messages that appeared to originate from a legitimate accounting service.

They instructed recipients to download an attached Office Word document (.docx) purportedly containing their “monthly salary report.”


Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

The emails included detailed instructions for accessing the password-protected document, exploiting human curiosity and trust to initiate the attack chain.

Email Prompt
Email Prompt

Upon downloading and opening the attached file, targets were prompted to enter a provided password and enable editing to view their “salary graph.”

This step cleverly exploited a legitimate Windows feature, OLE (Object Linking and Embedding), to execute malicious code discreetly.

Password Prompt
Password Prompt

Decoding PhantomBlu: Advanced Evasion in Action

The PhantomBlu campaign utilized a technique known as OLE template manipulation (Defense Evasion – T1221), marking the first recorded instance of this TTP being used to deliver the NetSupport RAT (Remote Access Trojan) via email.

This method exploits document templates to execute malicious code without detection, bypassing traditional security measures by hiding the payload outside the document, which only executes upon user interaction.

Malicious OLE Package

Perception Point security researchers have recently identified a newly surfaced campaign targeting US-based organizations.

Dubbed “PhantomBlu,” the emerging malware campaign employs new TTPs and behaviors to evade detection and deploy the notorious NetSupport RAT. 

Upon clicking the embedded printer icon in the document, an archive .zip file containing an LNK file was opened, leading to the next phase of the attack.

ZIP Containing LNK File
ZIP Containing LNK File

Dissecting the Malware: From Lure to Control

A forensic analysis of the LNK file revealed it as a PowerShell dropper designed to retrieve and execute a script from a specified URL.

The script was heavily obfuscated to conceal its true intentions, which included downloading a secondary ZIP file, unpacking it, and executing the NetSupport RAT.

Examining the LNK File's Code
Examining the LNK File’s Code

The de-obfuscation of the PowerShell script provided insights into the malware’s operations, including creating a new registry key to ensure the malware’s persistence on the victim’s machine.

De-obfuscated PowerShell Script
De-obfuscated PowerShell Script

Further investigation into the secondary URL used by the attackers revealed a user-agent gated payload delivery, which was bypassed to obtain the payload, mirroring the attackers’ approach.

Retrieving the Hidden Content
Retrieving the Hidden Content

The secondary PowerShell script’s execution resulted in the deployment of the NetSupport RAT.

Its configuration files revealed the command and control (C2) servers, highlighting PhantomBlu’s communication backbone and operational directives.

NetSupport RAT's C2 Servers
NetSupport RAT’s C2 Servers

Beyond Evasion: Unraveling PhantomBlu’s Stealth

The PhantomBlu campaign represents a departure from conventional TTPs associated with NetSupport RAT deployments, blending sophisticated evasion tactics with social engineering.

Perception Point’s proprietary anti-evasion model, the Recursive Unpacker, played a crucial role in deconstructing the multi-layered obfuscation and evasion techniques employed by the PhantomBlu threat actors.

PhantomBlu Attack Tree
PhantomBlu Attack Tree


Email 16e6dfd67d5049ffedb8c55bee6ad80fc0283757bc60d4f12c56675b1da5bf61
Injected ZIP95898c9abce738ca53e44290f4d4aa4e8486398de3163e3482f510633d50ee6c
LNK Filed07323226c7be1a38ffd8716bc7d77bdb226b81fd6ccd493c55b2711014c0188
Final ZIP 94499196a62341b4f1cd10f3e1ba6003d0c4db66c1eb0d1b7e66b7eb4f2b67b6

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Hackers Exploiting Docusign With Phishing Attack To Steal Credentials

Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make...

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles