March 19, 2024 at 02:15AM
A new phishing campaign dubbed Operation PhantomBlu is using a sophisticated technique to deploy NetSupport RAT, targeting U.S. organizations with salary-themed phishing emails and exploiting Microsoft Office document templates. Additionally, threat actors are increasingly abusing public cloud services and data-hosting platforms to generate undetectable phishing URLs, which are sold on underground platforms.
Key Takeaways from the Meeting Notes:
1. A new phishing campaign is targeting U.S. organizations with the intent to deploy a remote access trojan called NetSupport RAT. The campaign, known as Operation PhantomBlu, utilizes sophisticated social engineering techniques to evade detection and deliver the malware.
2. The attackers use a legitimate email marketing platform called Brevo (formerly Sendinblue) to send salary-themed phishing emails. The emails contain malicious Microsoft Word documents with a payload designed to drop and execute the NetSupport RAT binary from a remote server.
3. Threat actors are increasingly abusing public cloud services and Web 3.0 data-hosting platforms to generate fully undetectable phishing URLs using phishing kits. These “FUD” links are offered on Telegram by underground vendors for prices starting at $200 per month as part of a subscription model.
4. Tools like HeartSender make it possible to distribute the generated FUD links at scale, and attackers are repurposing high-reputation infrastructure for malicious use cases.
5. Malicious campaigns are leveraging techniques such as domain-nesting to make the malicious URLs less noticeable and more likely to entrap victims.
Overall, the meeting notes highlighted the evolving and sophisticated nature of cyber threats, emphasizing the importance of staying vigilant and adopting robust security measures to protect against social engineering and phishing attacks.