PhantomBlu: Fake Accountants Target US Organizations

Israeli cybersecurity company Perception Point has uncovered details of a new phishing campaign targeting American organizations. The campaign, known as Operation New-New-And, aims to plant a remote access trojan called NetSupport RAT in a scheme referred to as PhantomBlu.

What sets this operation apart is the hackers’ manipulation of Microsoft Office documents, allowing them to execute malicious code while evading detection.

NetSupport RAT is a malicious variant of the legitimate remote desktop tool NetSupport Manager, enabling attackers to harvest sensitive data from infected devices.

The phishing attack commences with a deceptive email purporting to be from the accounting department, discussing salary matters. Recipients are instructed to open a Word document attached to the email to view a purported “monthly salary report.”

The document contains instructions to enter a password given in the email body, enable editing mode, and click twice on a printer icon to view the salary schedule. Clicking the printer icon opens a ZIP archive containing a malicious payload. Executing this payload ultimately results in the download and installation of NetSupport RAT on the target device.
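For mail-gateway or analyst triage of the lure described above, the following added example (not code from Perception Point's report) lists objects embedded in or linked from a Word attachment. It assumes the clickable icon is stored as an embedded object in the document package; `triage_attachment` and `build_sample` are hypothetical names, and the sample documents are constructed in memory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OLE2/CFB header: legacy .doc files and password-encrypted OOXML both start with it.
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def triage_attachment(data: bytes) -> dict:
    """Report embedded or externally linked objects in a Word attachment."""
    if data.startswith(CFB_MAGIC):
        # Parts cannot be listed without the password; route to a sandbox instead.
        return {"verdict": "opaque-container", "embedded": [], "external": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"verdict": "not-ooxml", "embedded": [], "external": []}
    embedded, external = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/embeddings/"):
                embedded.append(name)
            if name.endswith(".rels"):
                # Demo parser; use a hardened one (e.g. defusedxml) on untrusted mail.
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    is_ole = rel.get("Type", "").endswith(("/oleObject", "/package"))
                    if is_ole and rel.get("TargetMode") == "External":
                        external.append(rel.get("Target"))
    verdict = "review" if embedded or external else "no-objects"
    return {"verdict": verdict, "embedded": sorted(embedded), "external": external}

def build_sample(with_object: bool) -> bytes:
    """Constructed minimal .docx-like ZIP for the demo (not a real sample)."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
            '2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_object:
            zf.writestr("word/_rels/document.xml.rels", rels)
            zf.writestr("word/embeddings/oleObject1.bin", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in [("clean", build_sample(False)), ("lure-like", build_sample(True)),
                        ("encrypted", CFB_MAGIC + b"\x00" * 8)]:
        print(label, triage_attachment(blob))
```

A password-protected attachment returns `opaque-container`, which is itself worth treating as a signal when the password is supplied in the email body.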

Researchers also highlight the increasing misuse of cloud platforms and popular content delivery networks (CDNs) to deploy highly deceptive phishing links. Cybercriminals often use phishing kits available for purchase on Telegram for $200 per month, which offer sophisticated anonymity and evasion of bot detection mechanisms.

These advancements in phishing tactics underscore the ever-evolving landscape of cyber threats, as attackers continually adapt their malicious infrastructure to outsmart existing security measures and enhance the effectiveness of their campaigns.
