According to a report from Perception Point, intrusions begin with salary-themed phishing emails carrying a Microsoft Word attachment. When opened, the document asks for a password to allow editing, as well as a double-click, which then triggers a ZIP archive file containing a Windows shortcut file that leads to the retrieval and execution of NetSupport RAT. “By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments,”
Source: SC Magazine