June 24, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have brought to light a new phishing campaign that targets individuals in Pakistan using a customized backdoor. The operation, dubbed PHANTOM#SPIKE, is being carried out by unknown threat actors who use military-themed phishing documents to start the infection chain.
Although there are numerous ways to distribute malware these days, the threat actors used ZIP files containing a password-protected payload archive. According to the researchers, the campaign stands out for its simplicity and its use of straightforward payloads to gain remote access to target computers. The emails include a ZIP file that purports to be meeting minutes for the International Military-Technical Forum Army 2024, a real event run by the Russian Federation's Ministry of Defense and scheduled for mid-August 2024 in Moscow.
The ZIP file contains two files: a Microsoft Compiled HTML Help (CHM) file and a hidden executable named "RuntimeIndexer.exe". The CHM file opens to display the meeting minutes and a few images, but when the user clicks anywhere on the document, the bundled binary is silently launched. The executable serves as a backdoor that connects to a remote server over TCP to retrieve commands, which are then executed on the compromised host.
It transmits system information and also runs the received commands via cmd.exe, collects the output, and returns it to the server. Observed activity includes using curl to query ip-api[.]com for the public IP address, running systeminfo and tasklist, and using schtasks to set up persistence, among other operations. Acting as a command-line-based remote access trojan (RAT), the backdoor gives the attacker persistent, discreet, and secure access to the compromised system.
With the ability to remotely execute commands and send the results back to the C2 server, an attacker can take control of an infected system, steal confidential data, or deploy additional malware payloads. Like many previous campaigns, PHANTOM#SPIKE starts with a message containing enticing lures to download the malware. Constant caution and vigilance toward the typical strategies threat actors employ in unsolicited messages and phishing emails remain imperative.
Impact
- Unauthorized Access
- Sensitive Data Theft
- Data Exfiltration
- Command Execution
Indicators of Compromise
IP
- 162.252.172.67
MD5
- 47a77c47218c352ebcc0f1aced1e60e6
- 4b76ce629a1ae8ee2c05443bf1c89732
- 14b7b631cf1a9e7ca15eb1f8cdde5d54
- 68d458d1df36eaf885116a1b6801ab42
- ee64e70388e422dd9a620c3d18613268
SHA-256
- a4e892ac0e83af56a4023c74ec252c3a4e2338f4e6ed6b575e76ee28ad31ed42
- f4863baa692b6e9277cdfc1108273d109e08667d0e273313ec7184acef6ffe4e
- 2609900881eed50feda545be70de045fd9012c7b4895a3506e767d4df695a68c
- ae2649ec385e8fc01585cc08040460b9c086e1e70d23cef373fb3ff4556c0e95
- 8ec0e528de50cdd232294480999a9730944aa218fbc12ad24228e078b845cb5c
SHA-1
- 8702973b269444ea2f29bd193c614d0d2d08d301
- 5d6eb0b165d9404e40ee011885c1ebae7f4f443f
- 57a8f16b357c42be48275f1b68567973591b0fdd
- a1ac38d5bf93105b419fab226ed796faf4fab4ba
- 291f649bf5bd36ce3c8f275852003a31f9ec478e
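The following is an added hunting example, not code from the advisory or from the researchers who reported the campaign. It takes the hashes and C2 IP from the IoC list above together with the behaviours described in the analysis summary (a CHM file launching a hidden executable, curl to ip-api[.]com, systeminfo/tasklist reconnaissance through cmd.exe, and schtasks for persistence) and checks them against a handful of constructed process and network telemetry records. The simplified Sysmon-like event layout, the use of hh.exe as the CHM host process, and every file path, task name and benign hash in the sample data are assumptions of this example; only the IoC values come from the advisory.

```python
"""Hunt constructed process/network telemetry for the PHANTOM#SPIKE indicators
and behaviours described in this advisory. Added example code, not part of
the original advisory; the event layout is a simplified Sysmon-like format
that this example assumes."""
import ntpath
import re

# Network and file-hash IoCs copied verbatim from the advisory's IoC list.
IOC_IP = {"162.252.172.67"}
IOC_HASHES = {
    "md5": {
        "47a77c47218c352ebcc0f1aced1e60e6", "4b76ce629a1ae8ee2c05443bf1c89732",
        "14b7b631cf1a9e7ca15eb1f8cdde5d54", "68d458d1df36eaf885116a1b6801ab42",
        "ee64e70388e422dd9a620c3d18613268",
    },
    "sha1": {
        "8702973b269444ea2f29bd193c614d0d2d08d301", "5d6eb0b165d9404e40ee011885c1ebae7f4f443f",
        "57a8f16b357c42be48275f1b68567973591b0fdd", "a1ac38d5bf93105b419fab226ed796faf4fab4ba",
        "291f649bf5bd36ce3c8f275852003a31f9ec478e",
    },
    "sha256": {
        "a4e892ac0e83af56a4023c74ec252c3a4e2338f4e6ed6b575e76ee28ad31ed42",
        "f4863baa692b6e9277cdfc1108273d109e08667d0e273313ec7184acef6ffe4e",
        "2609900881eed50feda545be70de045fd9012c7b4895a3506e767d4df695a68c",
        "ae2649ec385e8fc01585cc08040460b9c086e1e70d23cef373fb3ff4556c0e95",
        "8ec0e528de50cdd232294480999a9730944aa218fbc12ad24228e078b845cb5c",
    },
}


def _base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def _cmd(event):
    return event.get("cmdline", "").lower()


# Behavioural checks derived from the analysis summary. hh.exe as the CHM host
# process is an assumption of this example; the advisory does not name it.
BEHAVIOURS = {
    "chm_host_spawned_exe": lambda e: _base(e.get("parent_image", "")) == "hh.exe"
    and _base(e.get("image", "")).endswith(".exe"),
    "curl_public_ip_lookup": lambda e: "curl" in _cmd(e) and "ip-api.com" in _cmd(e),
    "schtasks_create": lambda e: re.search(r"\bschtasks(\.exe)?\b.*\s/create\b", _cmd(e)) is not None,
    "recon_via_cmd": lambda e: _base(e.get("image", "")) == "cmd.exe"
    and any(tool in _cmd(e) for tool in ("systeminfo", "tasklist")),
}


def match_hashes(event):
    """Return (algorithm, digest) pairs for any file hash on the event that is a known IoC."""
    hits = []
    for algo, digests in IOC_HASHES.items():
        digest = event.get("hashes", {}).get(algo, "").lower()
        if digest and digest in digests:
            hits.append((algo, digest))
    return hits


def match_behaviours(event):
    """Names of the behavioural checks an event satisfies, in definition order."""
    return [name for name, check in BEHAVIOURS.items() if check(event)]


def hunt(events):
    """Run IP, hash and behaviour checks over a list of events; one finding per flagged event."""
    findings = []
    for index, event in enumerate(events):
        reasons = []
        if event.get("type") == "network" and event.get("dst_ip") in IOC_IP:
            reasons.append(f"c2_ip:{event['dst_ip']}")
        reasons += [f"hash:{algo}" for algo, _ in match_hashes(event)]
        reasons += match_behaviours(event)
        if reasons:
            findings.append({"index": index, "image": _base(event.get("image", "")), "reasons": reasons})
    return findings


# Constructed sample telemetry (paths, task name and the all-zero benign hash are made up).
SAMPLE_EVENTS = [
    # Benign on its own: the user opens the decoy CHM in the help viewer.
    {"type": "process", "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\minutes.chm', "hashes": {"md5": "0" * 32}},
    # The hidden executable launched from the CHM; its MD5 is the first hash in the advisory.
    {"type": "process", "image": r"C:\Users\u\Downloads\RuntimeIndexer.exe", "parent_image": r"C:\Windows\hh.exe",
     "cmdline": r"C:\Users\u\Downloads\RuntimeIndexer.exe", "hashes": {"md5": "47a77c47218c352ebcc0f1aced1e60e6"}},
    # Reconnaissance and persistence run through cmd.exe by the backdoor.
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\u\Downloads\RuntimeIndexer.exe",
     "cmdline": "cmd.exe /c curl ip-api.com", "hashes": {}},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\u\Downloads\RuntimeIndexer.exe",
     "cmdline": "cmd.exe /c systeminfo && tasklist", "hashes": {}},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\u\Downloads\RuntimeIndexer.exe",
     "cmdline": "cmd.exe /c schtasks /create /tn PLACEHOLDER_TASK /tr RuntimeIndexer.exe /sc onlogon", "hashes": {}},
    # Outbound TCP connection to the C2 address listed in the advisory.
    {"type": "network", "image": r"C:\Users\u\Downloads\RuntimeIndexer.exe", "dst_ip": "162.252.172.67"},
    # Unrelated benign process that should produce no finding.
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe", "hashes": {"md5": "0" * 32}},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Hash and IP matches are exact and should be treated as high-confidence hits; the behavioural checks are weaker individually (help-viewer child processes and schtasks usage both occur legitimately) and are most useful when several of them chain from the same parent process, as they do in the sample above.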
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.