Military-themed Email Scam Spreads Malware to Infect Pakistani Users

Jun 21, 2024 | Newsroom | Phishing Attack / Email Security

Cybersecurity researchers have shed light on a new phishing campaign that has been identified as targeting people in Pakistan using a custom backdoor.

Dubbed PHANTOM#SPIKE by Securonix, the unknown threat actors behind the activity have leveraged military-related phishing documents to trigger the infection sequence.

“While there are many methods used today to deploy malware, the threat actors made use of ZIP files with a password-protected payload archive contained within,” researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

The campaign is notable for its lack of sophistication and its use of simple payloads to achieve remote access to target machines.


The email messages come bearing a ZIP archive that purports to be meeting minutes related to the International Military-Technical Forum Army 2024, a legitimate event organized by the Ministry of Defense of the Russian Federation. It is set to be held in Moscow in mid-August 2024.

Present within the ZIP file are a Microsoft Compiled HTML Help (CHM) file and a hidden executable (“RuntimeIndexer.exe”). The CHM file, when opened, displays the meeting minutes along with a couple of images, but stealthily runs the bundled binary as soon as the user clicks anywhere on the document.

The executable is designed to function as a backdoor that establishes connections with a remote server over TCP in order to retrieve commands that are subsequently run on the compromised host.

PHANTOM#SPIKE Malware

In addition to passing along system information, it executes the commands via cmd.exe, gathers the output of the operation, and exfiltrates it back to the server. This includes running commands like systeminfo, tasklist, curl to extract the public IP address using ip-api[.]com, and schtasks to set up persistence.
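The two behaviours described above, a CHM viewer launching a hidden executable and that executable driving reconnaissance and persistence through cmd.exe, can be combined into a process-tree detection. The following Python is an added example, not Securonix's detection content or the page's own code; it runs over constructed Sysmon-style process-creation records, and every path, pid and command line in the sample is made up.

```python
"""Process-tree heuristics for the PHANTOM#SPIKE chain: hh.exe (the CHM viewer)
spawning an executable, and that executable's cmd.exe children running the
recon/persistence commands named in the report."""
import re

# Constructed sample of Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 900, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\Army2024\minutes.chm'},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Users\u\Downloads\Army2024\RuntimeIndexer.exe",
     "cmdline": r"RuntimeIndexer.exe"},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c systeminfo"},
    {"pid": 1004, "ppid": 1002, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl http://ip-api.com/json"},
    {"pid": 1005, "ppid": 1002, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c schtasks /create /tn Updater /sc onlogon /tr RuntimeIndexer.exe"},
    # Benign: an admin shell runs systeminfo once, with no CHM in its ancestry.
    {"pid": 2001, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c systeminfo"},
]

# Command-line patterns corresponding to the behaviours the report attributes to the backdoor.
RECON_PATTERNS = {
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "tasklist": re.compile(r"\btasklist\b", re.I),
    "curl_ip_api": re.compile(r"\bcurl\b.*ip-api\.com", re.I),
    "schtasks_create": re.compile(r"\bschtasks\b.*/create", re.I),
}

def chm_spawned_executables(events):
    """Return every process whose parent is hh.exe: a CHM file should render, not launch binaries."""
    hh_pids = {e["pid"] for e in events if e["image"].lower().endswith(r"\hh.exe")}
    return [e for e in events if e["ppid"] in hh_pids]

def suspicious_cmd_children(events, min_hits=2):
    """Map parent pid -> sorted list of distinct recon/persistence patterns seen in its
    cmd.exe children; a single hit (e.g. one systeminfo) is too common to alert on."""
    by_parent = {}
    for e in events:
        if not e["image"].lower().endswith(r"\cmd.exe"):
            continue
        for name, pat in RECON_PATTERNS.items():
            if pat.search(e["cmdline"]):
                by_parent.setdefault(e["ppid"], set()).add(name)
    return {ppid: sorted(n) for ppid, n in by_parent.items() if len(n) >= min_hits}

def phantom_spike_alerts(events):
    """Highest-confidence alert: a CHM-spawned process that then drives recon via cmd.exe."""
    spawned = {e["pid"] for e in chm_spawned_executables(events)}
    return sorted(pid for pid in suspicious_cmd_children(events) if pid in spawned)
```

In a real pipeline the two weaker signals (hh.exe child processes, and repeated recon via cmd.exe) are worth surfacing on their own at lower severity, since either one alone already departs from how a help file or an interactive shell normally behaves.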

“This backdoor essentially functions as a command line-based remote access trojan (RAT) that provides the attacker with persistent, covert, and secure access to the infected system,” the researchers said.

“The ability to execute commands remotely and relay the results back to the C2 server allows the attacker to control the infected system, steal sensitive information or execute additional malware payloads.”
