Attackers disguise malicious files as legitimate contracts.
On September 5, 2024, specialists from the F.A.C.C.T. research group recorded a series of new phishing mailings organized by the PhantomCore cyberespionage group. The targets of the attacks were several Russian organizations, including:
- a Russian IT company that develops software and online cash registers;
- a company that organizes business trips;
- a design bureau;
- a manufacturer of systems and high-tech equipment for wireless communications.
New phishing emails
One example of these phishing attacks was an email sent from the likely compromised address of a company engaged in the construction and automation of electric power and transport facilities. The subject line read "Contract for the supply of obr No00694723 dated 09/04/2024". The email carried an attachment: a password-protected archive with the same name. This attachment format is often used by cybercriminals to disguise malware as important documents such as contracts or invoices. (Image: an example of the email's contents.)
The archive contained two files: an executable and a legitimate lure PDF document with the same name. Notably, the attackers used a more complex archive password than in previous attacks.
Attackers continue to exploit the CVE-2023-38831 vulnerability, which allows an executable file to run when a user opens a PDF document. The vulnerability affects WinRAR versions earlier than 6.23.
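As an added defender-side example (not part of the F.A.C.C.T. report or this post), the following Python triage check flags archive listings that match the two layouts relevant here: an executable beside a lure document with the same base name, and the directory-name collision that WinRAR before 6.23 mishandles (the publicly documented CVE-2023-38831 layout, which the post itself does not describe). All filenames and sample archives are constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed extension sets: payload types on the left, lure document types on the right.
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".lnk", ".msi"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def triage_listing(names):
    """Inspect archive entry paths and return (pattern, document, executable) findings.

    Pattern 1: an executable next to a document with the same base name
               (the lure described above: <name>.exe beside <name>.pdf).
    Pattern 2: a directory whose name, ignoring trailing spaces, equals a document's
               full filename and which holds an executable or script; WinRAR < 6.23
               runs that file when the document is opened (CVE-2023-38831 layout,
               per public advisories, not the post).
    """
    files = [n for n in names if not n.endswith("/")]
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    for n in files:  # also infer directories that have no explicit entry
        parts = PurePosixPath(n).parts
        dirs.update("/".join(parts[:i]) for i in range(1, len(parts)))
    docs = [PurePosixPath(n) for n in files if PurePosixPath(n).suffix.lower() in DOC_EXT]
    execs = [PurePosixPath(n) for n in files if PurePosixPath(n).suffix.lower() in EXEC_EXT]
    findings = []
    for d in docs:
        for e in execs:
            if e.parent == d.parent and e.stem.lower() == d.stem.lower():
                findings.append(("same-name-exec-and-doc", str(d), str(e)))
        for dirname in dirs:
            dp = PurePosixPath(dirname)
            if dp.parent == d.parent and dp.name.rstrip() == d.name:
                inner = [str(e) for e in execs if e.parent == dp]
                if inner:
                    findings.append(("cve-2023-38831-layout", str(d), inner[0]))
    return findings


def triage_zip_bytes(data):
    """Run the same check over a real ZIP; a RAR listing needs a RAR parser (not stdlib)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return triage_listing(zf.namelist())


def build_zip(entries):
    """Construct an in-memory ZIP from {path: content}; used only to build sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples: the lure layout from the post, the CVE-2023-38831 layout, a clean archive.
LURE_ZIP = build_zip({"Contract_supply.exe": b"MZ...", "Contract_supply.pdf": b"%PDF-1.4 decoy"})
CVE_ZIP = build_zip({"Invoice.pdf": b"%PDF-1.4", "Invoice.pdf /Invoice.pdf .cmd": b"@echo off"})
CLEAN_ZIP = build_zip({"report.pdf": b"%PDF-1.4", "notes.txt": b"hello"})
```

The listing-based function can be fed the entry names from any archive tool's output, so a mail gateway can apply it to RAR attachments as well.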
Malware PhantomCore.KscDL_trim
The executable file contained in the archive is a malicious program classified as PhantomCore.KscDL_trim. It is a lightweight version of the PhantomCore.KscDL loader, written in C++ and packed with UPX. The malware communicates with its C2 server over HTTP at 185[.]130[.]251[.]55:80.
PhantomCore.KscDL_trim has the following features:
- downloading and running files from the C2 server;
- executing arbitrary commands through the Windows command interpreter;
- polling the C2 server in a loop for new commands.
When first launched, the program collects information about the victim's system, including the domain name, IP address, operating system version, and username. This information is sent to the server in a POST request, after which the victim's system starts receiving commands to execute. (Image: an example of the sequence of commands used to profile a victim.)
The downloader's commands allow the attackers to download files to the infected system, execute commands on the Windows command line, and run files on the victim's device. After each command is executed, the results are sent back to the C2 server.
Source