Carding Forum
Earlier this month, Kaspersky Lab security solutions repelled two waves of malicious mailings to Russian organizations – government agencies, manufacturing companies, financial institutions, and energy companies.
In total, the experts counted about 1,000 recipient addresses. The analysis showed that when a malicious attachment is opened or an inserted link is activated, the PhantomDL malware written in Go is downloaded into the system (Kaspersky products detect it with the verdict Backdoor.Win64.PhantomDL).
The fake messages were written on behalf of the target organization's counterparty and imitated ongoing correspondence. The researchers suggested that the senders' mailboxes could have been hacked and the letters stolen to make such fakes appear more credible.
The embedded or referenced RAR archive was in most cases password protected. It contained a decoy document and a folder of the same name containing a file with a double extension, for example Invoice.pdf .exe.
The latter exploits CVE-2023-38831 (the developer of WinRAR patched it in August last year). Once the exploit fires, PhantomDL is installed on the system; it is used to steal files and to download and run additional utilities, including a remote administration tool.
According to experts, this spring, the authors of attacks in Russia distributed DarkWatchman RAT through similar mailings.
Source
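As an added example (not Kaspersky's code or anything from the original post), the following Python scans an archive's entry list for the layout described above: a decoy document, a directory with the same name, and inside it a double-extension file such as Invoice.pdf .exe. It assumes you already have the entry names (for example from rarfile.RarFile.namelist() or zipfile.ZipFile.namelist()); the sample entries below are constructed.

```python
"""Heuristic scan of an archive's entry list for the decoy / same-named
directory / double-extension layout associated with CVE-2023-38831.
Works on a plain list of entry names; sample entries are constructed."""
import re

DOC_EXTS = r"(?:pdf|docx?|xlsx?|rtf|jpe?g|png|txt)"
EXEC_EXTS = r"(?:exe|cmd|bat|scr|com|vbs|js|ps1|lnk)"
# A document-looking extension, optional whitespace, then an executable one.
DOUBLE_EXT = re.compile(rf"\.{DOC_EXTS}\s*\.{EXEC_EXTS}$", re.IGNORECASE)


def has_double_extension(name):
    """True for names like 'Invoice.pdf .exe' or 'report.docx.scr'."""
    return bool(DOUBLE_EXT.search(name.rsplit("/", 1)[-1]))


def find_decoy_payload_pairs(entries):
    """Return (decoy, payload) pairs where a top-level file shares its exact
    name with a directory that holds a double-extension file starting with
    that same name (the archive layout reported for CVE-2023-38831)."""
    dirs = {e.rstrip("/") for e in entries if e.endswith("/")}
    # Some tools omit explicit directory entries; infer them from nested paths.
    for e in entries:
        if "/" in e.rstrip("/"):
            dirs.add(e.rsplit("/", 1)[0])
    files = [e for e in entries if not e.endswith("/")]
    findings = []
    for decoy in files:
        if "/" in decoy or decoy not in dirs:
            continue  # only top-level files that shadow a directory
        for payload in files:
            parent, _, base = payload.rpartition("/")
            if parent == decoy and base.startswith(decoy) and has_double_extension(base):
                findings.append((decoy, payload))
    return findings


# Constructed sample listing mirroring the layout in the report (trailing
# space after '.pdf' is deliberate; it is part of the known trick).
SAMPLE_ENTRIES = [
    "Invoice.pdf ",
    "Invoice.pdf /",
    "Invoice.pdf /Invoice.pdf .exe",
    "readme.txt",
]

if __name__ == "__main__":
    for decoy, payload in find_decoy_payload_pairs(SAMPLE_ENTRIES):
        print(f"suspicious: decoy {decoy!r} shadows a directory holding {payload!r}")
```

The pattern is a layout heuristic, so pair it with the vendor patch (WinRAR 6.23 or later) rather than relying on it alone.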