PhantomCore has been activated: the new PhantomDL loader is aimed at the military-industrial complex

Father

For two months now, the PhantomCore group has been attacking companies with fake documents used as decoys.

Since March 2024, F.A.C.C.T. Threat Intelligence analysts have been tracking the activity of the new PhantomDL loader, which is attributed to the PhantomCore cyber espionage group, known since the beginning of the year for its attacks on military-industrial complex organizations.

PhantomDL is delivered via phishing emails carrying encrypted archives with malicious files, and is then used to fetch further malware. In one case, the decoy document was disguised as an acceptance and transfer certificate for a construction site.

The attack relies on CVE-2023-38831 in WinRAR. The archive contains a decoy PDF and a folder with the same name holding an executable; in outdated WinRAR versions, double-clicking the PDF causes both to be extracted and the executable to be launched instead of the document. With WinRAR 6.23 or later, only the legitimate PDF document is opened.
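A quick way to triage inbound archives for this trick is to look for the CVE-2023-38831 layout itself (a top-level file and a same-named folder containing something executable) rather than relying on the user's WinRAR version. The script below is an added example for this post, not F.A.C.C.T.'s tooling or a real PhantomCore sample; the detection heuristic, the extension list and the two constructed sample archives are all assumptions.

```python
import io
import os
import zipfile

# File types that Windows ShellExecute would run instead of displaying a document
# (assumed list for this example).
EXEC_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".wsf", ".ps1", ".lnk"}


def _strip(name: str) -> str:
    """Normalise an entry name by dropping trailing spaces: CVE-2023-38831 pairs a
    decoy such as 'act.pdf ' with a folder 'act.pdf ' so the two names collide."""
    return name.rstrip(" ")


def find_cve_2023_38831(archive: bytes) -> list[tuple[str, str]]:
    """Return (decoy, executable) pairs matching the CVE-2023-38831 layout.

    Heuristic (an assumption made for this example): a top-level file whose name,
    ignoring trailing spaces, equals the name of a top-level folder that contains at
    least one file with an executable extension. Vulnerable WinRAR (< 6.23) extracts
    both when the decoy is double-clicked and ends up launching the executable.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()

    top_files = sorted(n for n in names if "/" not in n)
    folder_members: dict[str, list[str]] = {}
    for n in names:
        folder, sep, rest = n.partition("/")
        if sep and rest and not rest.endswith("/"):
            folder_members.setdefault(folder, []).append(n)

    hits = []
    for decoy in top_files:
        for folder, members in folder_members.items():
            if _strip(folder) != _strip(decoy):
                continue
            for member in members:
                ext = os.path.splitext(_strip(member))[1].lower()
                if ext in EXEC_EXTS:
                    hits.append((decoy, member))
    return hits


def build_sample(malicious: bool) -> bytes:
    """Build an in-memory ZIP for demonstration (constructed data, not a real
    PhantomCore archive). The malicious layout mirrors the public description of
    CVE-2023-38831: decoy 'act.pdf ' plus folder 'act.pdf /' holding 'act.pdf .cmd'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("act.pdf ", b"%PDF-1.4\n% decoy document\n")
            zf.writestr("act.pdf /act.pdf .cmd", b"@echo off\r\nrem stage-2 download would go here\r\n")
        else:
            zf.writestr("act.pdf", b"%PDF-1.4\n% legitimate document\n")
            zf.writestr("images/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        print(label, find_cve_2023_38831(build_sample(flag)))
```

Run it against any ZIP pulled from a phishing mail by passing the file bytes to `find_cve_2023_38831`; a non-empty result means the archive is built to abuse the WinRAR bug regardless of what the decoy looks like. RAR-format archives would need a RAR parser instead of `zipfile`, but the same name-collision check applies.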

PhantomDL also checks where the victim is connecting from. If the request comes from a non-Russian IP address, the connection is dropped. If the connection succeeds, the loader can receive a command either to download the next stage of malware or to terminate.

Over the past month, researchers identified a new PhantomDL sample that uses no obfuscation, which made it easier to analyze and allowed analysts to confirm the link to already known PhantomCore activity. According to the F.A.C.C.T. study, the use of PhantomDL is part of PhantomCore's strategy for evading defenses and conducting cyber espionage against the Russian military-industrial complex.