Researchers have uncovered a sophisticated phishing campaign originating in Russia that deploys the Phantom information-stealing malware through malicious ISO files.
The attack, dubbed “Operation MoneyMount-ISO,” specifically targets finance and accounting departments, using fake payment confirmation emails to trick victims into executing the payload.
The campaign primarily focuses on finance, accounting, treasury, and payment departments in Russia, with secondary targets including procurement, legal, HR/payroll teams, executive assistants, and Russian-speaking small and medium enterprises.
Preliminary Findings
The attack poses significant risks, including credential theft, invoice and payment fraud, unauthorized fund transfers, and lateral movement into IT systems.
The infection begins with a Russian-language phishing email titled “Подтверждение банковского перевода” (Confirmation of Bank Transfer) sent from compromised domains.
The message impersonates TorFX Forex Broker and contains a ZIP attachment roughly 1 MB in size. When victims open the ZIP file, they find a malicious ISO file disguised as a legitimate bank transfer confirmation document.
Upon execution, the ISO file auto-mounts as a virtual CD drive, revealing an executable file that appears legitimate. The executable loads additional payloads into memory, including a DLL named CreativeAI.dll containing encrypted code.
Figure: Infection Chain
This DLL decrypts and injects the final version of the Phantom Stealer malware into the system.
Phantom Stealer Capabilities
Phantom Stealer is a comprehensive data theft tool with extensive capabilities. The malware features anti-analysis techniques that detect virtualized environments and security tools, automatically self-destructing if discovered.
Figure: Analysis of the malicious ISO file
According to Seqrite, it harvests cryptocurrency wallet data from both browser extensions and desktop applications, targeting dozens of known crypto wallets.
The stealer extracts Discord authentication tokens from browser databases and local Discord installations, validates them through Discord’s API, and collects user information, including usernames, emails, and Nitro subscription status.
Figure: Analysis of the final payload
It also deploys a continuous clipboard monitor that captures clipboard contents every second, logging timestamped entries for exfiltration.
Additional capabilities include a global keystroke logger using low-level Windows hooks, recovery of saved passwords and credit card data from Chromium-based browsers via SQLite database parsing, and targeted file collection based on predefined criteria.
Once stolen data is collected, Phantom Stealer packages it into a ZIP archive that includes system metadata, public IP addresses, and configuration toggles.
The malware employs multiple exfiltration channels, including Telegram bot APIs, Discord webhooks, and FTP servers with optional SSL support, ensuring attackers receive the stolen information through redundant communication methods.
Organizations should implement continuous filtering of containerized attachments, deploy memory-behavior monitoring solutions, and harden email security workflows for finance-facing departments to defend against these evolving threats.
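One way to implement the filtering of containerized attachments recommended above, as an added example that is not code from the report or from Seqrite: a Python scanner that opens a ZIP attachment in memory, recognises an ISO 9660 image by its CD001 volume-descriptor signature regardless of the member's extension (so a renamed image still trips it), and carves the raw image for PE headers. The extension watch-list and the PE carve heuristic are assumptions of this example; the sample attachment it builds is constructed here and only borrows the filename from the IOC list.

```python
import io
import struct
import zipfile

ISO_MAGIC = b"CD001"                                # ISO 9660 descriptor id
ISO_DESCRIPTOR_OFFSETS = (0x8001, 0x8801, 0x9001)   # first three descriptor slots
CONTAINER_EXTS = (".iso", ".img", ".vhd", ".vhdx")  # assumed watch-list

def looks_like_iso(data: bytes) -> bool:
    """True if any standard volume-descriptor slot carries CD001."""
    return any(data[o:o + 5] == ISO_MAGIC for o in ISO_DESCRIPTOR_OFFSETS)

def embedded_pe_offsets(data: bytes) -> list:
    """Naive carve: MZ headers whose e_lfanew points at a PE signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            pe = pos + struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Report ZIP members that are ISO images by magic or by extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data, name = zf.read(info), info.filename.lower()
            is_iso = looks_like_iso(data)
            if is_iso or name.endswith(CONTAINER_EXTS):
                findings.append({
                    "member": info.filename,
                    "iso_magic": is_iso,                  # content says ISO
                    "extension_mismatch": is_iso and not name.endswith(CONTAINER_EXTS),
                    "embedded_pe": len(embedded_pe_offsets(data)),
                })
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: CD001 at 0x8001 plus one minimal PE stub, zipped."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x40)          # e_lfanew -> PE signature
    pe += b"PE\x00\x00" + b"\x00" * 20
    iso = bytearray(0x9000)
    iso[0x8001:0x8006] = ISO_MAGIC
    iso[0x1000:0x1000 + len(pe)] = pe
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("Подтверждение банковского перевода.zip".replace(".zip", ".iso"), bytes(iso))
    return buf.getvalue()
```

A mail gateway would call scan_zip_attachment on each ZIP attachment and quarantine any message with a non-empty result; a finding with extension_mismatch set is the stronger signal, since legitimate senders rarely rename disc images.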
IOCs
SHA-256 hashes and associated artefacts:
27bc3c4eed4e70ff5a438815b1694f83150c36d351ae1095c2811c962591e1bf  Email
4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599  Подтверждение банковского перевода.zip
60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9  Подтверждение банковского перевода.iso
78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77  HvNC.exe
