A malware loader dubbed PhantomVAI has been identified in phishing campaigns worldwide, delivering a range of information stealers and remote access trojans (RATs) to compromised systems. The loader poses as a legitimate software library and uses process hollowing to run its payloads inside the address space of legitimate Windows processes.
Phishing Campaigns and Global Impact
PhantomVAI reaches victims worldwide through phishing emails and links. Once it runs, the loader downloads a payload from a remote URL and injects it into a legitimate Windows process, so the malicious code executes under the name and on-disk image of a trusted binary, which complicates detection by security tools that key on the process image rather than on what is actually mapped in memory.
Notably, different security vendors have reported the same loader under different names, which has muddied public understanding of what it is and what it can do.
Technical Insights and Execution Mechanisms
Central to PhantomVAI's operation is a RunPE routine known as "Mandark," originally written by a HackForums user. It implements process hollowing: it starts a legitimate host process in a suspended state, unmaps the host's original image from memory, writes the payload's PE image in its place, and then resumes the suspended thread so that the payload runs under the host's identity. The code still carries its origin in the .NET namespace "hackforums.gigajew."
The loader is built to pass as version 2.11.0.0 of the Microsoft.Win32.TaskScheduler library; the impersonation, not a vulnerability in that library, is the point. At run time it reads the fields it needs from the payload's PE headers (image base, entry point, image size and the section table), starts the host process, allocates memory in it with execute permission, and writes the payload's headers and sections into that memory at their virtual addresses.
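As an added illustration, and not code from the researchers, from PhantomVAI or from the Mandark RunPE routine, the following Python shows the two sides of what the paragraphs above describe. `parse_pe` extracts the header fields a RunPE-style loader must read from its payload (ImageBase, AddressOfEntryPoint, SizeOfImage, SizeOfHeaders and the section table), `map_plan` derives the headers-then-sections copy list that follows from them, and `hollowing_indicators` is the defensive counterpart: it compares the header of the host executable on disk with the header read back from the process's image base, which is how memory-forensics tools spot a hollowed process. The two PE images (`HOST`, `PAYLOAD`) and all of their field values are constructed in the block for the demonstration; `parse_pe` works unchanged on real PE32 and PE32+ files.

```python
"""PE header fields a RunPE loader extracts, plus a disk-vs-memory header check.
Added example; HOST and PAYLOAD below are constructed test images."""
import struct

_COFF = "<HHIIIHH"          # IMAGE_FILE_HEADER (20 bytes)
_SECTION = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def build_pe(image_base, entry_point, size_of_image, sections, pe32plus=False):
    """Build a minimal PE: DOS header, PE signature, COFF + optional header,
    section table (section bodies omitted). Test data only.
    sections: (name, VirtualAddress, VirtualSize, PointerToRawData,
               SizeOfRawData, Characteristics)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0            # PE32+ / PE32 optional header
    machine = 0x8664 if pe32plus else 0x14C           # AMD64 / I386
    coff = struct.pack(_COFF, machine, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, 0x20B)         # Magic
        struct.pack_into("<Q", opt, 24, image_base)   # ImageBase (64-bit)
    else:
        struct.pack_into("<H", opt, 0, 0x10B)
        struct.pack_into("<I", opt, 28, image_base)   # ImageBase (32-bit)
    struct.pack_into("<I", opt, 16, entry_point)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, 0x1000)           # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)            # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)    # SizeOfImage
    size_of_headers = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    struct.pack_into("<I", opt, 60, size_of_headers)  # SizeOfHeaders
    table = b"".join(
        struct.pack(_SECTION, name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, raw_ptr, raw_size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return the header fields a loader needs to map `data` into a process."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(_COFF, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                              # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry, = struct.unpack_from("<I", data, opt + 16)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    sections = []
    for i in range(nsect):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from(_SECTION, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_offset": raw_ptr, "raw_size": raw_size,
                         "characteristics": chars})
    return {"machine": machine, "image_base": image_base, "entry_point": entry,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}


def map_plan(payload):
    """Copy list a RunPE-style loader derives from the headers: the headers at
    RVA 0, then each section's file bytes at its VirtualAddress.
    Returns (label, destination RVA, file offset, byte count) tuples."""
    pe = parse_pe(payload)
    plan = [("headers", 0, 0, pe["size_of_headers"])]
    for s in pe["sections"]:
        if s["raw_size"]:                             # .bss-style sections have no file bytes
            plan.append((s["name"], s["virtual_address"], s["raw_offset"], s["raw_size"]))
    return plan


def hollowing_indicators(disk_image, memory_image):
    """Defensive check: the header at a process's image base should match the
    header of its executable on disk. After hollowing it describes the payload."""
    disk, mem = parse_pe(disk_image), parse_pe(memory_image)
    findings = [label for label, key in (("Machine", "machine"), ("ImageBase", "image_base"),
                                         ("AddressOfEntryPoint", "entry_point"),
                                         ("SizeOfImage", "size_of_image"))
                if disk[key] != mem[key]]
    if [s["name"] for s in disk["sections"]] != [s["name"] for s in mem["sections"]]:
        findings.append("SectionTable")
    return findings


# Constructed images: a small "host" executable and a larger "payload".
HOST = build_pe(0x400000, 0x1200, 0x4000, [
    (b".text", 0x1000, 0x0800, 0x200, 0x800, 0x60000020),
    (b".data", 0x2000, 0x0200, 0xA00, 0x200, 0xC0000040)])
PAYLOAD = build_pe(0x400000, 0x2E40, 0x9000, [
    (b".text", 0x1000, 0x2000, 0x400, 0x2000, 0x60000020),
    (b".rsrc", 0x3000, 0x5000, 0x2400, 0x5000, 0x40000040)])

if __name__ == "__main__":
    for step in map_plan(PAYLOAD):
        print("copy %-8s -> RVA 0x%05x from file offset 0x%05x (%d bytes)" % step)
    print("host vs host:   ", hollowing_indicators(HOST, HOST))
    print("host vs payload:", hollowing_indicators(HOST, PAYLOAD))
```

On a live Windows system the `memory_image` argument would be the bytes read from the image base recorded in the target's PEB, and `disk_image` the file the process was started from; a non-empty result is a strong hint that the mapped image is not the one on disk, and a SizeOfImage larger than the host's, as here, means the loader had to allocate beyond what the original image needed.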
Loader-as-a-Service Model and Widespread Attacks
The loader appears to be offered as a service: it delivers many unrelated payload families and takes an arbitrary download URL as an argument, so different threat actors can run their own campaigns on the same loader code and infrastructure, which accounts for how widely the attacks are spread.
Across the documented samples, researchers have found the same identifying traits: a method named "VAI" (Portuguese for "go"), other Portuguese-language strings, and the loader's disguise as "Microsoft.Win32.TaskScheduler.dll," the file name of a legitimate open-source Task Scheduler wrapper hosted on GitHub. Defenders who encounter a DLL by that name should verify its hash or signature against the genuine release rather than trusting the file name.
Security analysts continue to study PhantomVAI, noting its capacity to deliver well-known threats like Remcos, XWorm, AsyncRAT, DarkCloud, and SmokeLoader across different regions.
