Cybercriminals have ingeniously misused a popular productivity tool to distribute malware across different platforms. By leveraging the Shell Commands plugin in Obsidian, attackers have been executing harmful code on users’ systems without needing to exploit any software vulnerabilities.
Targeting Financial and Cryptocurrency Sectors
The campaign, identified as REF6598, specifically aims at individuals in the financial and cryptocurrency industries. It begins with a sophisticated social engineering tactic where attackers impersonate representatives from a venture capital firm and contact potential victims through LinkedIn.
Once communication is established, the conversation shifts to a Telegram chat involving multiple fake partners to enhance credibility. Victims are then instructed to use Obsidian, portrayed as the firm’s internal management tool, and are given credentials to access a cloud-hosted vault controlled by the attacker.
Technical Details of the Attack
Elastic Security Labs researchers discovered the campaign after noticing a suspicious PowerShell execution with Obsidian as the parent process. Researchers Salim Bitam, Samir Bousseaden, and Daniel Stepanic traced the activity back to the Obsidian application itself, ruling out third-party DLL sideloading and JavaScript injection.
The investigation revealed that the Shell Commands plugin, embedded in the malicious vault, was set to execute attacker-specified shell commands once the vault was accessed, requiring no further action from the victim.
Cross-Platform Attack Mechanism
The attack affects both Windows and macOS systems. On Windows, the attack chain culminates in the deployment of a previously undocumented RAT named PHANTOMPULSE, which includes capabilities like keylogging and privilege escalation.
For macOS, a concealed AppleScript dropper along with a Telegram-based fallback mechanism is used for command-and-control communication. Both attack paths effectively camouflage themselves within standard application behavior, complicating traditional detection methods.
Upon opening the attacker-controlled vault and enabling plugin sync, the trojanized plugin's data.json configuration file is pulled down and its commands are executed. On Windows, Base64-encoded PowerShell scripts run to download a 64-bit executable called syncobs.exe, reporting each step to the command server using color-coded messages.
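Because the plugin's data.json is the artifact that carries the attacker's commands, a vault audit is a cheap defensive check. The script below is an added example written for this article, not code from Elastic or the Obsidian project: it lists enabled community plugins, walks every string in each plugin's data.json, and flags interpreter invocations and encoded PowerShell, decoding the latter for the analyst. The plugin ID "obsidian-shellcommands" and the data.json layout in the constructed sample are assumptions; the walker does not depend on the layout.

```python
import base64
import json
import re
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Assumed plugin ID for the community "Shell Commands" plugin; verify against
# your own installation before relying on it.
SHELL_COMMAND_PLUGIN_IDS = {"obsidian-shellcommands"}

# Strings that should not normally appear in a note-taking app's plugin config.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr|curl|wget)\b", re.I),
    re.compile(r"\bosascript\b", re.I),
    re.compile(r"\b(bash|sh|zsh)\s+-c\b", re.I),
    re.compile(r"\bpowershell(\.exe)?\b|\bpwsh(\.exe)?\b", re.I),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def _walk_strings(node, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def decode_encoded_powershell(command: str):
    """Return the UTF-16LE script behind an -EncodedCommand argument, or None."""
    match = ENCODED_FLAG.search(command)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_vault_files(files: Dict[str, str]) -> List[dict]:
    """Audit a vault given as {relative_path: file_text}; returns findings."""
    findings = []
    enabled = json.loads(files.get(".obsidian/community-plugins.json", "[]"))
    for plugin_id in enabled if isinstance(enabled, list) else []:
        if plugin_id in SHELL_COMMAND_PLUGIN_IDS:
            findings.append({"kind": "shell-plugin-enabled", "plugin": plugin_id, "detail": ""})

    for rel_path, content in files.items():
        if not (rel_path.startswith(".obsidian/plugins/") and rel_path.endswith("/data.json")):
            continue
        try:
            document = json.loads(content)
        except json.JSONDecodeError:
            findings.append({"kind": "unparseable-plugin-config", "plugin": rel_path, "detail": ""})
            continue
        for json_path, value in _walk_strings(document):
            decoded = decode_encoded_powershell(value)
            text = value if decoded is None else f"{value}\n[decoded] {decoded}"
            if decoded is not None or any(p.search(value) for p in SUSPICIOUS_PATTERNS):
                findings.append({"kind": "suspicious-command", "plugin": rel_path,
                                 "detail": f"{json_path}: {text}"})
    return findings


def audit_vault(vault_dir: str) -> List[dict]:
    """Read every JSON file under <vault>/.obsidian and audit it."""
    root = Path(vault_dir)
    files = {p.relative_to(root).as_posix(): p.read_text(encoding="utf-8", errors="replace")
             for p in (root / ".obsidian").rglob("*.json")}
    return audit_vault_files(files)


# Constructed sample vault. The encoded command is a harmless Write-Host so the
# decoder can be exercised offline; the data.json schema is assumed.
SAMPLE_ENCODED = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()
SAMPLE_VAULT_FILES = {
    ".obsidian/community-plugins.json": json.dumps(["obsidian-shellcommands"]),
    ".obsidian/plugins/obsidian-shellcommands/data.json": json.dumps({
        "settings_version": "0.0.0",
        "shell_commands": [{
            "id": "abc123",
            "platform_specific_commands": {
                "default": "osascript -e 'display dialog \"hi\"'",
                "win": f"powershell -NoProfile -enc {SAMPLE_ENCODED}",
            },
        }],
    }),
    ".obsidian/plugins/some-benign-plugin/data.json": json.dumps({"theme": "dark"}),
}

if __name__ == "__main__":
    for finding in audit_vault_files(SAMPLE_VAULT_FILES):
        print(finding["kind"], finding["plugin"], finding["detail"])
```

Run it against a real vault with `audit_vault("/path/to/vault")`; any "suspicious-command" finding deserves a look before the vault is opened on a workstation with the plugin enabled.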
The final payload, PHANTOMPULL, decrypts its AES-256-CBC-encrypted payload in-memory, avoiding traditional file-based detection. PHANTOMPULSE employs a unique C2 resolution technique using public Ethereum blockchain data.
Recommendations for Security Teams
Organizations in the targeted sectors are advised to monitor for abnormal child process creation from Electron-based applications like Obsidian. Enabling behavioral endpoint detection and enforcing plugin installation policies can mitigate risks.
Elastic has published YARA rules for detecting PHANTOMPULL and PHANTOMPULSE, providing a practical starting point for enhancing security measures across different environments.
