A novel cyber threat has been unveiled, targeting the finance and cryptocurrency sectors by exploiting the Obsidian note-taking application. This campaign uses sophisticated social engineering tactics to distribute a new Windows remote access trojan (RAT) named PHANTOMPULSE. The attack, identified by Elastic Security Labs as REF6598, leverages platforms like LinkedIn and Telegram to deceive potential victims.
Social Engineering and Initial Access
Threat actors employ elaborate social engineering techniques, approaching targets under the pretext of a venture capital firm. These engagements often transition to a Telegram group where discussions about financial services and cryptocurrency solutions take place. Victims are instructed to access a shared dashboard via Obsidian, connecting to a cloud-hosted vault with provided credentials.
The infection sequence begins when the vault is accessed within Obsidian, prompting victims to enable ‘Installed community plugins’ sync. This action triggers the execution of malicious code. Researchers Salim Bitam, Samir Bousseaden, and Daniel Stepanic highlight the exploitation of Obsidian’s legitimate community plugin ecosystem, specifically the Shell Commands and Hider plugins, to execute code stealthily.
Technical Breakdown and Methodology
The attack requires convincing victims to manually enable plugin sync, as this option is disabled by default. Once activated, the Shell Commands plugin executes malicious commands, while the Hider plugin conceals certain UI elements. This tactic bypasses traditional antivirus detection and utilizes Obsidian’s trusted application status to execute commands.
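The plugin combination described above (a command-execution plugin paired with a UI-hiding plugin, both enabled through vault sync) leaves a static footprint in the vault's own configuration. The following audit script is an added example written for this summary, not code from Elastic Security Labs or from the Obsidian project. It assumes the standard vault layout (`.obsidian/community-plugins.json` listing enabled plugin IDs and `.obsidian/plugins/<id>/data.json` holding each plugin's settings) and assumes the plugin IDs `obsidian-shellcommands` and `obsidian-hider`; the Shell Commands settings schema in the sample vault is illustrative, not the plugin's real format. A defender can point it at shared or synced vaults to flag the execution-plus-concealment pairing before a vault is opened.

```python
import json
import tempfile
from pathlib import Path

# Plugin identifiers are ASSUMED here; verify them against the manifest.json of
# the plugins installed in your own environment before relying on them.
EXEC_CAPABLE = {"obsidian-shellcommands": "Shell Commands: can run arbitrary shell commands"}
UI_HIDING = {"obsidian-hider": "Hider: can conceal Obsidian UI elements"}

# Substrings that, inside a plugin's settings file, suggest a configured command
# launches an interpreter or reaches the network. Heuristic, not a signature.
SUSPICIOUS_TOKENS = ("powershell", "osascript", "curl ", "wget ", "http://", "https://",
                     "-enc", "invoke-expression", "iex ", "bash -c", "sh -c")


def audit_vault(vault_dir):
    """Audit one vault directory. Returns a list of findings (dicts: kind/plugin/detail)."""
    findings = []
    cfg = Path(vault_dir) / ".obsidian"
    enabled_file = cfg / "community-plugins.json"  # JSON array of enabled plugin IDs
    if not enabled_file.is_file():
        return findings
    try:
        enabled = json.loads(enabled_file.read_text(encoding="utf-8"))
    except json.JSONDecodeError as exc:
        return [{"kind": "unparseable_config", "plugin": None, "detail": str(exc)}]
    for plugin_id in enabled:
        if plugin_id in EXEC_CAPABLE:
            findings.append({"kind": "exec_plugin_enabled", "plugin": plugin_id,
                             "detail": EXEC_CAPABLE[plugin_id]})
        if plugin_id in UI_HIDING:
            findings.append({"kind": "ui_hiding_plugin_enabled", "plugin": plugin_id,
                             "detail": UI_HIDING[plugin_id]})
        data_file = cfg / "plugins" / plugin_id / "data.json"  # per-plugin settings
        if data_file.is_file():
            blob = data_file.read_text(encoding="utf-8", errors="replace").lower()
            hits = sorted(t.strip() for t in SUSPICIOUS_TOKENS if t in blob)
            if hits:
                findings.append({"kind": "suspicious_plugin_settings", "plugin": plugin_id,
                                 "detail": "tokens: " + ", ".join(hits)})
    # The pairing itself is the pattern the report describes: execution plus concealment.
    kinds = {f["kind"] for f in findings}
    if {"exec_plugin_enabled", "ui_hiding_plugin_enabled"} <= kinds:
        findings.append({"kind": "exec_and_hide_combo", "plugin": None,
                         "detail": "command-execution plugin enabled together with a UI-hiding plugin"})
    return findings


def build_sample_vault(root):
    """Write a CONSTRUCTED vault that mirrors the described setup, for offline testing only."""
    cfg = Path(root) / ".obsidian"
    (cfg / "plugins" / "obsidian-shellcommands").mkdir(parents=True)
    (cfg / "plugins" / "obsidian-hider").mkdir(parents=True)
    (cfg / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "obsidian-hider"]), encoding="utf-8")
    # Illustrative settings layout; the real Shell Commands schema is not reproduced here.
    (cfg / "plugins" / "obsidian-shellcommands" / "data.json").write_text(json.dumps({
        "commands": [{"run_on": "startup", "cmd": "powershell -enc <placeholder-base64>"}]
    }), encoding="utf-8")
    (cfg / "plugins" / "obsidian-hider" / "data.json").write_text(
        json.dumps({"hideRibbon": True}), encoding="utf-8")
    return root


def demo():
    """Build the constructed vault in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_sample_vault(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['kind']}] {f['plugin']}: {f['detail']}")
```

On a real fleet, run `audit_vault` over every vault path users sync from cloud storage, and treat the `exec_and_hide_combo` finding as the high-signal one; an execution plugin alone may be a legitimate power-user setup.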
On Windows systems, PHANTOMPULSE is deployed by executing PowerShell scripts that drop and activate an intermediate loader called PHANTOMPULL. PHANTOMPULSE communicates with its command-and-control (C2) server via the Ethereum blockchain, using WinHTTP for data transmission, command reception, and more. Supported commands include file dropping, screenshot capturing, keylogging, and privilege escalation.
macOS Strategy and Defense Measures
For macOS, the attack utilizes the Shell Commands plugin to execute an obfuscated AppleScript dropper. This script iterates through a fixed domain list, using Telegram as a fallback for C2 resolution. This method allows for flexible C2 infrastructure changes, complicating domain-based blocking efforts. The dropper contacts the C2 domain to download and execute additional payloads via osascript, though the specifics remain unknown due to inactive C2 servers.
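Both the Windows chain (Obsidian launching PowerShell to stage PHANTOMPULL) and the macOS chain (the Shell Commands plugin launching an AppleScript dropper via osascript) share one behavioural tell: a note-taking application becoming the parent of a script interpreter. The detection below is an added example written for this summary, not Elastic's rule or any code from the report. It runs over constructed process-creation events in JSON-lines form (fields `host`, `pid`, `ppid`, `image`, `cmdline` are assumed) and assumes the Obsidian image names `Obsidian.exe` on Windows and `Obsidian` on macOS; it walks up to three ancestors so that an `Obsidian -> sh -> osascript` chain is caught as well as a direct spawn.

```python
import json

# Assumed image names of the Obsidian main process on each platform.
OBSIDIAN_IMAGES = {"obsidian.exe", "obsidian"}
# Interpreters and download tools that a note-taking app has no ordinary reason to launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe",
                "osascript", "sh", "bash", "zsh", "curl"}
MAX_DEPTH = 3  # how many ancestors to inspect when looking for an Obsidian parent

# CONSTRUCTED process-creation events (JSON lines); not real telemetry from the incident.
SAMPLE_EVENTS = "\n".join([
    '{"host":"win-1","pid":100,"ppid":1,"image":"explorer.exe","cmdline":"explorer.exe"}',
    '{"host":"win-1","pid":200,"ppid":100,"image":"Obsidian.exe","cmdline":"Obsidian.exe"}',
    '{"host":"win-1","pid":210,"ppid":200,"image":"Obsidian.exe","cmdline":"Obsidian.exe --type=renderer"}',
    '{"host":"win-1","pid":220,"ppid":200,"image":"powershell.exe",'
    '"cmdline":"powershell.exe -NoProfile -File <dropped-script>.ps1"}',
    '{"host":"win-1","pid":300,"ppid":100,"image":"powershell.exe","cmdline":"powershell.exe"}',
    '{"host":"mac-1","pid":500,"ppid":1,"image":"launchd","cmdline":"/sbin/launchd"}',
    '{"host":"mac-1","pid":510,"ppid":500,"image":"Obsidian","cmdline":"/Applications/Obsidian.app/Contents/MacOS/Obsidian"}',
    '{"host":"mac-1","pid":520,"ppid":510,"image":"sh","cmdline":"sh -c osascript <placeholder>.scpt"}',
    '{"host":"mac-1","pid":530,"ppid":520,"image":"osascript","cmdline":"osascript <placeholder>.scpt"}',
])


def parse_events(text):
    """Parse JSON-lines process events; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_obsidian_spawns(events, max_depth=MAX_DEPTH):
    """Return an alert for every interpreter whose ancestry (up to max_depth) includes Obsidian.

    Renderer children of Obsidian are not interpreters and therefore never alert;
    an interpreter launched by some other parent (explorer.exe here) is also ignored.
    """
    by_key = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() not in INTERPRETERS:
            continue
        cur, depth = e, 0
        while depth < max_depth:
            parent = by_key.get((cur["host"], cur["ppid"]))
            if parent is None:
                break
            depth += 1
            if parent["image"].lower() in OBSIDIAN_IMAGES:
                alerts.append({"host": e["host"], "pid": e["pid"], "image": e["image"],
                               "cmdline": e["cmdline"], "ancestor_pid": parent["pid"],
                               "depth": depth})
                break
            cur = parent
    return alerts


def flagged_pids(text=SAMPLE_EVENTS):
    """Convenience wrapper: the set of (host, pid) pairs the rule would alert on."""
    return {(a["host"], a["pid"]) for a in find_obsidian_spawns(parse_events(text))}


if __name__ == "__main__":
    for a in find_obsidian_spawns(parse_events(SAMPLE_EVENTS)):
        print(f"{a['host']} pid={a['pid']} {a['image']} under Obsidian (depth {a['depth']}): {a['cmdline']}")
```

The rule is deliberately narrow (interpreter under Obsidian) rather than keyed on PHANTOMPULSE artefacts, because the report's point is that the access vector is the trusted application itself; the same parent-child relationship would expose a different payload delivered the same way.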
The attack was ultimately thwarted before achieving its objectives. Elastic Security Labs emphasizes the creativity of threat actors in finding new access vectors. By exploiting trusted applications rather than software vulnerabilities, attackers evade traditional security measures. This incident underscores the need for vigilance and advanced security protocols to counter such innovative threats.
