Phantomcore

Malware updated 23 days ago (2024-11-29T13:57:40.795Z)
Download STIX
Preview STIX
PhantomCore is a sophisticated malware, which is part of a suite of custom-made malicious software that includes PhantomDL. This malware has been used in targeted phishing campaigns to infiltrate victim infrastructure by exploiting a relatively new vulnerability, CVE-2023-38831. Once executed, the malware establishes a connection with a Command and Control (C2) server, as evidenced by sample detonations in the Kaspersky Sandbox. These connections were observed to IP 5.252.178[.]92 among others. The attackers have shown advanced obfuscation techniques, possibly using a popular Go obfuscator named Garble, making detection and mitigation more challenging. The malware has been used to deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT). Moreover, the attackers cleverly disguised their malware, naming the samples to resemble business documents and using double extensions to further trick victims into executing them. One notable feature of PhantomCore is its ability to create a scheduled task named MicrosoftUpdateCore, which launches the malicious $appdata\Microsoft\Windows\srvhost.exe each time the user logs in, ensuring persistence on the infected system. However, there remains some uncertainty regarding the full extent of PhantomCore and PhantomDL's activities. Despite finding several samples of these malwares, it is unclear if they all belong to the same activity cluster as those used in Head Mare’s attacks. This suggests the possible existence of other threat actors or campaigns utilizing similar tools, thereby underscoring the need for continued vigilance and robust cybersecurity measures.
Description last updated: 2024-10-17T12:12:28.902Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Phishing
Malware
Vulnerability
Sandbox
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Phantomdl Malware is associated with Phantomcore. PhantomDL is a malicious software (malware) associated with the cybercriminal group known as Head Mare, which has been linked to targeted attacks on Russian organizations. This custom-made malware, along with PhantomCore, exploits a relatively new vulnerability, CVE-2023-38831, in phishing campaignsUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-38831 Vulnerability is associated with Phantomcore. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabilUnspecified
2
Source Document References
Information about the Phantomcore Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more