Phantomcore

Malware updated a month ago (2024-10-17T13:04:06.789Z)

Download STIX

Preview STIX

PhantomCore is a sophisticated malware, which is part of a suite of custom-made malicious software that includes PhantomDL. This malware has been used in targeted phishing campaigns to infiltrate victim infrastructure by exploiting a relatively new vulnerability, CVE-2023-38831. Once executed, the malware establishes a connection with a Command and Control (C2) server, as evidenced by sample detonations in the Kaspersky Sandbox. These connections were observed to IP 5.252.178[.]92 among others. The attackers have shown advanced obfuscation techniques, possibly using a popular Go obfuscator named Garble, making detection and mitigation more challenging. The malware has been used to deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT). Moreover, the attackers cleverly disguised their malware, naming the samples to resemble business documents and using double extensions to further trick victims into executing them. One notable feature of PhantomCore is its ability to create a scheduled task named MicrosoftUpdateCore, which launches the malicious $appdata\Microsoft\Windows\srvhost.exe each time the user logs in, ensuring persistence on the infected system. However, there remains some uncertainty regarding the full extent of PhantomCore and PhantomDL's activities. Despite finding several samples of these malwares, it is unclear if they all belong to the same activity cluster as those used in Head Mare’s attacks. This suggests the possible existence of other threat actors or campaigns utilizing similar tools, thereby underscoring the need for continued vigilance and robust cybersecurity measures.

Description last updated: 2024-10-17T12:12:28.902Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploit

Phishing

Malware

Vulnerability

Sandbox

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Phantomdl Malware is associated with Phantomcore. PhantomDL is a malicious software (malware) associated with the cybercriminal group known as Head Mare, which has been linked to targeted attacks on Russian organizations. This custom-made malware, along with PhantomCore, exploits a relatively new vulnerability, CVE-2023-38831, in phishing campaigns	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-38831 Vulnerability is associated with Phantomcore. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil	Unspecified	2

Source Document References

Information about the Phantomcore Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	3 months ago	Red Teaming Tool Abused for Malware Deployment
Securelist	3 months ago	Head Mare hacktivists: attacks on companies in Russia and Belarus
Securityaffairs	3 months ago	Head Mare hacktivist group targets Russia and Belarus