Phantomdl

Malware updated a month ago (2024-10-17T13:04:05.840Z)

Download STIX

Preview STIX

PhantomDL is a malicious software (malware) associated with the cybercriminal group known as Head Mare, which has been linked to targeted attacks on Russian organizations. This custom-made malware, along with PhantomCore, exploits a relatively new vulnerability, CVE-2023-38831, in phishing campaigns to infiltrate victims' infrastructure. The malware samples are disguised as business documents with double extensions, making them harder to detect. They establish communication with one of the attackers' command servers post-execution and attempt domain identification. Notably, all found samples of PhantomDL and PhantomCore were obfuscated, possibly using a popular obfuscator for Go called Garble. During our investigation, we discovered several PhantomDL and PhantomCore samples. However, it's uncertain if these belong to the same activity cluster as those used in Head Mare’s attacks. Our research also revealed that PhantomDL communicates with its Command and Control (C2) server through port 80 and performs domain identification using specific commands. In some instances, the PhantomDL sample was seen connecting to the C2 server 91.219.151[.]47. Our products have successfully detected PhantomDL samples, recognizing the malware as an exploit for CVE-2023-38831 among other things. Despite the sophistication of the malware and the tactics employed by the attackers, ongoing research and development efforts continue to improve detection rates and mitigate the impact of such threats. It is crucial for organizations to stay vigilant, regularly update their security measures, and educate employees about the risks of suspicious downloads and emails to prevent such attacks.

Description last updated: 2024-10-17T12:12:18.951Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Phishing

Exploit

Sandbox

Vulnerability

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Phantomcore Malware is associated with Phantomdl. PhantomCore is a sophisticated malware, which is part of a suite of custom-made malicious software that includes PhantomDL. This malware has been used in targeted phishing campaigns to infiltrate victim infrastructure by exploiting a relatively new vulnerability, CVE-2023-38831. Once executed, the m	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-38831 Vulnerability is associated with Phantomdl. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil	Unspecified	2

Source Document References

Information about the Phantomdl Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Preview	Source Link	CreatedAt	Title
	Securelist	3 months ago	Head Mare hacktivists: attacks on companies in Russia and Belarus
	Securityaffairs	3 months ago	Head Mare hacktivist group targets Russia and Belarus