Phantomdl

Malware updated a month ago (2024-10-17T13:04:05.840Z)
PhantomDL is a malicious software (malware) associated with the cybercriminal group known as Head Mare, which has been linked to targeted attacks on Russian organizations. This custom-made malware, along with PhantomCore, exploits a relatively new vulnerability, CVE-2023-38831, in phishing campaigns to infiltrate victims' infrastructure. The malware samples are disguised as business documents with double extensions, making them harder to detect. They establish communication with one of the attackers' command servers post-execution and attempt domain identification. Notably, all found samples of PhantomDL and PhantomCore were obfuscated, possibly using a popular obfuscator for Go called Garble.

During our investigation, we discovered several PhantomDL and PhantomCore samples. However, it's uncertain if these belong to the same activity cluster as those used in Head Mare's attacks. Our research also revealed that PhantomDL communicates with its Command and Control (C2) server through port 80 and performs domain identification using specific commands. In some instances, the PhantomDL sample was seen connecting to the C2 server 91.219.151[.]47. Our products have successfully detected PhantomDL samples, recognizing the malware as an exploit for CVE-2023-38831 among other things.

Despite the sophistication of the malware and the tactics employed by the attackers, ongoing research and development efforts continue to improve detection rates and mitigate the impact of such threats. It is crucial for organizations to stay vigilant, regularly update their security measures, and educate employees about the risks of suspicious downloads and emails to prevent such attacks.
Description last updated: 2024-10-17T12:12:18.951Z
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
Exploit
Sandbox
Vulnerability
Associated Malware
Description: The Phantomcore Malware is associated with Phantomdl. PhantomCore is a sophisticated malware, which is part of a suite of custom-made malicious software that includes PhantomDL. This malware has been used in targeted phishing campaigns to infiltrate victim infrastructure by exploiting a relatively new vulnerability, CVE-2023-38831. Once executed, the m
Association Type: Unspecified
Votes: 2
Associated Vulnerabilities
Description: The CVE-2023-38831 Vulnerability is associated with Phantomdl. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
Association Type: Unspecified
Votes: 2
Source Document References
Information about the Phantomdl Malware was read from the documents corpus below.
Source: Securelist, created 3 months ago
Source: Securityaffairs, created 3 months ago