Cybersecurity researchers have shed light on a new phishing campaign that has been observed targeting individuals in Pakistan with a custom backdoor.
Dubbed PHANTOM#SPIKE by Securonix, the campaign's unknown threat actors used military-themed phishing documents to trigger the infection sequence.
"While there are numerous techniques used today to deploy malware, the threat actors utilized ZIP files with a password-protected payload archive file contained inside," researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report.
The campaign is notable for its lack of sophistication and its use of simple payloads to obtain remote access to target machines.
The email messages arrive with a ZIP archive that purports to contain meeting minutes related to the International Military-Technical Forum Army 2024, a legitimate event organized by the Ministry of Defense of the Russian Federation. It is scheduled to be held in Moscow in mid-August 2024.
Inside the ZIP file are a Microsoft Compiled HTML Help (CHM) file and a hidden executable ("RuntimeIndexer.exe"). When opened, the CHM file displays the meeting minutes along with several images, but covertly launches the bundled binary as soon as the user clicks anywhere on the document.
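The attachment layout described above (a CHM lure next to a hidden executable, and a password-protected archive nested inside the outer ZIP) can be flagged statically before anything is opened. The script below is an added example, not Securonix's tooling or anything from the campaign itself; the archives it inspects are constructed in memory, and the exact nesting (which archive holds the CHM and which is password-protected) is an assumption, since the report only says both traits are present. It checks three header-level signals that survive without a password: the CHM-plus-executable pairing, the DOS hidden attribute on an executable entry, and the encryption flag that marks an entry as unscannable.

```python
"""Static triage of a ZIP attachment for the PHANTOM#SPIKE lure traits.
Added example; the sample archives are constructed here, not taken from the report."""
import io
import zipfile

EXEC_EXT = (".exe", ".scr", ".dll", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs")
HELP_EXT = (".chm",)
FLAG_ENCRYPTED = 0x0001   # general-purpose flag bit 0 in the local/central ZIP headers
ATTR_HIDDEN = 0x0002      # FILE_ATTRIBUTE_HIDDEN in the low 16 bits of external_attr


def triage_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return human-readable findings for one archive, recursing into readable nested ZIPs."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"depth {depth}: nested archive is not a readable ZIP"]
    with zf:
        infos = zf.infolist()
        names = [i.filename.lower() for i in infos]
        # Signal 1: a help file shipped together with something executable.
        if any(n.endswith(HELP_EXT) for n in names) and any(n.endswith(EXEC_EXT) for n in names):
            findings.append(f"depth {depth}: CHM bundled with an executable (CHM-launches-EXE lure pattern)")
        for info in infos:
            name = info.filename.lower()
            encrypted = bool(info.flag_bits & FLAG_ENCRYPTED)
            # Signal 2: the entry is password-protected, so content scanners see nothing.
            if encrypted:
                findings.append(f"depth {depth}: password-protected entry {info.filename!r} (contents cannot be scanned)")
            # Signal 3: an executable carrying the DOS 'hidden' attribute (set by the packer on Windows).
            if info.external_attr & ATTR_HIDDEN and name.endswith(EXEC_EXT):
                findings.append(f"depth {depth}: hidden executable {info.filename!r}")
            # Recurse into nested archives whose bytes we can actually read.
            if name.endswith(".zip") and not encrypted:
                if depth >= max_depth:
                    findings.append(f"depth {depth}: nesting deeper than {max_depth}, stopped at {info.filename!r}")
                else:
                    findings.extend(triage_zip(zf.read(info), depth + 1, max_depth))
    return findings


def _build_zip(entries) -> bytes:
    """Constructed test archive; entries are (name, payload_bytes, hidden_flag)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload, hidden in entries:
            zi = zipfile.ZipInfo(name)
            if hidden:
                zi.external_attr |= ATTR_HIDDEN
            zf.writestr(zi, payload)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag on every local (PK\\x03\\x04) and central (PK\\x01\\x02) header.
    zipfile cannot write PKZIP encryption, so the sample imitates only the header flag,
    which is exactly what the triage above keys on; the payload stays plaintext."""
    out = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + flag_offset] |= FLAG_ENCRYPTED
            pos = out.find(sig, pos + len(sig))
    return bytes(out)


def sample_lure_archive() -> bytes:
    """Constructed: CHM lure beside a hidden RuntimeIndexer.exe, as the report describes."""
    return _build_zip([
        ("Forum_Army_2024_minutes.chm", b"ITSF" + b"\x00" * 32, False),   # "ITSF" is the CHM magic
        ("RuntimeIndexer.exe", b"MZ" + b"\x90" * 32, True),
    ])


def sample_nested_protected_archive() -> bytes:
    """Constructed: outer ZIP wrapping a password-protected payload archive (layout assumed)."""
    inner = _mark_encrypted(_build_zip([("RuntimeIndexer.exe", b"MZ" + b"\x90" * 32, True)]))
    return _build_zip([("payload.zip", inner, False)])


def sample_benign_archive() -> bytes:
    """Constructed: ordinary documents, should produce no findings."""
    return _build_zip([("minutes.pdf", b"%PDF-1.4 ...", False), ("photo.jpg", b"\xff\xd8\xff", False)])


if __name__ == "__main__":
    for label, build in (("lure", sample_lure_archive), ("nested", sample_nested_protected_archive),
                         ("benign", sample_benign_archive)):
        print(label, triage_zip(build()) or "clean")
```

Because the nested archive's entries are flagged as encrypted, the function deliberately does not try to read them; a mail gateway that cannot inspect an attachment's contents should treat that fact itself as the finding rather than waving the archive through.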
The executable functions as a backdoor that establishes a connection to a remote server over TCP in order to receive commands that are then executed on the compromised host.
In addition to sending system information, it runs the received commands through cmd.exe, captures their output, and exfiltrates it back to the server. Observed commands include systeminfo, tasklist, curl to retrieve the public IP address via ip-api[.]com, and schtasks to set up persistence.
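On the endpoint, the behaviour just described leaves a recognizable process chain: the HTML Help host (hh.exe, which renders CHM files) spawns a binary from a user-writable folder, and that binary then drives cmd.exe through a short burst of reconnaissance and persistence commands. The detection logic below is an added example, not a rule from Securonix or from any product; it runs over constructed Sysmon-style process-creation records that are invented for this example (the process names and paths are assumptions matching the article's description, not captured telemetry). It alerts on the hh.exe-to-executable launch and on any single parent that pushes three or more distinct recon actions, or a scheduled-task creation, through cmd.exe inside a time window.

```python
"""Process-telemetry detection for the PHANTOM#SPIKE execution chain.
Added example; SAMPLE_EVENTS are constructed, not telemetry from the report."""
from collections import defaultdict

# Markers for the commands the backdoor is reported to run via cmd.exe.
RECON_RULES = (
    ("host survey", lambda cl: "systeminfo" in cl),
    ("process listing", lambda cl: "tasklist" in cl),
    ("public IP lookup", lambda cl: "curl" in cl and any(d in cl for d in ("ip-api.com", "ip-api[.]com"))),
    ("scheduled-task persistence", lambda cl: "schtasks" in cl and "/create" in cl),
)
# Locations an unprivileged user (or a mail client) can drop a binary into.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")


def from_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def recon_labels(cmdline: str) -> list:
    """Return the labels of every recon/persistence rule a command line matches."""
    cl = cmdline.lower()
    return [label for label, test in RECON_RULES if test(cl)]


def detect(events, window: int = 600, min_distinct: int = 3) -> list:
    """Run both rules over process-creation events (dicts with ts, pid, ppid, image, parent_image, cmdline)."""
    alerts = []
    # Rule 1: the CHM host launching an executable from a user-writable path.
    for e in events:
        if e["parent_image"].lower().endswith("\\hh.exe") and from_user_writable(e["image"]):
            alerts.append({"rule": "chm_launch", "ts": e["ts"], "pid": e["pid"], "image": e["image"]})
    # Rule 2: one parent driving cmd.exe through several recon/persistence commands.
    by_parent = defaultdict(list)
    for e in events:
        if e["image"].lower().endswith("\\cmd.exe"):
            labels = recon_labels(e["cmdline"])
            if labels:
                by_parent[(e["ppid"], e["parent_image"])].append((e["ts"], labels))
    for (ppid, parent), hits in by_parent.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):          # sliding window anchored at each hit
            seen = set()
            for t, labels in hits[i:]:
                if t - t0 > window:
                    break
                seen.update(labels)
            if len(seen) > len(best):
                best = seen
        persistence_from_dropper = "scheduled-task persistence" in best and from_user_writable(parent)
        if len(best) >= min_distinct or persistence_from_dropper:
            alerts.append({"rule": "cmd_recon_chain", "ppid": ppid, "parent": parent, "labels": sorted(best)})
    return alerts


# Constructed Sysmon Event ID 1-style records. The first five mimic the chain described
# in the article; the last two are benign admin activity that must not alert.
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 400, "ppid": 300, "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\Forum_Army_2024_minutes.chm'},
    {"ts": 2, "pid": 410, "ppid": 400, "image": r"C:\Users\victim\Downloads\RuntimeIndexer.exe",
     "parent_image": r"C:\Windows\hh.exe", "cmdline": r"C:\Users\victim\Downloads\RuntimeIndexer.exe"},
    {"ts": 5, "pid": 420, "ppid": 410, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\victim\Downloads\RuntimeIndexer.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"ts": 6, "pid": 421, "ppid": 410, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\victim\Downloads\RuntimeIndexer.exe", "cmdline": "cmd.exe /c tasklist"},
    {"ts": 8, "pid": 422, "ppid": 410, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\victim\Downloads\RuntimeIndexer.exe", "cmdline": "cmd.exe /c curl ip-api.com/line"},
    {"ts": 30, "pid": 423, "ppid": 410, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\victim\Downloads\RuntimeIndexer.exe",
     "cmdline": r'cmd.exe /c schtasks /create /tn Indexer /tr "C:\Users\victim\Downloads\RuntimeIndexer.exe" /sc minute'},
    {"ts": 100, "pid": 500, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"ts": 120, "pid": 510, "ppid": 600, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Monitoring\agent.exe", "cmdline": "cmd.exe /c tasklist /svc"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Keying the second rule on the parent process rather than on any single command is what keeps it quiet: systeminfo or tasklist alone is routine admin activity, while one freshly dropped binary issuing the whole survey-then-persist sequence within minutes is the pattern the report describes.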
The researchers said, "This backdoor essentially functions as a command line-based remote access trojan (RAT) that provides the attacker with persistent, covert, and secure access to the infected system."
They added, "The ability to execute commands remotely and relay the results back to the C2 server allows the attacker to control the infected system, steal sensitive information or execute additional malware payloads."