Researchers from Kaspersky Lab report an increase in attacks on Russian organizations using PhantomDL and DarkWatchman RAT.
At the beginning of July, experts noticed two waves of targeted mailings carrying malicious archives, addressed to Russian organizations, mainly in the manufacturing, government, financial and energy sectors.
The first wave took place on July 5th and affected about 400 users; the second, more widespread, took place on July 10th and affected over 550 users.
Moreover, some emails were replies to genuine correspondence with the target organizations' counterparties, which points to the use of compromised counterparty mailboxes or previously stolen correspondence.
As a payload, the attackers distributed a password-protected RAR archive, either attached to the email or downloaded from a Google Drive link in its body.
The archive contained a decoy document and a folder of the same name holding an executable file, usually with a double extension (for example, “Invoice-Invoice.pdf .exe”).
This archive structure can be used in attempts to exploit CVE-2023-38831, a vulnerability that has become widespread among attackers.
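The archive layout just described (a decoy document next to a same-named folder holding a double-extension executable) is easy to flag before an archive reaches a user. The following scanner is an added example, not code from the Kaspersky report or from either malware family: it works on archive entry listings, builds a constructed sample ZIP in memory to show the match, and uses extension sets that are assumptions chosen here. A RAR listing from a third-party library would be fed to the same function.

```python
"""Heuristic scanner for the CVE-2023-38831-style archive layout: a bait document
next to a directory of the same name (possibly with trailing whitespace) that
holds an executable whose name starts with the bait's name, typically with a
double extension such as "Invoice-Invoice.pdf .exe".
"""
import io
import posixpath
import zipfile
from typing import Iterable

# Assumed extension sets; widen them to match what the mail gateway treats as executable.
EXECUTABLE_EXTS = {".exe", ".cmd", ".bat", ".scr", ".com", ".vbs", ".js", ".ps1", ".pif", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}


def has_double_extension(name: str) -> bool:
    """True for names like 'Invoice.pdf .exe': an executable suffix after a document suffix."""
    stem, ext = posixpath.splitext(name)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    return posixpath.splitext(stem.rstrip())[1].lower() in DOCUMENT_EXTS


def find_lookalike_pairs(entries: Iterable[str]) -> list[dict]:
    """Return one finding per (bait file, same-named directory, executable inside it)."""
    files: list[str] = []
    dirs: set[str] = set()
    for raw in entries:
        n = raw.replace("\\", "/")
        is_dir = n.endswith("/")
        n = n.strip("/")
        if not n:
            continue
        parts = n.split("/")
        for i in range(1, len(parts)):        # every path prefix is an (implicit) directory
            dirs.add("/".join(parts[:i]))
        if is_dir:
            dirs.add(n)
        else:
            files.append(n)

    findings = []
    for bait in files:
        parent, base = posixpath.split(bait)
        if posixpath.splitext(base)[1].lower() not in DOCUMENT_EXTS:
            continue
        for d in dirs:
            dparent, dbase = posixpath.split(d)
            # same parent and same name once trailing whitespace is ignored
            if dparent != parent or dbase.rstrip().lower() != base.lower():
                continue
            for f in files:
                fparent, fbase = posixpath.split(f)
                if fparent != d:
                    continue
                if (posixpath.splitext(fbase)[1].lower() in EXECUTABLE_EXTS
                        and fbase.lower().startswith(base.lower())):
                    findings.append({
                        "bait": bait,
                        "directory": d,
                        "executable": f,
                        "double_extension": has_double_extension(fbase),
                    })
    return findings


def scan_zip_bytes(data: bytes) -> list[dict]:
    """Scan an in-memory ZIP; a RAR listing (e.g. from the rarfile package) can be passed to find_lookalike_pairs directly."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_lookalike_pairs(zf.namelist())


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the reported layout; contents are placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice-Invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Invoice-Invoice.pdf /", b"")
        zf.writestr("Invoice-Invoice.pdf /Invoice-Invoice.pdf .exe", b"MZ placeholder")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip_bytes(build_sample_archive()):
        print("suspicious layout:", hit)
```

The match is deliberately loose on whitespace (the folder name is compared after stripping trailing spaces) because the space is what makes the folder look identical to the document in a file listing; a benign archive with a document and an unrelated folder of the same name produces no finding unless the folder also holds an executable named after the document.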
If the attack succeeded, the Backdoor.Win64.PhantomDL malware, written in Go and heavily obfuscated, was installed on the victim's device.
PhantomDL was first seen in March 2024 and was preceded by PhantomRAT, written in .NET; essentially it is the same software rewritten in a different language.
Like its predecessor, PhantomDL is used mainly to install and run various HackTool utilities and remote administration software; in this case these were rsockstun and ngrok for tunneling traffic, sshpass for accessing a computer via SSH, and others.
Unlike previous versions, which used HTTP, the current version of the backdoor communicates with its C2 over the RSocket protocol.
It is worth noting that mailings similar in design, purpose, and in the naming and format of their attachments were observed earlier, from late April to early June, but they distributed a different malware, DarkWatchman RAT, which gives attackers remote access to the infected system.
Based on their analysis of the malware used, the IoCs and the TTPs, researchers believe that the hacker group known as Head Mare is behind the PhantomDL attacks.
