
"The infection chain begins with a phishing email that masquerades as legitimate financial communications, urging recipients to confirm a recent bank transfer. Attached to the email is a ZIP archive that claims to contain additional details, but, instead, contains an ISO file that, when launched, mounts on the system as a virtual CD drive. The ISO image ("Подтверждение банковского перевода.iso" or "Bank transfer confirmation.iso") serves as an executable that's designed to launch Phantom Stealer by means of an embedded DLL ("CreativeAI.dll")."
"Phantom Stealer is capable of extracting data from cryptocurrency wallet browser extensions installed in Chromium-based browsers and desktop wallet apps, as well as grabbing files, Discord authentication tokens, and browser-related passwords, cookies, and credit card details. It also monitors clipboard content, logs keystrokes, and runs a series of checks to detect virtualized, sandboxed, or analysis environments, and if so, aborts its execution. Data exfiltration is achieved via a Telegram bot or to an attacker-controlled Discord webhook."
An active phishing campaign targets Russian organizations by delivering Phantom Stealer via malicious ISO disc images. Finance and accounting staff are the primary targets; procurement, legal, HR, and payroll personnel are secondary targets. The phishing emails pose as payment confirmations and carry ZIP attachments containing ISO files that, once opened, mount as virtual CD drives and execute an embedded DLL. Phantom Stealer harvests crypto wallet data, files, Discord tokens, browser credentials, cookies, card details, clipboard contents, and keystrokes; exfiltration uses Telegram, Discord webhooks, or FTP. The malware checks for virtualized or sandboxed environments and aborts execution if it finds one.
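A defender-side check for the ZIP-wrapping-an-ISO attachment pattern described above, added here as an example and not code from the article or from any vendor: it opens a ZIP in memory and flags nested disk images by extension and by the ISO 9660 volume descriptor identifier, so a renamed image is caught too. The sample archive is constructed; only the lure filename comes from the article.

```python
import io
import zipfile

# Extensions of disk images that should not arrive nested in a mail attachment.
DISK_IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")
# ISO 9660 primary volume descriptor: type byte 0x01 at 0x8000, "CD001" at 0x8001.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"


def looks_like_iso(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 volume descriptor identifier."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def find_nested_disk_images(zip_bytes: bytes) -> list[dict]:
    """One finding per ZIP member that is, or claims to be, a disk image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            by_ext = info.filename.lower().endswith(DISK_IMAGE_EXTS)
            # Read only the header region needed for the magic check, not the whole member.
            with zf.open(info) as member:
                head = member.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
            by_magic = looks_like_iso(head)
            if by_ext or by_magic:
                findings.append({"member": info.filename, "by_ext": by_ext,
                                 "by_magic": by_magic, "size": info.file_size})
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure for testing: the Russian-named ISO from the article plus a
    renamed image that only the magic check catches; the ISO body is an empty stub."""
    iso = bytearray(0x8000 + 2048)
    iso[0x8000] = 0x01
    iso[0x8001:0x8006] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Подтверждение банковского перевода.iso", bytes(iso))
        zf.writestr("details.pdf", bytes(iso))  # disk image under a misleading name
        zf.writestr("readme.txt", b"see attached confirmation")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_nested_disk_images(build_sample_zip()):
        print(hit)
```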
Read at The Hacker News