PHANTOM#SPIKE malware campaign targets Pakistani users

June 25, 2024
PHANTOM#SPIKE Malware Campaign Pakistan South Asia Cyberattack Phishing

A newly identified malware campaign, tracked as PHANTOM#SPIKE, is using phishing emails to deliver a backdoor to targets in Pakistan.

According to the reports, the phishing emails carry a ZIP archive whose contents include a password-protected payload archive. This is only one of several delivery methods the operators use in the ongoing campaign.

Researchers also noted that the campaign stands out for its lack of sophistication: initial analysis showed that the PHANTOM#SPIKE operators rely on simple payloads to obtain remote access to victims' PCs.

The PHANTOM#SPIKE group uses high-profile events to lend legitimacy to its lures.

Investigations show that the emails sent by the PHANTOM#SPIKE threat group carry a ZIP archive purporting to contain meeting minutes for the International Military-Technical Forum Army 2024.

The forum is a real event organised by the Russian Federation's Ministry of Defence and is due to take place in Moscow in a couple of months, which gives the lure a plausible pretext.

Researchers explained that the ZIP archive contains a Microsoft Compiled HTML Help (CHM) file and a hidden executable, RuntimeIndexer.exe. When the target opens the CHM file, it displays the meeting minutes and a few images, but clicking anywhere in the document silently launches the bundled executable.
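As an added example (not the researchers' tooling and not code from the page), the following Python pre-filter inspects a ZIP attachment for the traits described above: a CHM "document" packaged with an executable that carries the DOS hidden attribute, and any password-protected entries that would defeat content scanning. The file names are taken from the article; the archive contents are constructed dummy bytes, and the hidden-attribute check relies on the DOS attribute byte that Windows archivers store in the ZIP central directory.

```python
"""Static triage of a ZIP lure shaped like the one described above.

Added example, not the researchers' tooling. File names follow the article;
the archive contents are constructed dummy bytes.
"""
import io
import os
import zipfile

DOS_HIDDEN = 0x02       # MS-DOS 'hidden' attribute, low byte of external_attr (Windows-made archives)
ENCRYPTED_FLAG = 0x01   # general-purpose flag bit 0: entry is password-protected

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Expected leading bytes for the formats the lure combines.
EXPECTED_MAGIC = {".chm": b"ITSF", ".exe": b"MZ", ".scr": b"MZ"}


def build_sample_archive() -> bytes:
    """Constructed test data: a visible CHM 'document' plus an executable that
    carries the DOS hidden attribute, as a Windows archiver would record it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Army2024_meeting_minutes.chm", b"ITSF" + b"\x00" * 60)
        hidden = zipfile.ZipInfo("RuntimeIndexer.exe")
        hidden.external_attr = DOS_HIDDEN
        zf.writestr(hidden, b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a plain text attachment, nothing hidden."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("minutes.txt", b"Agenda item 1: ...")
    return buf.getvalue()


def analyze_archive(data: bytes) -> dict:
    """Return the traits a mail-gateway or sandbox pre-filter would flag."""
    result = {"entries": [], "hidden": [], "executables": [], "encrypted": [],
              "magic_mismatch": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            result["entries"].append(name)
            if info.external_attr & DOS_HIDDEN:
                result["hidden"].append(name)
            if ext in EXECUTABLE_EXTS:
                result["executables"].append(name)
            if info.flag_bits & ENCRYPTED_FLAG:
                # Content cannot be read without the password; the flag alone is
                # worth surfacing because it defeats naive content scanning.
                result["encrypted"].append(name)
                continue
            expected = EXPECTED_MAGIC.get(ext)
            if expected is not None:
                with zf.open(info) as fh:
                    if not fh.read(len(expected)).startswith(expected):
                        result["magic_mismatch"].append(name)
    has_chm = any(e.lower().endswith(".chm") for e in result["entries"])
    hidden_exe = [e for e in result["executables"] if e in result["hidden"]]
    if has_chm and hidden_exe:
        result["findings"].append("chm_plus_hidden_executable")
    elif hidden_exe:
        result["findings"].append("hidden_executable")
    if result["encrypted"]:
        result["findings"].append("password_protected_entries")
    if result["magic_mismatch"]:
        result["findings"].append("extension_magic_mismatch")
    return result


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_archive()), ("benign", build_benign_archive())):
        r = analyze_archive(blob)
        print(f"{label}: findings={r['findings']} hidden={r['hidden']}")
```

The hidden-attribute bit is only meaningful for archives created on a DOS/Windows host (ZipInfo.create_system == 0); archives from other systems keep Unix mode bits in the high word instead, so a production filter should check create_system before trusting that byte.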

The executable functions as a backdoor: it connects to a remote server over TCP, receives commands, and executes them on the compromised host.

Beyond relaying system information, the malware executes commands through cmd.exe, captures the output and sends it back to the attacker-controlled server. Observed activity includes running systeminfo and tasklist for reconnaissance, curl to obtain the host's public IP address from ip-api[.]com, and schtasks to establish persistence.

In effect, the backdoor is a command-line RAT that gives the attackers a foothold on the infected machine, lets them run commands covertly, and helps them maintain access.

Because it can execute arbitrary commands remotely and return the results to the command-and-control server, the attacker can take control of the system, steal sensitive information, or deploy additional payloads.
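The behaviour described above leaves a distinctive process tree on the endpoint. As an added example, not the researchers' detection content, the following Python script runs a few process-tree rules over constructed events in the shape of Sysmon Event ID 1 (process creation) records: the help viewer hh.exe spawning a child, a recon cluster (systeminfo, tasklist, ip-api.com lookup, schtasks) under one non-Windows executable, and a scheduled task whose target lives outside the Windows directory. PIDs, the user name and the download path are assumptions chosen to match the article.

```python
"""Process-tree detection for the post-compromise behaviour described above.

Added example, not the researchers' detection content. EVENTS is constructed
test data in the shape of Sysmon Event ID 1 fields; PIDs and paths are assumed.
"""
import re
import ntpath
from collections import defaultdict

EVENTS = [
    {"pid": 100, "ppid": 50, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Victim opens the CHM lure; Windows renders it with hh.exe.
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'hh.exe "C:\Users\u\Downloads\Army2024\meeting_minutes.chm"'},
    # The help file launches the hidden executable shipped in the same ZIP.
    {"pid": 102, "ppid": 101, "image": r"C:\Users\u\Downloads\Army2024\RuntimeIndexer.exe",
     "cmdline": "RuntimeIndexer.exe"},
    # The backdoor runs operator commands through cmd.exe.
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"pid": 105, "ppid": 102, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c tasklist"},
    {"pid": 106, "ppid": 105, "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 107, "ppid": 102, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c curl ip-api.com/json"},
    {"pid": 108, "ppid": 107, "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl ip-api.com/json"},
    {"pid": 109, "ppid": 102, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c schtasks /create /sc minute /mo 5 /tn Indexer /tr "C:\Users\u\Downloads\Army2024\RuntimeIndexer.exe"'},
    {"pid": 110, "ppid": 109, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Indexer /tr "C:\Users\u\Downloads\Army2024\RuntimeIndexer.exe"'},
    # Control case: an administrator running tasklist from an ordinary shell.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c tasklist"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
]

# Command patterns the article attributes to the backdoor.
RECON = {
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "tasklist": re.compile(r"\btasklist\b", re.I),
    "public_ip": re.compile(r"ip-api\.com", re.I),
    "schtasks_create": re.compile(r"\bschtasks\b.*/create\b", re.I),
}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_windows_binary(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def descendants(children, pid):
    """All transitive children of pid (depth-first)."""
    out, stack = [], list(children[pid])
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children[p])
    return out


def detect(events):
    """Return (rule, pid) alerts for the process tree in events."""
    by_pid, children = build_tree(events)
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # A help file has no legitimate reason to start another program.
        if parent and basename(parent["image"]) == "hh.exe":
            alerts.append(("chm_viewer_spawned_process", e["pid"]))
        if RECON["public_ip"].search(e["cmdline"]):
            alerts.append(("public_ip_lookup", e["pid"]))
        if basename(e["image"]) == "schtasks.exe" and RECON["schtasks_create"].search(e["cmdline"]):
            # Simple /tr extraction; quoted targets containing spaces need a real tokenizer.
            tr = re.search(r'/tr\s+"?([^"\s]+)', e["cmdline"], re.I)
            if tr and not is_windows_binary(tr.group(1)):
                alerts.append(("scheduled_task_persistence", e["pid"]))
        # Recon cluster: one non-Windows binary whose descendants cover >= 3 of the patterns.
        if not is_windows_binary(e["image"]):
            hits = {name for d in descendants(children, e["pid"])
                    for name, rx in RECON.items() if rx.search(by_pid[d]["cmdline"])}
            if len(hits) >= 3:
                alerts.append(("recon_cluster", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid={pid} image={EVENTS[[x['pid'] for x in EVENTS].index(pid)]['image']}")
```

The control events (pids 200 and 201) produce no alert: tasklist from an interactive shell is routine, and the rules key on the parent (hh.exe), on the specific ip-api.com lookup, on a scheduled task pointing outside the Windows directory, and on the combination of recon commands under a single unsigned-looking binary rather than on any one command by itself.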

Users in Pakistan should be wary of this phishing campaign, particularly unsolicited emails about a sensitive or topical subject that arrive out of nowhere. Do not open unexpected archives or the files inside them. On the defensive side, treating CHM attachments in email as suspicious and watching for the Windows help viewer (hh.exe) spawning other processes are practical checks, since a help file has no legitimate reason to launch an executable.
