FACCT specialists spoke about the discovery of a new, previously unknown bootloader PhantomDL (or PhantomGoDownloader). Analysis of the identified samples allowed us to establish a connection between the malware and the PhantomCore group.
Researchers first spoke about the PhantomCore spy group this spring. Since January 2024, hackers have been attacking Russian companies and using the unique PhantomRAT remote access Trojan in their operations.
As a rule, the group sends phishing emails to targets with password-protected archives as attachments and a password in the body of the email. Experts also believe that phishing emails with an attached archive were also used to distribute PhantomDL.
As experts now say, at the end of March an executable file with the name “Akt_priema_peredaci_plosadki_20240322103904_20240323105837.pdf.exe” and a password-protected RAR archive “Akt_priema_peredaci_plosadki_20240322103904_2024032” were discovered on VirusTotal 3105837.rar.”
Researchers were able to guess the password for the archive (11112222), and it turned out that the archive contains an executable file and a legitimate PDF file, which is a decoy document with the same name.
The bait document, in turn, contains information about the transfer and acceptance certificate of a construction site for work on the territory of a Russian enterprise from the nuclear industry.
Attackers are exploiting a variant of the WinRAR vulnerability (CVE-2023-38831), in which RAR archives are used instead of ZIP archives. Thus, if a user with a WinRAR version less than 6.23 launches a PDF file, the executable file contained in the archive directory of the same name will be launched. If using WinRAR version 6.23 and higher, the user will be shown a legitimate PDF file.
The executable in question is a bootloader written in Go, which the utility was allegedly used to obfuscate garble.
In addition, on March 26, another archive with the password “11112222” was uploaded to VirusTotal, containing the following files:
- “Contract information.pdf .exe” is a Go loader with the same hash as the file “Akt_priema_peredaci_plosadki_20240322103904_20240323105837.pdf .exe” (SHA-1: d6a7b11b0f71cb3ea14a4c89d2d742a9 0a05bf3c);
- “Contract Information.pdf” is a legitimate PDF file that is a decoy document. However, the contents of the document do not correspond to its title.
About a month after the first discovery of the Go loader, experts were able to identify a new sample, which, unlike the earlier one, did not have obfuscation of classes and methods. This allowed us to get the project name D:githubphantomDL and name the loader PhantomDL.
This sample supports the same commands as the earlier version of the bootloader: bay, install. But a different IP address is used as the control server: 91.219.151(.)47. Also among the changes is the fact that in the new sample the names of the pages for sending requests to the server have been replaced.
The malware was linked to PhantomCore due to several factors. For example, overlaps were noticed in the naming of files and passwords for archives from different attacks, and PhantomCore was the first group known to researchers to exploit CVE-2023-38831 using RAR archives instead of ZIP archives.
In addition, intersections were observed in the name of the PDB paths of the PhantomRAT modules and in the path names of the Go files of the PhantomDL loader project, as well as intersections in the names of classes and methods.
The researchers summarize that PhantomCore is actively developing its tools and moving from the testing stage to the offensive. If in the first attacks the attackers used a simple PhantomCore.Downloader loader, and specialists discovered test samples in public sandboxes, then a month later they switched to a more complex PhantomDL loader.
It is separately noted that attackers use high-quality decoy documents, the contents of which may indicate that they are targeting Russian enterprises in the military-industrial complex or organizations interacting with them.