Operation MoneyMount-ISO: Phantom Stealer Targets Windows Systems via ISO Files
A sophisticated phishing campaign, dubbed Operation MoneyMount-ISO, has been identified, targeting Windows systems through malicious ISO files to deploy the Phantom information-stealing malware. This operation primarily focuses on finance and accounting departments within Russian-speaking organizations, posing significant risks such as credential theft, invoice fraud, unauthorized fund transfers, and potential lateral movement within IT infrastructures.
Initial Attack Vector
The campaign initiates with phishing emails bearing the subject Подтверждение банковского перевода (Confirmation of Bank Transfer). These emails, sent from compromised domains, impersonate reputable entities like TorFX Currency Broker. Attached to these emails is a ZIP file approximately 1 MB in size, which, when opened, reveals a malicious ISO file masquerading as a legitimate bank transfer confirmation document.
Infection Mechanism
When the ISO file is opened, Windows mounts it as a virtual CD drive that displays an executable file made to look legitimate. That executable loads additional payloads into memory, including a DLL named CreativeAI.dll that contains encrypted code. The DLL decrypts the final Phantom Stealer payload and injects it into the system, after which data collection and exfiltration begin.
Phantom Stealer Capabilities
Phantom Stealer is a comprehensive data theft tool with extensive capabilities:
– Anti-Analysis Techniques: The malware detects virtualized environments and security tools, self-destructing if such conditions are identified.
– Cryptocurrency Wallet Data Harvesting: It targets both browser extensions and desktop applications, extracting data from numerous known crypto wallets.
– Discord Token Extraction: The stealer retrieves Discord authentication tokens from browser databases and native installations, validating them through Discord’s API to collect user information, including usernames, emails, and Nitro subscription status.
– Clipboard Monitoring: A continuous clipboard monitor captures contents every second, logging timestamped entries for exfiltration.
– Keystroke Logging: Utilizing low-level Windows hooks, it records global keystrokes.
– Browser Data Recovery: The malware recovers saved passwords and credit card data from Chromium-based browsers by parsing SQLite databases.
– Targeted File Collection: It collects files based on predefined criteria, focusing on documents and images.
Data Exfiltration Methods
Once data is collected, Phantom Stealer packages it into a ZIP archive that includes system metadata, public IP addresses, and configuration toggles. The malware employs multiple exfiltration channels to ensure the stolen information reaches the attackers:
– Telegram Bot APIs: Utilizing Telegram’s API to send data.
– Discord Webhooks: Leveraging Discord’s webhook functionality for data transmission.
– FTP Servers: Uploading data to FTP servers with optional SSL support.
Recommendations for Organizations
To defend against such evolving threats, organizations should:
– Filter Containerized Attachments: Implement continuous filtering of attachments like ZIP and ISO files.
– Deploy Memory-Behavior Monitoring Solutions: Utilize tools that monitor and analyze memory behavior to detect anomalies.
– Harden Email Security Workflows: Enhance email security protocols, especially for departments handling financial transactions.
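A content-based check for the first recommendation, added here as an illustration and not code from the report: it opens a ZIP attachment, inflates only the leading bytes of each member, and flags anything that is an ISO 9660 image by signature (which also catches an image renamed to look like a document) or that carries a blocked suffix. The suffix list and the sample archive are constructed for this example.

```python
import io
import zipfile

# ISO 9660 images carry the volume descriptor signature "CD001" at byte
# offset 0x8001 (sector 16 plus one byte), whatever the file is called.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
# Container and executable suffixes to refuse in finance-facing mailboxes;
# a policy choice made for this example, not a list taken from the report.
BLOCKED_SUFFIXES = (".iso", ".img", ".exe", ".scr", ".lnk", ".js", ".vbs")


def looks_like_iso(head: bytes) -> bool:
    """True if the leading bytes of a file carry the ISO 9660 signature."""
    return head[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def inspect_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """Flag ZIP members that are disc images or carry a blocked suffix."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Inflate only the first 0x8006 bytes, so a large or padded
            # member is judged without being fully decompressed.
            with zf.open(info) as member:
                head = member.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
            reasons = []
            if looks_like_iso(head):
                reasons.append("content is an ISO 9660 image")
            if info.filename.lower().endswith(BLOCKED_SUFFIXES):
                reasons.append("blocked suffix")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: an honest .iso, an ISO disguised as a PDF, a text file."""
    fake_iso = bytearray(ISO_MAGIC_OFFSET + 64)
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("bank_transfer_confirmation.iso", bytes(fake_iso))
        zf.writestr("invoice.pdf", bytes(fake_iso))  # ISO content behind a document name
        zf.writestr("notes.txt", b"plain text, nothing to flag")
    return buf.getvalue()
```

Running inspect_zip_attachment over build_sample_attachment() reports the two image members and leaves the text file alone.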
By adopting these measures, organizations can bolster their defenses against sophisticated phishing campaigns and malware threats like Phantom Stealer.