PHANTOM#SPIKE

| Attribute | Value |
|---|---|
| Type of Malware | Trojan |
| Targeted Countries | Pakistan |
| Date of Initial Activity | 2024 |
| Associated Groups | Unknown |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Type of Information Stolen | System Information |
| Targeted Systems | Windows |
Overview
In the ever-evolving landscape of cyber threats, the PHANTOM#SPIKE campaign stands out as a significant and concerning development. This sophisticated attack, uncovered by Securonix Threat Research, demonstrates a troubling blend of stealth and precision in its execution. At the heart of this campaign lies a custom CSharp backdoor payload, ingeniously delivered through a seemingly innocuous military-themed phishing lure. The attackers behind PHANTOM#SPIKE are employing a methodical approach to exploit Compiled HTML Help (CHM) files, a tactic that reflects a deeper trend in cyberattack strategies—leveraging trusted file formats to circumvent traditional security measures.
The campaign’s primary objective appears to be targeting individuals and organizations associated with Pakistan, although there are indications of potential broader implications. The use of ZIP files containing password-protected archives and CHM files underscores the attackers’ intent to avoid detection and maximize their chances of successful infiltration.
By capitalizing on the allure of military-related documents, the threat actors aim to deceive their victims into executing a malicious payload, which, once activated, establishes a persistent and covert presence on the compromised system. This approach highlights the evolving nature of cyber threats and the need for heightened vigilance in defending against such tactics.
Targets
Individuals
Information
How they operate
The initial phase of the PHANTOM#SPIKE campaign typically involves phishing attacks. Attackers deploy emails crafted to appear as legitimate military-related communications. These emails often contain malicious attachments or links, such as Compiled HTML Help (CHM) files, which exploit the user’s trust. Execution depends entirely on user action: once the victim opens the CHM file, the embedded payload is triggered and the malware begins its operation.
Once executed, PHANTOM#SPIKE establishes persistence on the infected system. This is accomplished through modifications to the Windows Registry, specifically by altering Run keys or placing files in the startup folder. These changes ensure that the malware is executed automatically upon system reboot, maintaining its presence on the infected machine. This persistence mechanism is crucial for the malware, allowing it to operate undetected over extended periods.
To facilitate its operations, PHANTOM#SPIKE employs sophisticated command and control (C2) techniques. The malware communicates with its C2 server using encrypted channels, which helps evade detection by traditional security measures. This encrypted communication allows the attackers to issue commands, exfiltrate data, and update the malware as needed, all while remaining concealed from security monitoring tools.
In terms of defense evasion, PHANTOM#SPIKE utilizes a variety of techniques. The malware often obfuscates its files and payloads through encryption or by embedding them within seemingly innocuous ZIP files that require passwords to open. This obfuscation helps the malware avoid detection by security software. Additionally, the malware employs masquerading techniques, disguising itself as legitimate military documents to bypass security defenses and reduce the likelihood of suspicion from the victim.
Data collection is another critical function of PHANTOM#SPIKE. Once inside the target system, the malware gathers sensitive information, including personal files and system data. This data is then exfiltrated to the attackers’ C2 server via the same encrypted communication channel used for command and control operations. The exfiltration process is carefully designed to avoid detection and ensure that valuable information is successfully transmitted back to the attackers.
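One way to hunt for the behaviour described above in endpoint telemetry, as an added example that is not part of the original report: the script below runs over constructed Sysmon-style events and flags a CHM opened by the Windows HTML Help viewer (hh.exe) spawning a child process, and Run-key or Startup-folder persistence that points outside trusted program directories. The event records, file names and paths are constructed and assumed for illustration; they are not indicators from the campaign.

```python
"""Detection logic for two PHANTOM#SPIKE behaviours described in the profile:
  1. A CHM file acting as a launcher: hh.exe (Windows HTML Help viewer)
     spawns a child process after opening the CHM.
  2. Persistence via a Run key or the Startup folder whose target lives
     outside Program Files / Windows.
All events below are constructed for this example (Sysmon-like shape:
EventID 1 = process create, 13 = registry value set, 11 = file create)."""
import re

EVENTS = [  # constructed sample telemetry, not real campaign data
    {"id": 1, "pid": 4100, "ppid": 3000, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\Orders.chm'},
    {"id": 1, "pid": 4102, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Roaming\svc.exe"},
    {"id": 13, "pid": 4102,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"id": 11, "pid": 4102,
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    # Benign: a CHM opened from the Windows help folder that spawns nothing.
    {"id": 1, "pid": 5000, "ppid": 900, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Windows\Help\mui\0409\manual.chm'},
    # Benign: a Run key pointing into Program Files (hypothetical vendor agent).
    {"id": 13, "pid": 5100,
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
TRUSTED = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.IGNORECASE)

def chm_spawned_children(events):
    """Command lines of processes whose parent is hh.exe (CHM used as a launcher)."""
    hh_pids = {e["pid"] for e in events
               if e["id"] == 1 and e["image"].lower().endswith(r"\hh.exe")}
    return [e["cmdline"] for e in events if e["id"] == 1 and e["ppid"] in hh_pids]

def suspicious_persistence(events):
    """Run-key values outside trusted dirs, plus any file dropped in a Startup folder."""
    hits = []
    for e in events:
        if e["id"] == 13 and RUN_KEY.search(e["target"]) and not TRUSTED.match(e["details"]):
            hits.append(e["target"])
        elif e["id"] == 11 and STARTUP.search(e["target"]):
            hits.append(e["target"])
    return hits

if __name__ == "__main__":
    print("hh.exe children:", chm_spawned_children(EVENTS))
    print("persistence:", suspicious_persistence(EVENTS))
```

The benign hh.exe and Program Files entries are included so the rules show their false-positive boundary; in production, the TRUSTED allow-list should be tuned to the environment rather than used verbatim.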
MITRE Tactics and Techniques
Initial Access:
Phishing (T1566): The malware is delivered through phishing emails, often disguised as military-themed messages, to lure victims into executing malicious files.
Execution:
User Execution (T1204): The malware is distributed via a Compiled HTML Help (CHM) file, requiring the user to open and execute it for the malware to activate.
Persistence:
Registry Run Keys / Startup Folder (T1547.001): The malware establishes persistence by modifying registry keys or placing files in the startup folder, ensuring it remains active after system reboots.
Command and Control (C2):
Ingress/Egress Tool (T1132): The malware communicates with its command and control (C2) server using encrypted channels, allowing for stealthy command execution and data retrieval.
Defense Evasion:
Obfuscated Files or Information (T1027): The malware employs obfuscation techniques, such as encrypting or hiding its payload within ZIP files or using password protection to avoid detection.
Masquerading (T1036): The malware disguises itself as legitimate military-related documents to bypass security measures and avoid suspicion.
Collection:
Data from Local System (T1005): The malware collects data from the compromised system, including sensitive files or personal information, which is then exfiltrated to the attackers.
Exfiltration:
Exfiltration Over Command and Control Channel (T1041): Collected data is transmitted to the attacker’s C2 server via the encrypted communication channel established by the malware.