A complex malware campaign dubbed “Phantom Goblin” has been discovered, which employs social engineering techniques to install information-stealing malware. The malware is distributed by RAR attachments in spam messages, which includes a poisoned shortcut file posing as a PDF.
When executed, the LNK file launches a PowerShell operation to download further payloads from a GitHub repository, ensuring persistence by generating a registry entry that starts at system boot. These payloads, such as “updater.exe,” “vscode.exe,” and “browser.exe,” spoof legitimate apps, which complicates detection.
The malware primarily targets web browsers and development tools to steal sensitive data. It harvests cookies, login passwords, and browsing history by forcing browsers such as Chrome, Brave, and Edge to shut down. The “updater.exe” payload allows remote debugging to bypass Chrome’s App Bound Encryption (ABE) and achieve covert data exfiltration.
The stolen information is subsequently transferred to a Telegram channel via the Telegram Bot API. This approach allows cybercriminals to access data in real time without suspicion.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: