June 21, 2024 at 09:45AM
Cybersecurity researchers have uncovered a new phishing campaign, tracked as PHANTOM#SPIKE, that targets people in Pakistan and uses military-themed lure documents to deploy a custom backdoor. The campaign is unsophisticated: its ZIP file, posing as meeting minutes for a legitimate event, contains a CHM file and an executable backdoor that gives the attacker remote access and command execution on the victim’s machine.
Key takeaways from the report:
– A new phishing campaign dubbed PHANTOM#SPIKE has been identified, targeting individuals in Pakistan using a custom backdoor.
– The threat actors behind the campaign used military-themed phishing documents to start the infection chain, delivered as ZIP files with a password-protected payload archive.
– The phishing emails contain a ZIP archive purported to be meeting minutes related to the International Military-Technical Forum Army 2024, but actually containing a Microsoft Compiled HTML Help (CHM) file and a hidden executable (“RuntimeIndexer.exe”) designed to function as a backdoor.
– The backdoor establishes connections with a remote server over TCP, retrieves and executes commands on the compromised host, passes along system information, and exfiltrates data back to the server, essentially functioning as a command line-based remote access trojan (RAT).
– The attacker gains control of the infected system, enabling the theft of sensitive information or execution of additional malware payloads.
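The lure pattern in the takeaways above (a CHM “meeting minutes” file packaged next to a hidden executable in one ZIP) is easy to triage before anything is opened. The script below is an added example, not code from the report or from the researchers; it builds a constructed archive in memory with synthetic stand-in members (file headers plus padding, not the campaign’s real files, and the member names are assumptions chosen to mirror the description) and then inspects every member by content rather than by extension. It also records DOS hidden attributes and encrypted members, since a password-protected payload archive cannot be inspected and should be flagged on its own.

```python
import io
import zipfile

# Constructed sample mimicking the lure described above. The member bytes are
# synthetic stand-ins (just file headers plus padding), not the campaign's files.
CHM_MAGIC = b"ITSF"   # Microsoft Compiled HTML Help header
PE_MAGIC = b"MZ"      # DOS/PE executable header
DOS_HIDDEN = 0x02     # DOS attribute bit kept in the low byte of external_attr


def build_sample_zip(with_payload: bool = True) -> bytes:
    """Build the constructed lure archive in memory (hypothetical member names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"Minutes attached.")
        if with_payload:
            zf.writestr("Army2024_Meeting_Minutes.chm", CHM_MAGIC + b"\x00" * 64)
            # Mark the executable hidden via the DOS attribute, so Explorer hides it.
            exe = zipfile.ZipInfo("RuntimeIndexer.exe")
            exe.external_attr = DOS_HIDDEN
            zf.writestr(exe, PE_MAGIC + b"\x90" + b"\x00" * 64)
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Inspect every member by content, not extension, and report the lure pattern."""
    report = {
        "chm_files": [],
        "executables": [],
        "hidden": [],
        "encrypted": [],
        "extension_mismatch": [],
        "suspicious": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if info.flag_bits & 0x1:
                # Encrypted member: content cannot be read without the password.
                report["encrypted"].append(name)
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            is_chm = head.startswith(CHM_MAGIC)
            is_pe = head.startswith(PE_MAGIC)
            if is_chm:
                report["chm_files"].append(name)
            if is_pe:
                report["executables"].append(name)
            if info.external_attr & DOS_HIDDEN:
                report["hidden"].append(name)
            lower = name.lower()
            if (is_pe and not lower.endswith((".exe", ".dll", ".scr"))) or (
                is_chm and not lower.endswith(".chm")
            ):
                # Content and extension disagree: a common way to disguise a payload.
                report["extension_mismatch"].append(name)
    # The described lure: a CHM beside a PE, or a CHM beside members we cannot
    # inspect because they are password-protected.
    report["suspicious"] = bool(
        report["chm_files"] and (report["executables"] or report["encrypted"])
    )
    return report


if __name__ == "__main__":
    for key, value in triage_archive(build_sample_zip()).items():
        print(f"{key}: {value}")
```

Checking the first bytes of each member matters because a mail gateway that keys only on extensions is defeated by renaming the executable; the DOS hidden bit is worth surfacing because a user who extracts the archive in Explorer will only see the CHM and never notice the second file.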