Adversaries distributed phishing emails with .zip polyglot attachments containing a PhantomRemote backdoor disguised as legitimate documents. The backdoor collects system information, communicates with a C2 server, and executes commands received via HTTP requests. #PhantomRemote #Phishing #C2Server
Keypoints
- Phishing emails were sent from legitimate compromised organizations with subjects mimicking transportation and contract documents dated June 26, 2025.
- The emails contained .zip polyglot attachments that are PE32+ DLLs concealing both a decoy file and a malicious ZIP archive with an LNK file.
- The LNK file executes a sequence to locate and run the polyglot .zip file via rundll32.exe calling its EntryPoint function.
- PhantomRemote backdoor, coded in C++, collects system information including GUID, computer name, and domain, storing data in a %PROGRAMDATA% directory named YandexCloud or MicrosoftAppStore.
- The backdoor communicates with a C2 server at 91.239.148.21 over HTTP using GET and POST requests, impersonating User-Agent strings like YandexUpdate/1.0 and MicrosoftAppStore/2001.0.
- PhantomRemote supports commands to execute cmd.exe commands and download additional files from URLs, reporting the results back to the C2 server.
- After command execution, the backdoor invokes Sleep() intervals of 10 seconds on success or 1 second on failure to maintain operation stability.
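The key points above describe an attachment that is a ZIP by extension but a PE32+ DLL by content, with the real archive (and its LNK) appended to the image. The following added example (written for this page, not code from BI.ZONE or from the sample) shows how a mail gateway or triage script can detect that shape: it reads the MZ/PE header at offset 0, checks the PE32+ optional-header magic and the DLL characteristic, and separately asks Python's zipfile whether the same bytes also parse as an archive. The sample inputs are constructed stand-ins (a header-only PE image with a harmless zip appended), not the actual malware; the member name `decoy_invoice.pdf.lnk` is made up.

```python
import io
import struct
import zipfile

# PE constants (from the PE/COFF specification)
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
PE32PLUS_MAGIC = 0x20B
ZIP_EOCD_SIGNATURE = b"PK\x05\x06"


def inspect_pe_header(data):
    """Return facts about the PE header at offset 0, or None if there is none."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 4-byte signature, the 20-byte COFF header and the 2-byte optional-header magic.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _nsect, _stamp, _symptr, _nsyms, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else 0
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def inspect_zip(data):
    """Return the member names of a ZIP archive embedded in data, or None.

    zipfile locates the end-of-central-directory record from the end of the
    buffer, so an archive appended to a PE image is still parsed correctly.
    """
    if ZIP_EOCD_SIGNATURE not in data:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return archive.namelist()
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename, data):
    """Flag a file that claims to be a ZIP but also carries a PE32+ DLL header."""
    pe = inspect_pe_header(data)
    members = inspect_zip(data)
    return {
        "name": filename,
        "pe32plus_dll": bool(pe and pe["pe32plus"] and pe["is_dll"]),
        "extension_mismatch": filename.lower().endswith(".zip") and pe is not None,
        "zip_members": members or [],
        "lnk_inside": any(m.lower().endswith(".lnk") for m in members or []),
        "polyglot": pe is not None and members is not None,
    }


def build_sample_polyglot():
    """Constructed test input: a minimal PE32+ DLL header with a real ZIP appended.

    This is a header-only stand-in with no code in it, not the actual sample.
    """
    e_lfanew = 0x40
    dos_header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 240,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    optional = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 238
    pe_image = bytes(dos_header) + b"PE\0\0" + coff + optional
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("decoy_invoice.pdf.lnk", b"placeholder, not a real shortcut")
    return pe_image + archive.getvalue()


def build_sample_zip():
    """Constructed test input: an ordinary ZIP with no PE header."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("report.txt", b"quarterly numbers")
    return archive.getvalue()


if __name__ == "__main__":
    for name, blob in (("attachment.zip", build_sample_polyglot()),
                       ("report.zip", build_sample_zip())):
        print(classify_attachment(name, blob))
```

The useful signal is the combination: a file whose name says `.zip` but whose first bytes parse as a PE image is worth quarantining on its own, and a listing that shows a `.lnk` member inside that same blob matches the delivery chain described above. Checking magic bytes rather than trusting the extension is what makes the check robust to the polyglot trick.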
MITRE Techniques
- [T1566.001] Phishing – The adversaries used legitimate compromised organization addresses to distribute phishing emails with malicious .zip polyglot attachments (“phishing emails with subject lines such as Транспортная накладная…”).
- [T1204] User Execution – The LNK file within the ZIP required execution by the user to initiate the malicious payload (“The LNK file within the ZIP executes the following sequence…”).
- [T1105] Ingress Tool Transfer – PhantomRemote downloads additional files from C2 URLs using WinAPI functions (“Downloads a file using the URL specified in the command… relies on the WinAPI functions of WINHTTP.dll”).
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The backdoor executes commands via the cmd.exe interpreter (“executes via cmd.exe /c”).
- [T1071.001] Application Layer Protocol: Web Protocols – Communication with C2 is conducted over HTTP GET and POST requests (“The communication is carried out over HTTP… using GET and POST requests”).
- [T1036.005] Masquerading: Match Legitimate Name or Location – The backdoor uses User-Agent strings mimicking legitimate services (“The backdoor uses the User-Agent header strings YandexUpdate/1.0 or MicrosoftAppStore/2001.0”).
Indicators of Compromise
- [File Names] Polyglot attachment and decoy files – Договор_РН83_37_изменения.pdf.lnk, Транспортная_накладная_ТТН_№ 391-44_от_26.06.2025.xls
- [IP Address] C2 server – 91.239.148.21 used for HTTP communication and command control
- [User-Agent Strings] Used in C2 communication – YandexUpdate/1.0, MicrosoftAppStore/2001.0
- [URL Patterns] C2 request URL format – /poll?id=&hostname=&domain= for data transmission and commands
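The indicators above (C2 address, User-Agent strings and the `/poll?id=&hostname=&domain=` request shape) are the kind that go straight into proxy-log hunting. The added example below is written for this page, not taken from the BI.ZONE report, and runs the three checks over a constructed log format (timestamp, client IP, method, URL, status, quoted User-Agent) that is an assumption, not any real product's layout. The client addresses, GUID value and hostnames in the sample lines are made up; the 203.0.113.7 address is from the documentation range and stands in for an unrelated host.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the summary above.
C2_IPS = {"91.239.148.21"}
C2_USER_AGENTS = {"YandexUpdate/1.0", "MicrosoftAppStore/2001.0"}
POLL_PATH = "/poll"
POLL_PARAMS = {"id", "hostname", "domain"}

# Constructed proxy-log layout (an assumption, not a real product format):
# <timestamp> <client ip> <method> <url> <status> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Split one constructed proxy-log line into its fields, or return None."""
    match = LOG_LINE.match(line.strip())
    return match.groupdict() if match else None


def is_poll_beacon(url):
    """True when the URL has the /poll?id=&hostname=&domain= shape from the report."""
    parts = urlsplit(url)
    if parts.path != POLL_PATH:
        return False
    # keep_blank_values so a beacon with empty fields still matches the key set
    params = parse_qs(parts.query, keep_blank_values=True)
    return POLL_PARAMS <= set(params)


def match_indicators(record):
    """Return the indicator names a parsed record triggers, strongest first."""
    reasons = []
    host = urlsplit(record["url"]).hostname or ""
    if host in C2_IPS:
        reasons.append("c2_ip")
    if record["ua"] in C2_USER_AGENTS:
        reasons.append("c2_user_agent")
    if is_poll_beacon(record["url"]):
        reasons.append("poll_beacon_pattern")
    return reasons


def scan_log(lines):
    """Run every line through the indicator checks and collect the alerts."""
    alerts = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        reasons = match_indicators(record)
        if reasons:
            alerts.append({"src": record["src"], "method": record["method"],
                           "url": record["url"], "reasons": reasons})
    return alerts


# Constructed sample traffic; the client addresses, GUID and hostnames are made up.
SAMPLE_LOG = [
    '2025-06-26T09:14:02Z 10.0.0.15 GET http://91.239.148.21/poll?id=constructed-guid&hostname=WS-042&domain=CORP 200 "YandexUpdate/1.0"',
    '2025-06-26T09:14:12Z 10.0.0.15 POST http://91.239.148.21/poll?id=constructed-guid&hostname=WS-042&domain=CORP 200 "MicrosoftAppStore/2001.0"',
    '2025-06-26T09:15:00Z 10.0.0.22 GET https://www.example.com/index.html 200 "Mozilla/5.0"',
    # Same URL shape on an unrelated host: a weaker, pattern-only hit worth triage
    '2025-06-26T09:16:30Z 10.0.0.31 GET http://203.0.113.7/poll?id=abc&hostname=WS-007&domain=LAB 200 "curl/8.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The IP and User-Agent matches are high-confidence because they are exact indicators from the report; the `/poll` key-set match on its own is weaker (other software could use the same parameter names) and is kept as a separate reason so an analyst can rank alerts that hit only the pattern below those that also hit the address or the spoofed User-Agent. Once the infrastructure rotates, the pattern check is the one that keeps working.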
Read more: https://bi.zone/eng/expertise/blog/rainbow-hyena-snova-atakuet-novyy-bekdor-i-smena-taktik/