Analysis of PHANTOM#SPIKE: Attackers Leveraging CHM Files to Run Custom CSharp Backdoors Likely Targeting Victims Associated with Pakistan

Keypoints

  • The PHANTOM#SPIKE campaign leverages CHM (Compiled HTML Help) files within password-protected archives to deliver the payload, using a covert workflow to execute a hidden binary.
  • The CHM contains an HTML document with embedded JavaScript that triggers execution of RuntimeIndexer.exe on a single user click, so the apparent user-interaction hurdle is reduced to one click.
  • RuntimeIndexer.exe is a small .NET backdoor that establishes a persistent, encrypted channel to a C2 server and allows remote command execution on the infected system.
  • The malware authenticates to a C2 server at 162.252.172.67 over port 443 and uses SSL, but the server certificate is not validated, aiding stealthy communication.
  • Post-exploitation behaviors include environment enumeration (systeminfo, tasklist, dir), IP discovery via ip-api, and manual persistence via a scheduled task and file placement in Public Documents.
  • MITRE ATT&CK-style findings include execution via a compiled HTML file, system information discovery, command execution via cmd, IP collection, and scheduled task persistence.
  • Threat actors appear to be targeting Pakistan with some payloads observed in the US/Western nations, suggesting geopolitical motivation and a modular, low-artifact approach to minimize detection.

MITRE Techniques

  • [T1218.001] System Binary Proxy Execution: Compiled HTML File – The CHM is used to create a shortcut that executes RuntimeIndexer.exe via an embedded OBJECT tag and script. Quote: “The use of an <OBJECT> tag with a specific classid is critical. This classid corresponds to a COM object that can be used to perform actions not typical of your average CHM file. In this case, it’s configured to create a shortcut referencing a single command action.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The malware executes commands locally using cmd.exe. Quotes: “The ReceiveAndExecuteCommandsAsync method listens for commands from the C2 server, reading data into a buffer and converting it into a string command.” and “This method executes commands via cmd.exe, captures the output, and sends it back to the C2 server.”
  • [T1059.007] Command and Scripting Interpreter: JavaScript – A small JavaScript snippet is executed when the user interacts with the CHM, triggering the payload. Quote: “a small snippet of JavaScript is also executed which is triggered on a user ‘click’ action.”
  • [T1041] Exfiltration Over C2 Channel – The infected host transmits data to the C2 server, providing the attacker with information about the victim. Quote: “transmits the hostname and username of the infected machine to the C2 server”
  • [T1082] System Information Discovery – Post-compromise enumeration includes system information gathering; Quote: “systeminfo”
  • [T1590.005] Gather Victim Network Information: IP Addresses – The malware collects the victim’s IP information via external service. Quote: “curl ip-api[.]com”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence is achieved via a Windows scheduled task. Quote: “schtasks /CREATE /SC ONEVENT /DELAY 0004:00 /EC Microsoft-Windows-NetworkProfile/Operational /MO "*[System[Provider[@Name='Microsoft-Windows-NetworkProfile']]]" /TN RuntimeTaskMachinesCore /tr "C:\Users\Public\Documents\RuntimeIndexer.exe" /F”
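As an added example (not part of the Securonix write-up or the malware itself), the following Python hunt logic flags process-creation events that match the behaviours listed above: a CHM viewer child process (the parent is assumed to be hh.exe, the Windows HTML Help executable), execution from Public Documents, a schtasks ONEVENT task keyed to the NetworkProfile log, and a curl lookup of ip-api. The events are constructed sample records in a Sysmon-like shape, not real telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon EID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "C:\\Windows\\hh.exe",                      # assumed CHM viewer parent
     "image": "C:\\Users\\Public\\Documents\\RuntimeIndexer.exe",
     "cmdline": "C:\\Users\\Public\\Documents\\RuntimeIndexer.exe"},
    {"parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /CREATE /SC ONEVENT /DELAY 0004:00 "
                "/EC Microsoft-Windows-NetworkProfile/Operational "
                "/MO \"*[System[Provider[@Name='Microsoft-Windows-NetworkProfile']]]\" "
                "/TN RuntimeTaskMachinesCore "
                "/tr \"C:\\Users\\Public\\Documents\\RuntimeIndexer.exe\" /F"},
    {"parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl ip-api.com"},
    {"parent": "C:\\Windows\\explorer.exe",                 # benign control event
     "image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "cmdline": "notepad++.exe notes.txt"},
]

# Each rule is (name, predicate over one event). Names are hypothetical labels.
RULES = [
    ("chm_child_process",
     lambda e: e["parent"].lower().endswith("\\hh.exe")
               and e["image"].lower().endswith(".exe")),
    ("exec_from_public_documents",
     lambda e: "\\users\\public\\documents\\" in e["image"].lower()),
    ("onevent_task_networkprofile",
     lambda e: e["image"].lower().endswith("\\schtasks.exe")
               and re.search(r"/sc\s+onevent", e["cmdline"], re.I) is not None
               and "networkprofile" in e["cmdline"].lower()),
    ("ip_lookup_via_curl",
     lambda e: e["image"].lower().endswith("\\curl.exe")
               and "ip-api.com" in e["cmdline"].lower()),
]


def evaluate(event):
    """Return the names of every rule the event matches."""
    return [name for name, check in RULES if check(event)]


def triage(events):
    """Map the index of each suspicious event to its matched rules; clean events are dropped."""
    return {i: evaluate(e) for i, e in enumerate(events) if evaluate(e)}


if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], rules)
```

The two persistence rules (Public Documents execution and the ONEVENT task) are the ones most likely to survive a change of C2 address or binary name.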

Indicators of Compromise

  • [IP Address] context – C2 address 162.252.172.67, used for command and control communications (port 443).
  • [Domain] context – ip-api[.]com used to determine public IP information for the victim.
  • [File Hash] context – 8EC0E528DE50CDD232294480999A9730944AA218FBC12AD24228E078B845CB5C, RuntimeIndexer.exe
  • [File Hash] context – 40F61588C92BC0965719B78D2F0827585308ABB5B4CF8A01138B3CF69378DF28, Minutes of meeting Intl Military Technical Forum Army 2024.zip
  • [File Name] context – Minutes of meeting Intl Military Technical Forum Army 2024.zip, Minutes of meeting Intl Military Technical Forum Army 2024.rar, and 2 more files (e.g., CHM bundles in the archive)

Read more: https://www.securonix.com/blog/analysis-of-phantomspike-attackers-leveraging-chm-files-to-run-custom-csharp-backdoors-likely-targeting-victims-associated-with-pakistan/