F.A.C.C.T. Threat Intelligence analysts have been tracking the activity of the Phantomdl loader since March 2024. The new malware has been linked to the Phantomcore cyber-espionage group, which was observed targeting Russian organizations earlier this year.
Phantomdl is delivered through phishing emails carrying password-protected archives that contain the malicious files. In one incident, a phishing email built around a decoy document was used to target a construction site in the Russian nuclear industry.
The archive attached to the email abuses CVE-2023-38831, a vulnerability in WinRAR versions before 6.23. The archive holds a benign PDF together with a folder of the same name that contains an executable; when the victim opens the PDF from within a vulnerable WinRAR, the executable is launched instead of the document. Users running WinRAR 6.23 or later are not affected: for them only the legitimate PDF opens.
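The archive layout that CVE-2023-38831 relies on (a top-level decoy file and a same-named directory holding an executable with the same name prefix) is easy to spot before anything is opened. The script below is an added illustration written for this page, not code from F.A.C.C.T. or from the Phantomcore samples; the archive it scans is constructed in memory with harmless contents, and the list of executable extensions is an assumption about what Windows will run rather than render. It checks ZIP archives, which is the container the public exploit archives for this CVE used.

```python
import io
import zipfile
from typing import List, Tuple

# Assumed set of extensions that Windows executes rather than displays.
EXEC_EXTS = (".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".scr", ".lnk")


def find_cve_2023_38831_pattern(archive: bytes) -> List[Tuple[str, str]]:
    """Heuristic check for the archive layout abused via CVE-2023-38831.

    Flags every (decoy, payload) pair where:
      * 'decoy' is a top-level file entry (for example 'Report.pdf '), and
      * 'payload' sits in a directory whose name equals that decoy name,
        starts with the decoy name itself and carries an executable
        extension (for example 'Report.pdf /Report.pdf .cmd').
    Only top-level decoys are considered. Returns [] for clean archives.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    top_level = {n for n in names if "/" not in n}
    hits: List[Tuple[str, str]] = []
    for name in names:
        folder, sep, leaf = name.rpartition("/")
        if not sep or folder not in top_level:
            continue  # not inside a directory that shadows a top-level file
        if leaf.startswith(folder) and leaf.lower().endswith(EXEC_EXTS):
            hits.append((folder, name))
    return hits


def build_constructed_lure() -> bytes:
    """Constructed sample mimicking the lure layout; contents are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Note the trailing space in the decoy name, as used in the public PoCs.
        zf.writestr("Report.pdf ", b"%PDF-1.4\n% harmless decoy document\n")
        zf.writestr("Report.pdf /Report.pdf .cmd", b"@echo off\r\necho constructed sample\r\n")
    return buf.getvalue()


def build_constructed_clean() -> bytes:
    """Constructed benign archive: a PDF and an unrelated subfolder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Report.pdf", b"%PDF-1.4\n% ordinary document\n")
        zf.writestr("attachments/notes.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_constructed_lure()),
                        ("clean", build_constructed_clean())):
        print(label, find_cve_2023_38831_pattern(data))
```

The check is a layout heuristic, not a patch: it catches the shape of the lure regardless of what the payload does, so it suits a mail gateway or sandbox pre-filter, but the fix that actually removes the risk is upgrading WinRAR to 6.23 or later.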
Phantomdl also checks the geolocation of the victim's outbound IP address. If the connection does not originate from a Russian IP address, it is terminated. Otherwise the loader proceeds to receive commands from its operators to download additional malware or carry out further actions on the host.
More recently, the researchers found a new Phantomdl variant that lacks the usual anti-analysis and evasion techniques, which simplified analysis and helped confirm its link to Phantomcore. According to F.A.C.C.T., Phantomdl is part of Phantomcore's strategy for evading security controls and conducting cyber-espionage against the Russian military-industrial complex.