One Article Review

Home - The article:
Source Cyble
Identifier 8654155
Publication date 2025-03-06 07:48:58 (viewed: 2025-03-06 08:08:15)
Title Phantom-Goblin: Covert Credential Theft and VSCode Tunnel Exploitation
Text Cyble Phantom-Goblin: Covert Credential Theft and VSCode Tunnel Exploitation

Key Takeaways
- Threat Actors (TA) use social engineering to trick users into executing a malicious LNK file disguised as a PDF document, leading to malware infection.
- The malware then leverages PowerShell to download and execute malicious payloads from a GitHub repository while ensuring persistence through registry modifications.
- The malware extracts browser cookies by enabling remote debugging, bypassing Chrome's App Bound Encryption (ABE) for stealthy data exfiltration.
- A malicious binary establishes a Visual Studio Code (VSCode) tunnel, allowing the TA to maintain unauthorized remote access while evading detection.
- Another payload collects browsing history, login credentials, session details, and other sensitive browser-related information before exfiltrating it to a Telegram channel.
- Stolen data, including cookies and browser credentials, is archived and transmitted to the TA's Telegram bot, ensuring covert data transfer and persistence.

Executive Summary
A newly identified malware strain is being distributed through RAR attachments, using social engineering techniques to deceive users into executing a malicious LNK file disguised as a legitimate document. Once executed, this LNK file triggers a PowerShell command that retrieves additional payloads from a GitHub repository, allowing the malware to perform various malicious activities while operating stealthily.

The malware primarily targets web browsers and developer tools for data theft and unauthorized system access. It forcefully terminates browser processes to extract sensitive information such as cookies, login credentials, and browsing history. Additionally, it leverages Visual Studio Code tunnels to establish unauthorized
Notes ★★
Sent Yes
Tags Spam Malware Tool Threat


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.