
Russian Hackers Use ISO Files to Spread Phantom Stealer Malware

Summary

– A new Russian phishing campaign, tracked as Operation MoneyMount-ISO, delivers Phantom information-stealing malware using a fake payment confirmation email.
– The attack bypasses email security by using a ZIP archive containing an ISO file, which mounts to deploy a disguised executable that installs the malware in memory.
– It specifically targets Russian-speaking organizations, focusing on finance, accounting, and other roles that handle sensitive financial documents.
– The Phantom Stealer payload harvests extensive data, including passwords, cookies, cryptocurrency wallets, keystrokes, and Discord tokens, and exfiltrates it via Telegram, Discord, and FTP.
– Researchers emphasize the campaign’s sophistication and recommend filtering containerized attachments and monitoring memory behavior as essential mitigations.

A sophisticated new phishing operation has been identified, utilizing a deceptive multi-stage process to distribute the dangerous Phantom Stealer malware. Security analysts have traced this activity, dubbed Operation MoneyMount-ISO, to threat actors based in Russia. The campaign cleverly bypasses standard email defenses by using a chain of attachments, ultimately aiming to steal a vast array of sensitive data from its targets.

The attack begins with a convincingly crafted email written in formal Russian business language. The message, with a subject line translating to “Confirmation of Bank Transfer,” pretends to be a routine financial notification. It prompts the recipient to open an attached document to review transaction details, a common request in corporate finance departments. The attached file is not a document, but a ZIP archive containing an ISO file. This technique represents a significant shift in how attackers gain initial access, as ISO files can often slip past email security filters that block more obvious executable files.

When the target opens the ZIP and the enclosed ISO, the system mounts it as a virtual drive. Inside, the victim sees a file disguised as a payment confirmation, which is actually a malicious executable. Launching this file sets off a complex payload chain. A loader first decrypts a harmful DLL, which then injects the Phantom Stealer directly into the system’s memory. This process includes extensive anti-analysis checks designed to evade detection by sandboxes and virtual machines, making it harder for automated security tools to spot the threat.

Once active, Phantom Stealer is a potent data-harvesting tool. It systematically collects browser-stored passwords, cookies, and saved credit card information. The malware also targets cryptocurrency wallets, extracting them from both browser extensions and dedicated desktop applications. It captures keystrokes, monitors clipboard content, and steals authentication tokens from platforms like Discord. All this stolen information is bundled into compressed archives and sent to the attackers through various channels, including Telegram bots, Discord webhooks, and FTP servers.

The campaign demonstrates a clear and calculated focus. It primarily targets Russian-speaking organizations, with a particular emphasis on roles that handle financial operations. Sectors in the crosshairs include finance, accounting, treasury, and payments teams. The attackers also aim at procurement, legal, and human resources or payroll functions, as well as executive assistants and small to medium-sized businesses using Russian-language systems. By mimicking everyday business correspondence, the phishing emails are more likely to be opened in fast-paced professional environments.

This operation underscores the evolving threat posed by commodity malware. The strategic shift toward ISO-based initial access is a direct effort to evade perimeter security controls that traditionally scan for executable attachments. Defending against such advanced tactics requires a layered security approach. Experts recommend continuously filtering containerized attachments like ISOs, implementing robust memory-behavior monitoring to catch malicious activity, and strengthening security protocols for email workflows, especially those used by finance-facing teams.
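As an added illustration of the "filter containerized attachments" recommendation above (example code written for this page, not code from the article or from InfoSecurity Magazine), the following Python check inspects a ZIP attachment before delivery: it flags members whose extension is a mountable disk image (ISO, IMG, VHD, VHDX) or an executable, and it also reads the first 32 KiB of each member to catch an ISO 9660 image that has been renamed to look like a document. The sample archive it builds is constructed inline for the demonstration; the extension lists and the quarantine threshold (any finding) are assumptions of this example, not settings from the campaign write-up.

```python
import io
import zipfile
from dataclasses import dataclass

# Assumption of this example: formats Windows will mount as a virtual drive
# when double-clicked, plus common executable extensions.
CONTAINER_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll"}

# ISO 9660 stores its primary volume descriptor at sector 16 (offset 0x8000):
# descriptor type byte 0x01 followed by the standard identifier "CD001".
ISO9660_PVD_OFFSET = 0x8000
ISO9660_MAGIC = b"\x01CD001"
HEADER_BYTES = ISO9660_PVD_OFFSET + len(ISO9660_MAGIC)


@dataclass(frozen=True)
class Finding:
    member: str
    reason: str


def _lower_ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def inspect_zip_attachment(zip_bytes: bytes) -> list[Finding]:
    """Return one Finding per suspicious member of a ZIP attachment."""
    findings: list[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [Finding("<archive>", "not a valid ZIP archive")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _lower_ext(info.filename)
            if ext in CONTAINER_EXTENSIONS:
                findings.append(Finding(info.filename, f"container extension {ext}"))
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(info.filename, f"executable extension {ext}"))
            # Content check: only the header is decompressed, so a large
            # member does not have to be fully inflated to be classified.
            with zf.open(info) as fh:
                head = fh.read(HEADER_BYTES)
            if head[ISO9660_PVD_OFFSET:HEADER_BYTES] == ISO9660_MAGIC and ext not in CONTAINER_EXTENSIONS:
                findings.append(Finding(info.filename, "ISO 9660 signature under a non-container extension"))
            if head[:2] == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(info.filename, "PE (MZ) header under a non-executable extension"))
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy assumed by this example: any finding holds the message for review."""
    return bool(inspect_zip_attachment(zip_bytes))


def build_sample_zip(with_image: bool = True) -> bytes:
    """Constructed sample attachment: a benign text note and, optionally, a
    minimal fake ISO (header only) once under its own name and once renamed
    to look like a PDF, mirroring the 'disguised document' lure described
    in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_notes.txt", "Constructed benign text member.\n")
        if with_image:
            fake_iso = b"\x00" * ISO9660_PVD_OFFSET + ISO9660_MAGIC + b"\x00" * 2041
            zf.writestr("payment_confirmation.iso", fake_iso)
            zf.writestr("payment_confirmation.pdf", fake_iso)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_zip()):
        print(f"{finding.member}: {finding.reason}")
    print("quarantine:", should_quarantine(build_sample_zip()))
```

Checking the ISO 9660 signature as well as the extension matters because the renamed image is the case that an extension-only rule misses; the same header read could be extended to other image formats once their magic bytes are known. Nested archives (an ISO inside a ZIP inside another ZIP) would need the function to recurse into members that are themselves ZIPs, which this example does not do.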

(Source: InfoSecurity Magazine)
