Military emails spread PHANTOM#SPIKE malware swiftly and efficiently

June 22, 2024

TLDR:

  • A new phishing campaign dubbed PHANTOM#SPIKE is targeting people in Pakistan using military-themed email documents.
  • The campaign uses a ZIP file with a password-protected payload archive that contains a backdoor malware called RuntimeIndexer.exe.

Cybersecurity researchers have identified a new phishing campaign targeting people in Pakistan. The campaign, known as PHANTOM#SPIKE, uses military-related phishing documents to infect users with malware. The threat actors behind it deliver ZIP files containing a password-protected payload archive, which in turn holds a backdoor called RuntimeIndexer.exe. The backdoor connects to a remote server and executes commands on the compromised host, giving the attacker control of the infected system and the ability to steal sensitive information and run additional malware payloads.

The email messages in this campaign carry a ZIP archive that purports to contain meeting minutes from the International Military-Technical Forum Army 2024. The archive holds a Microsoft Compiled HTML Help (CHM) file and the hidden executable RuntimeIndexer.exe. When the CHM file is opened, it displays the meeting minutes and images, but once the user clicks on the document it launches the bundled binary. The backdoor receives commands from the remote server, runs them, and relays the results back; it gathers system information and has been observed running commands such as systeminfo, tasklist, curl, and schtasks.
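The infection chain above gives a defender two concrete behaviours to hunt for in process-creation telemetry: the CHM viewer spawning a child process, and a single parent process issuing a burst of the reconnaissance commands the article names. The following is an added example, not code from the article or from the researchers who reported the campaign. It assumes Sysmon-style process-creation records with `ts`, `host`, `parent`, `image` and `cmdline` fields, and that CHM files are opened by the Windows HTML Help viewer hh.exe; the sample events are constructed for illustration and are not real telemetry from this campaign.

```python
"""Detect two behaviours from the PHANTOM#SPIKE chain in process-creation logs.

Added example; field names and sample events are assumptions, not the
researchers' data or detection content.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance tools named in the article; ".exe" suffix optional.
RECON_RE = re.compile(r"\b(systeminfo|tasklist|curl|schtasks)(?:\.exe)?\b", re.IGNORECASE)

# Constructed Sysmon-style events: one infected workstation (ws01) and one
# admin running a single benign tasklist on ws02.
SAMPLE_EVENTS = [
    {"ts": "2024-06-20T09:00:00", "host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\hh.exe", "cmdline": r"hh.exe C:\Users\u\Downloads\minutes.chm"},
    {"ts": "2024-06-20T09:00:02", "host": "ws01", "parent": r"C:\Windows\hh.exe",
     "image": r"C:\Users\u\Downloads\RuntimeIndexer.exe", "cmdline": "RuntimeIndexer.exe"},
    {"ts": "2024-06-20T09:00:05", "host": "ws01", "parent": r"C:\Users\u\Downloads\RuntimeIndexer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"ts": "2024-06-20T09:00:09", "host": "ws01", "parent": r"C:\Users\u\Downloads\RuntimeIndexer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c tasklist"},
    {"ts": "2024-06-20T09:00:14", "host": "ws01", "parent": r"C:\Users\u\Downloads\RuntimeIndexer.exe",
     "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe -s http://c2.example/placeholder"},
    {"ts": "2024-06-20T09:00:20", "host": "ws01", "parent": r"C:\Users\u\Downloads\RuntimeIndexer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c schtasks /create /tn Updater"},
    {"ts": "2024-06-20T09:05:00", "host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"ts": "2024-06-20T10:00:00", "host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
]


def basename(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_hh_children(events):
    """Rule 1: hh.exe (the CHM viewer) almost never needs to launch other
    programs, so any child process of it is worth an alert."""
    return [
        {"rule": "CHM_SPAWNED_PROCESS", "host": e["host"], "ts": e["ts"], "image": e["image"]}
        for e in events
        if basename(e["parent"]) == "hh.exe"
    ]


def detect_recon_burst(events, window=timedelta(minutes=10), min_tools=3):
    """Rule 2: one parent process on one host running at least `min_tools`
    distinct reconnaissance commands inside `window`. A lone tasklist from
    an admin shell stays below the threshold."""
    by_parent = defaultdict(list)
    for e in events:
        match = RECON_RE.search(e["cmdline"])
        if match:
            key = (e["host"], basename(e["parent"]))
            by_parent[key].append((datetime.fromisoformat(e["ts"]), match.group(1).lower()))

    alerts = []
    for (host, parent), seen in by_parent.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            tools = {tool for t, tool in seen[i:] if t - t0 <= window}
            if len(tools) >= min_tools:
                alerts.append({"rule": "RECON_BURST", "host": host, "parent": parent,
                               "tools": sorted(tools)})
                break  # one alert per parent is enough
    return alerts


def scan(events):
    """Run both rules and return the combined alert list."""
    return detect_hh_children(events) + detect_recon_burst(events)


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 fires on the hh.exe to RuntimeIndexer.exe step; rule 2 fires on the systeminfo, tasklist, curl and schtasks sequence spawned by the backdoor, while the single tasklist on ws02 produces nothing. In production the parent-based grouping would normally use process GUIDs rather than image names, and the recon list would be tuned to the environment.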

This phishing campaign is notable for its lack of sophistication and use of simple payloads to achieve remote access to target machines. The researchers emphasize the importance of staying vigilant against such attacks and implementing strong email security measures to prevent malware infections.
