Phantom Goblin: A New Threat in Credential Theft and Remote System Access

A new malware campaign named Phantom Goblin, identified and analyzed by Cyble, uses information-stealing malware that uses social engineering techniques to deceive victims and steal sensitive data, including browser credentials and cookies. 

The campaign is notable for its use of trusted tools and services like PowerShell and Visual Studio Code (VSCode), which help it evade traditional security mechanisms and establish covert, persistent remote access. 

Key Insights into Phantom Goblin 

Phantom Goblin primarily targets browsers and developer tools, leveraging social engineering and malicious scripts to install and operate undetected. According to Cyble Research and Intelligence Labs (CRIL), The malware works by tricking users into executing a disguised LNK file, which then triggers a series of payloads designed to extract and exfiltrate sensitive data. 

1. Social Engineering and Initial Infection: The malware distribution typically begins with a deceptive RAR archive that contains a malicious LNK file. The file is cleverly named to resemble a legitimate document, such as a PDF, prompting users to click on it. When executed, the LNK file runs a PowerShell script, which silently downloads additional payloads from a GitHub repository. This script also ensures persistence by adding itself to the Windows registry, allowing the malware to run each time the system restarts.
2. Exploitation of Browser Vulnerabilities: Once installed, Phantom Goblin turns its attention to web browsers, seeking to extract cookies and login credentials. To do so, it uses a technique that bypasses Chrome’s App Bound Encryption (ABE), enabling it to collect browser data without triggering user alerts. By forcefully terminating active browser processes, the malware ensures that cookie files can be accessed and stolen without any interference.
3. Use of Visual Studio Code (VSCode) Tunnels One of the standout features of Phantom Goblin is its ability to establish unauthorized remote access to infected systems. The malware achieves this by deploying a malicious binary named “vscode.exe,” which creates a Visual Studio Code tunnel on the compromised machine. This allows the attackers to control the system remotely while bypassing traditional security mechanisms. 
4. Stealthy Exfiltration via Telegram Phantom Goblin’s data exfiltration process is another key component of its covert operation. Using Telegram’s bot API, the malware can send stolen information, including cookies, credentials, and browsing history, to a remote Telegram channel. This technique helps ensure that the stolen data is sent securely and without detection, even as the malware continues to operate on the compromised machine. 
5. Persistence and Evasion Tactics The attackers behind Phantom Goblin take great care to ensure the malware remains undetected and persists on infected systems. The malware’s payloads are designed to appear as legitimate software, such as “updater.exe” or “browser.exe,” which further complicates detection by traditional security tools. The use of trusted services like GitHub and PowerShell for downloading additional payloads makes it harder for antivirus software to identify malicious activity.

Infection Chain and Malicious Payloads 

The infection process begins with the delivery of an email containing a RAR attachment, which houses the malicious LNK file. Upon execution, the LNK file triggers the PowerShell script that downloads and runs additional payloads. Among these payloads are:

• Updater.exe: This component focuses on stealing cookies from popular browsers like Chrome, Edge, and Brave. It achieves this by terminating the browser processes and enabling remote debugging to bypass security measures like App Bound Encryption (ABE). Once the cookies are extracted, they are archived and sent to the attacker’s Telegram bot. 
• Vscode.exe: This binary is responsible for establishing a VSCode tunnel, allowing the attackers to remotely access the infected system. The malware manipulates VSCode’s legitimate update process to maintain a cover, ensuring that it can establish a hidden backdoor into the victim’s machine. 
• Browser.exe: This payload gathers a variety of sensitive information, including browsing history, login credentials, and session data. By targeting a wide range of browsers, it ensures that a broad swath of personal data is collected from the victim’s system. 

Defense Against Phantom Goblin 

To protect systems from Phantom Goblin and similar threats, experts recommend several best practices: 

1. Email Filtering: Implement advanced filtering techniques to block suspicious attachments, particularly those in RAR, ZIP, or LNK formats. Scanning all attachments with up-to-date antivirus software before opening them is crucial. 
2. Disabling VSCode Tunnels: Restrict the use of Visual Studio Code tunneling for unauthorized users by enforcing access controls and authentication mechanisms. Limiting the ability to run VSCode on sensitive systems can help prevent remote access. 
3. PowerShell Restrictions: Disable or restrict the use of PowerShell and script execution on systems unless absolutely necessary. Monitoring for suspicious PowerShell activity, such as the execution of scripts from external repositories, can help detect and block malicious actions. 
4. Browser Security: Implement strong browser security measures to prevent unauthorized debugging and to restrict access to sensitive data stored within browsers. Enforcing multi-factor authentication (MFA) and session timeouts can help further protect browser-based credentials. 
5. Endpoint Protection: Deploy endpoint protection solutions that include real-time threat detection for malicious processes, registry changes, and unusual file downloads. 

Conclusion 

Phantom Goblin highlights how cybercriminals use social engineering and trusted tools to bypass security measures and steal sensitive data. By exploiting vulnerabilities in browsers and developer tools, and leveraging remote access through Visual Studio Code tunnels, the attackers remain undetected and persistent. As a leading Threat intelligence company, Cyble’s cutting-edge products and solutions, including Cyble Vision and Cyble Hawk, provide AI-driven threat intelligence and proactive security measures to help organizations detect, prevent, and respond to cyber threats, ensuring better defense against attacks like Phantom Goblin.