Full Report

Table of Contents: Introduction; Targeted sectors; Initial Findings about Campaign; Analysis of Phishing Mail; Infection Chain; Technical Analysis (Stage-1: Analysis of Malicious ISO file; Stage-2: Analysis of Executable; Analysis of 1st Payload; Analysis of 2nd Payload (Phantom Stealer)); Conclusion; Why Operation MoneyMount-ISO?; Seqrite Coverage; IOCs; MITRE ATT&CK.

Introduction: At Seqrite Labs, we continuously monitor global […]

Source: "Operation MoneyMount-ISO — Deploying Phantom Stealer via ISO-Mounted Executables", Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Tool/Technique: Phantom Stealer
## Overview
Phantom Stealer is an information-stealing malware deployed in the "Operation MoneyMount-ISO" campaign. It is delivered via a multi-stage chain starting with a phishing email, utilizing a malicious ISO file mounted as a virtual disk to conceal and execute the payload. The malware focuses on stealing sensitive user data, credentials, cryptocurrency wallets, and application tokens from the infected system.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (Inferred from execution chain and system discovery checks)
- Capabilities: Credential theft, token theft (Discord), cryptocurrency wallet theft, process/system discovery, anti-analysis routines.
- First Seen: Implicitly active around December 2025 (date of the article).
## MITRE ATT&CK Mapping
- **Initial Access**
  - T1566.001 - Phishing: Attachment
  - T1204.002 - User Execution: Malicious File
- **Execution**
  - T1106 - Native API Execution / Binary Execution
  - T1204.002 - Drive-by Social Engineering (Relevant to ISO execution)
- **Defense Evasion**
  - T1027 - Encrypted/Obfuscated Payload
  - T1027.003 - Steganography / Payload in Image (Implied by using System.Drawing.Bitmap)
  - T1497 - Virtualization/Sandbox Evasion
  - T1036 - Masquerading
  - T1070.004 - Self-Deletion
- **Payload Loading**
  - T1055.001 - DLL Injection
  - T1620 - Reflective Loading / In-Memory Execution
- **Discovery**
  - T1082 - System Information Discovery
  - T1057 - Process Discovery
  - T1518.001 - Security Software Discovery
- **Credential Access**
  - T1555.003 - Credential Access from Web Browsers
  - T1528 - Application Token Theft (Discord)
  - T1555 - Cryptocurrency Wallet Theft
- **Collection**
  - T1056.001 - Keylogging
  - T1115 - Clipboard Collection
  - T1039 - File Collection
  - T1119 - Browser Data Collection
- **Exfiltration**
  - T1567.002 - Exfiltration Over Web Services (Telegram identified)
  - T1530 - Exfiltration to Cloud/Webhook (Discord identified)
  - T1048 - Exfiltration Over Unencrypted/FTP Channels
  - T1560.001 - Data Staged in Archive (ZIP)
## Functionality
### Core Capabilities
- Data exfiltration predominantly targeting Telegram, Discord, and various browser/wallet data stores.
- Execution involves a staged process: malicious ZIP → ISO file → executable → `CreativeAI.dll` (containing encrypted payload) → Phantom Stealer execution/injection.
- Targets credentials, application tokens (e.g., Discord), and cryptocurrency wallet information.
### Advanced Features
- **ISO Mounting Bypass:** Ships the executable inside a malicious ISO so that opening the attachment mounts a disk image rather than extracting a file, which helps bypass basic email gateway controls that only inspect ZIP contents directly.
- **Anti-Analysis:** Checks for suspicious usernames and machine names, enumerates GPU adapters for VM identifiers, and scans running processes/services associated with analysis environments (sandboxes, debuggers). If any check triggers, it executes `SelfDestruct.Melt()`.
- **In-Memory Execution:** The first payload (DLL) decrypts and injects the final Phantom Stealer payload directly into memory for stealth.
- **Data Hiding:** Potential use of steganography within images (`System.Drawing.Bitmap`) to hide embedded code or data.
## Indicators of Compromise
- File Hashes:
  - Email Hashes (ZIP): `4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599` (Note: This is likely the ZIP hash)
  - ISO Hash: `60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9`
  - Executable Hash (HvNC.exe): `78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77`
  - File/Payload Hash (Unspecified stage, possibly the initial executable): `27bc3c4eed4e70ff5a438815b1694f83150c36d351ae1095c2811c962591e1bf`
- File Names:
  - ZIP: `Подтверждение банковского перевода.zip`
  - ISO: `Подтверждение банковского перевода.iso`
  - Executable: `HvNC.exe` (Appears after stage 2 execution)
- Registry Keys: Not explicitly listed.
- Network Indicators:
  - Exfiltration to Telegram (T1567.002)
  - Exfiltration to Discord (T1530)
- Behavioral Indicators:
  - Execution from a filesystem location created by mounting an ISO file.
  - Injection of code from `CreativeAI.dll`.
  - Discovery checks targeting security software, processes, and system configurations.
## Associated Threat Actors
- While Phantom Stealer is frequently associated with commodity malware distributors, this specific campaign ("Operation MoneyMount-ISO") originated from **Russia** and specifically targeted **Finance/Accounting/Treasury** roles within Russian organizations.
## Detection Methods
- Signature-based detection: Seqrite Coverage noted as `Trojan_Phantom_Y10018`.
- Behavioral detection: Monitoring for processes spawned immediately after the mounting of an ISO file that attempt in-memory execution or DLL injection.
- YARA rules: (Not explicitly provided in the summary, but derivable from the payload analysis).
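The behavioral detection described above (process execution shortly after an ISO mount) as a worked correlation rule. This is an added example, not code from the Seqrite report: the telemetry format, the host names and the 5-minute window are assumptions, and the sample log lines are constructed, reusing only the file names the report lists.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the Seqrite report): an ISO mount on a
# finance workstation, a process started from the mounted volume seconds later,
# a DLL loaded from that same volume, and unrelated activity that must not alert.
SAMPLE_LOG = r"""
{"ts": "2025-12-01T09:00:00", "event": "iso_mount", "host": "FIN-PC01", "drive": "E:", "image": "C:\\Users\\acct\\Downloads\\Подтверждение банковского перевода.iso"}
{"ts": "2025-12-01T09:00:04", "event": "process_create", "host": "FIN-PC01", "path": "E:\\HvNC.exe", "parent": "explorer.exe"}
{"ts": "2025-12-01T09:00:06", "event": "image_load", "host": "FIN-PC01", "process": "E:\\HvNC.exe", "module": "E:\\CreativeAI.dll"}
{"ts": "2025-12-01T09:30:00", "event": "process_create", "host": "FIN-PC01", "path": "C:\\Program Files\\Office\\excel.exe", "parent": "explorer.exe"}
{"ts": "2025-12-01T09:31:00", "event": "process_create", "host": "FIN-PC02", "path": "E:\\setup.exe", "parent": "explorer.exe"}
"""

# Assumed correlation window: only executions that closely follow the mount are
# flagged here; a long-mounted ISO is a weaker signal left to other rules.
WINDOW = timedelta(minutes=5)

def parse_events(text):
    """Parse one JSON event per line and return them ordered by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])

def detect_iso_execution(text):
    """Correlate ISO mounts with later process creation or DLL loads from the
    same drive letter on the same host, within WINDOW of the mount."""
    mounts = {}   # (host, drive letter) -> time an ISO was mounted there
    alerts = []
    for ev in parse_events(text):
        if ev["event"] == "iso_mount":
            mounts[(ev["host"], ev["drive"].upper())] = ev["ts"]
            continue
        if ev["event"] == "process_create":
            rule, subject = "exec_from_mounted_iso", ev["path"]
        elif ev["event"] == "image_load":
            rule, subject = "dll_loaded_from_mounted_iso", ev["module"]
        else:
            continue
        # Scope the lookup to the host: drive letters are only meaningful per machine.
        mounted_at = mounts.get((ev["host"], subject[:2].upper()))
        if mounted_at is not None and ev["ts"] - mounted_at <= WINDOW:
            alerts.append({"host": ev["host"], "rule": rule, "subject": subject,
                           "seconds_after_mount": int((ev["ts"] - mounted_at).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in detect_iso_execution(SAMPLE_LOG):
        print(alert)
```

On the sample above the rule fires twice on FIN-PC01 (the executable and the DLL from the mounted volume) and stays silent for the C: drive process and for FIN-PC02, where no mount was seen.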
## Mitigation Strategies
- Continuous filtering of containerized attachments (ZIP, ISO) at the email gateway.
- Hardening finance-facing mail workflows to increase scrutiny on payment confirmation lures.
- Endpoint detection and response (EDR) focused on memory behavior, specifically monitoring for Reflective Loading and DLL Injection from unexpected loaded modules.
- Disabling or restricting the ability of users to auto-mount or execute files directly from virtual media drives mounted from email attachments.
## Related Tools/Techniques
- Steganography (T1027.003) used for payload concealment.
- Other commodity Information Stealers (Implied, as Phantom Stealer is often sold/rented).
- ISO/WIM file usage for initial access (similar evasion techniques used by actors delivering Emotet or QakBot attachments).