Operation PhantomCLR: Advanced AppDomain Hijacking Targets Financial Sectors
Severity: High (Score: 66.8)
Sources: Cybersecuritynews, Cyfirma
Summary
A sophisticated cyber attack campaign, named Operation PhantomCLR, has been identified targeting organizations in the Middle East and EMEA financial sectors. The attackers abuse a legitimate Intel utility, IAStorHelp.exe, using the .NET AppDomainManager mechanism to execute malicious code without altering the original signed binary. This method allows the malware to bypass traditional security measures, including EDR and antivirus solutions. Once command-and-control communication is established via Amazon CloudFront, attackers can access sensitive data such as credentials and financial records. The malware employs anti-forensic techniques to erase memory artifacts, complicating post-incident investigations. The attack demonstrates a significant evolution in attacker tradecraft, emphasizing the need for advanced detection mechanisms. Organizations affected should consider their systems fully compromised and prepare for potential lateral movement by the adversary.
Key Points
- Operation PhantomCLR exploits a legitimate Intel utility for stealthy malware deployment.
- The attack targets financial sectors in the Middle East and EMEA, indicating a broad impact.
- Traditional security measures are bypassed, necessitating advanced detection strategies.
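As an added defender-side example that is not part of the report or its sources: AppDomainManager hijacking of a signed .NET host is normally staged through an `<app>.exe.config` dropped beside the executable (its `appDomainManagerAssembly` / `appDomainManagerType` runtime settings) or through the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables, so the binary's signature stays valid. The script below parses such a config and the environment and reports those indicators; the sample config, the `Helper` assembly name and `Helper.Loader` type are constructed values, not indicators from the campaign.

```python
import xml.etree.ElementTree as ET

# Runtime settings that redirect the CLR to a custom AppDomainManager at start-up.
HIJACK_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")
# Environment variables that achieve the same redirection without a config file.
HIJACK_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed sample of a hijacking <app>.exe.config (not from the campaign).
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Helper.Loader" />
  </runtime>
</configuration>"""


def config_findings(config_xml: str) -> dict:
    """Return {setting: value} for AppDomainManager settings found under <runtime>."""
    found = {}
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return found
    for elem in runtime:
        tag = elem.tag.rsplit("}", 1)[-1]  # drop a namespace prefix if one is present
        if tag in HIJACK_KEYS:
            found[tag] = elem.get("value", "")
    return found


def env_findings(env: dict) -> dict:
    """Return the AppDomainManager environment overrides present in env."""
    return {k: env[k] for k in HIJACK_ENV if k in env}


def assess(config_xml: str, env: dict) -> list:
    """Combine both checks into a list of findings; an empty list means no indicator."""
    findings = []
    cfg = config_findings(config_xml)
    if cfg:
        detail = ", ".join(f"{k}={v}" for k, v in sorted(cfg.items()))
        findings.append("config redirects AppDomainManager: " + detail)
    for k, v in env_findings(env).items():
        findings.append(f"environment override {k}={v}")
    return findings


if __name__ == "__main__":
    import os
    for line in assess(SAMPLE_CONFIG, dict(os.environ)):
        print(line)
```

In a hunt, run `config_findings` over every `*.exe.config` that sits next to a signed executable; a legitimate signed host that suddenly gains such a config is the artifact worth triaging.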
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- Operation PhantomCLR (campaign)
- Financial (industry)
- Brute Ratel C4 (malware)
- Cobalt Strike (malware)
- NightHawk (malware)
- T1055.001 - Dynamic-link Library Injection (mitre_attack)
- T1055 - Process Injection (mitre_attack)
- T1071.001 - Web Protocols (mitre_attack)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- T1574 - Hijack Execution Flow (mitre_attack)
- Amazon CloudFront (platform)
- Microsoft Edge (platform)
- Windows (platform)