A new phishing campaign targeting healthcare and IT organizations in Russia has been attributed to the Rainbow Hyena cluster. The attackers used compromised email addresses to distribute malicious attachments, including polyglot files and LNK files that mimic legitimate documents. A new custom-built backdoor, PhantomRemote, was identified; it can gather system information and execute commands. The campaign demonstrates a shift in tactics, with the threat actors abandoning traditional malicious documents in favor of alternative file formats. The sophistication of the tools and techniques suggests a move toward more conventional illicit activities such as espionage and financial gain.

Author: AlienVault
Related Tags:
PhantomRemote
LNK files
T1132.001
Russian Federation
T1059.003
T1071.001
Healthcare
T1012
T1573
Associated Indicators: