EXECUTIVE SUMMARY:
Operation PhantomCLR is a malware campaign that weaponizes a legitimate Intel utility to covertly deploy malware. The attack abuses the AppDomainManager mechanism of Microsoft's .NET runtime so that the malicious code runs before the Intel program begins its normal operations, leaving it almost invisible to traditional security tools. Organizations in the Middle East and EMEA financial sectors are the primary targets of this operation; attackers gain initial access through spear-phishing emails carrying a malicious ZIP archive. The design discipline, modular architecture, and anti-forensic techniques observed indicate the work of a well-resourced actor.
The attack works by placing a weaponized configuration file next to a legitimate Intel binary, IAStorHelp.exe, a real, signed Intel storage utility. When a .NET application starts, the runtime automatically looks for a configuration file in the same folder as the executable, and the weaponized file uses that lookup to point the AppDomainManager at the attacker's code. The malicious code therefore runs first, before the Intel program begins its normal operations, making it almost invisible to traditional security tools. The level of design discipline observed in this attack suggests that it may be the work of a well-resourced actor.
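As an added detection example (not code from the original report), the following Python scans a directory tree for `<exe>.config` files that redirect the .NET AppDomainManager and checks whether the named assembly sits beside the executable, the drop pattern described above. The element names are the .NET Framework `<runtime>` settings; the sample config, the UpdateHelper assembly and type names, and the placeholder files are constructed for this example.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of the <exe>.config dropped beside a signed .NET binary so the
# runtime loads the attacker's AppDomainManager before Main(). Element names are the
# .NET Framework <runtime> settings; the assembly/type names are made up here.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""
MANAGER_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")

def manager_settings(xml_text: str) -> dict:
    """Return the AppDomainManager settings in a .NET app.config, or {} if absent."""
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return {}
    return {c.tag: c.get("value", "") for c in runtime if c.tag in MANAGER_KEYS}

def scan_tree(root: Path) -> list:
    """Find *.exe.config files that redirect the AppDomainManager and report whether
    the named assembly's DLL sits next to the executable (the side-load pattern)."""
    hits = []
    for cfg in root.rglob("*.exe.config"):
        try:
            found = manager_settings(cfg.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            continue  # not well-formed XML, so not a config the runtime would honour
        if not found:
            continue
        # "Name, Version=..., Culture=..." -> "Name"; the runtime probes Name.dll beside the exe
        asm = found.get("appDomainManagerAssembly", "").split(",", 1)[0].strip()
        hits.append({"exe": cfg.name[:-len(".config")], "assembly": asm,
                     "type": found.get("appDomainManagerType", ""),
                     "dll_beside_exe": cfg.with_name(asm + ".dll").exists()})
    return hits

def demo() -> list:
    """Stage the sample beside placeholder files in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        (folder / "IAStorHelp.exe").write_bytes(b"MZ")  # placeholder, not the real binary
        (folder / "IAStorHelp.exe.config").write_text(SAMPLE_CONFIG, encoding="utf-8")
        (folder / "UpdateHelper.dll").write_bytes(b"MZ")  # placeholder side-loaded assembly
        return scan_tree(folder)
```

A hit whose assembly is unsigned, or sits in a user-writable folder beside a signed vendor binary, is the case worth escalating; a hit for a vendor's own documented AppDomainManager is expected and can be allow-listed.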
The significance of this attack is that it highlights the need for organizations to take a proactive approach to securing their .NET applications and to controlling how the AppDomainManager mechanism is configured. By enabling constrained execution environments and following best practices for securing .NET applications, organizations can limit the abuse of .NET runtime components and scripting engines. This helps prevent attacks like Operation PhantomCLR and reduces the risk of malware deployment through legitimate applications.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1204.002 | User Execution | Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Execution | E1204 | User Execution |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Discovery | E1082 | System Information Discovery |
| Defense Evasion | B0029 | Polymorphic Code |
| Anti-Behavioral Analysis | B0003 | Dynamic Analysis Evasion |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-use-appdomain-hijacking/