Threat Advisory: Phantom in the Command Shell Campaigns Target Financial Industry

May 8, 2020

Researchers at Prevailion have reported a new operation called Phantom in the Command Shell. The operation has been targeting financial firms across the globe using the Evilnum malware, which is distributed to victims through a Google Drive share link.

Clicking on the Google Drive share link downloads a malicious zip archive file to the host. When decompressed, the file grants access to a Microsoft shortcut (LNK) file masquerading as a JPEG or PDF file. According to the Prevailion blog, "the first set of lures uses basic Know Your Customer elements (e.g. driver's license, credit cards, credit history documents, etc.) while a second subcluster includes a document that appears to impersonate an established financial services organization, and referenced their 2020 GDPR compliance plan".
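The lure described above relies on a Windows shortcut whose name ends in an image or document extension, which Explorer shows without the hidden ".lnk" suffix. As an added, defensive example (not code from Prevailion or Herjavec Group), the following Python scanner opens a zip archive and reports entries whose content carries the fixed shell-link header but whose name suggests something else. The archive, entry names and padded LNK bodies are constructed for the example; the header constants are those of the Windows shell-link format.

```python
import io
import struct
import zipfile

# A Windows shell link (.lnk) starts with HeaderSize 0x0000004C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 (stored little-endian).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_MAGIC = struct.pack("<I", 0x4C) + LNK_CLSID

# Document/image extensions a lure would want the victim to see.
DECOY_EXTENSIONS = (".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx")


def looks_like_lnk(data: bytes) -> bool:
    """True when the first 20 bytes are the fixed shell-link header."""
    return len(data) >= len(LNK_MAGIC) and data[: len(LNK_MAGIC)] == LNK_MAGIC


def masquerading_lnk_entries(zip_bytes: bytes) -> list:
    """Scan an archive and return (name, reason) for entries that are shell
    links dressed up as something else. An honestly named .lnk is not
    reported; the point is the mismatch between appearance and content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if not looks_like_lnk(head):
                continue
            name = info.filename.lower()
            if name.endswith(".lnk"):
                # Explorer hides ".lnk", so "x.jpg.lnk" is displayed as "x.jpg".
                shown = name[: -len(".lnk")]
                if shown.endswith(DECOY_EXTENSIONS):
                    findings.append((info.filename, "double extension"))
            else:
                findings.append((info.filename, "shell-link content without .lnk extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive; not one of the advisory's samples."""
    body = LNK_MAGIC + b"\x00" * 56  # header padded to a plausible size
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("driver_license.jpg.lnk", body)   # lure: displays as a JPEG
        zf.writestr("credit_history.pdf", body)        # LNK bytes under a PDF name
        zf.writestr("readme.txt", b"plain text, not a shortcut")
        zf.writestr("shortcut.lnk", body)              # honest shortcut, not flagged
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in masquerading_lnk_entries(build_sample_archive()):
        print(f"{name}: {reason}")
```

Run against a quarantined attachment before anyone opens it; a hit on either reason is enough to hold the file for analysis, since a legitimate sender has no reason to ship a shortcut named like a photograph.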

Given the nature of these lures, it is assumed that these efforts were targeted at select financial institutions rather than being wide-scale spam.

Once any file within the archive is opened, a malicious component, the "o.js" file, is dropped. The file is written using the Phantom language and is a traditional trojan-based malware. It gathers Windows host information using Windows Management Instrumentation (WMI) and communicates with a command and control server to receive commands and send data out.

Indicators of Compromise for the Phantom in the Command Shell operation include:
GDrive URLs
  • hxxps://drive[.]google[.]com/uc?auth_user=0&id=1KjJy7FCn-4IN7rsOSwWmSab3xVfY-wNn&export=download
  • hxxps://docs[.]google[.]com/uc?authuser=0&id=1TROQjDFvR1pw7QckQq1TUVnOYUK6tR6Q&export=download
Zip Files
  • 0f4b51dafe6bd75bce2cfbd1fe16d1af91fd958084e23b526671b4e05423f9ee
  • 97aa67531305da6fb73198fabd05b0592705c427519670a218d68d9def83f764
  • 83f1af96b4a15b3b8ec7490de83555000800779d6456ccd017ba02623704f80c
Microsoft Shortcut (LNK) Files
  • 9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5
  • b89cc69c63894c4b263be5a7b7390d3f8500a8ed4834882a7282ebca301e528e
  • 951ca0adc511173018277b090a9eae3fb389092e095dbc4a0c9b67181dc43d1b
  • 7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6
  • 4930874f700dd81bff1c0f2ec7a8f55741987e102be8164bdc4aad6ea97062cb
  • 1bd7598549a967fe6df9c79a173e3f6c6721ec21088e5e1543e2865436cce284
  • 88537039a4b87ff55ef9a57c21f728ecf90e40e532486913d763e16db04ccac4
  • 01f1f23649920e30d510f6ae48e370c82dd57ce0817d12f649615d7188c9b0e2
  • ca23b0c263652259fc9163d9981033913c9aa3d51a23b1e43f145ca0e0960a30
  • ceb892d73cbfea205239dab384101305a957bfd675486a126787a74068c1ddea
  • 83e5eeb549543e16f98eb26d848194baa8273d5e0408c72222999535f91434fe
  • 4e734713911d2bcb1ba9da2752e529387fe176aa2da0c043593c412e7dec1ade
  • bb8b6c6b9b157b093ba5ff60ec5e9e9268b3efa4ebd46a403859a4d65d21cce7
  • 7d643b369be21f07be4893097084e685f8ea7583d01f19ece6ee3bb86cec062e
  • 69d94240bf1b3dae168934be93d742e2b5e41c2767b4573ccabf3c79c8a017d4
  • e06ab6b87c4977c4ee30f3925dd935764a0ec0da11458aca4308da61b8027d76
  • 79ddc62bcab8efaef586c7e4202fa6a40a82a37571cbab309812602f7a03162b
Core Agent
  • Javascript agent version 4.0
    • 75ae7bbdbfccde37a545a6b316e885e9a6d1ecf3c069fa48594a6db6f30c41d0
  • Javascript agent version 3.6
    • 8c770d3424324030887fd6efcd7b989129f1430b8dafb482372240e93c009a24
    • 951ca0adc511173018277b090a9eae3fb389092e095dbc4a0c9b67181dc43d1b
  • Javascript agent version 3.5
    • ba4ca5ae0aeb7916a6b08320830bb48c756f7ebaa281431e1311cb66dba3bca0
    • 8100351010c260a7bdc2d283065097140418b5a33cf682f902e793ffaed263d4
  • Media.reg
    • 9fee4514f8b3027ad045e67ee8d80317dd2afbf7a996c97f47c216ead011b070
  • MediaIE.reg
    • 6cc5a6ce509a7bbbcaeab1f0635c8b14cbd6a5503cde799de3163fbf70221301
C2 Retrieval URLs
  • hxxps://gitlab[.]com/bliblobla123/testingtesting/-/raw/master/
  • hxxps://www.digitalpoint[.]com/members/bliblobla.943007/
  • hxxps://gitlab[.]com/jhondeer123/test/raw/master/
  • hxxps://www.digitalpoint[.]com/members/johndeer123.923670/
Command and Control Node
  • hxxp://139.28.37[.]63
  • hxxp://185.62.190[.]89
  • hxxp://185.62.190[.]218
Mitigation Strategies

In order to help mitigate against the Phantom campaign, Herjavec Group recommends the following:

  • Block the IOCs noted above
  • Search proactively for additional relevant IOCs in the SIEM and via back search
  • Diligently monitor inboxes, user names and emails, and do not click on suspicious links or attachments, to mitigate threats posed by phishing attacks
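As an added, defensive illustration of the first two recommendations (not code from Herjavec Group or Prevailion), the following Python matcher takes a handful of the defanged indicators published above, normalizes them (refangs URLs, lowercases hashes, separates bare IP nodes from URL prefixes) and checks them against constructed proxy, EDR and firewall log lines. The key=value log format and the field names url, sha256 and dst are assumptions for the example; adapt the parser to whatever your SIEM emits.

```python
import re

# Indicators copied from the advisory above, as published (defanged).
# A subset is enough to demonstrate the matching.
RAW_IOCS = [
    "hxxps://drive[.]google[.]com/uc?auth_user=0&id=1KjJy7FCn-4IN7rsOSwWmSab3xVfY-wNn&export=download",
    "0f4b51dafe6bd75bce2cfbd1fe16d1af91fd958084e23b526671b4e05423f9ee",
    "Ceb892d73cbfea205239dab384101305a957bfd675486a126787a74068c1ddea",
    "hxxps://gitlab[.]com/jhondeer123/test/raw/master/",
    "hxxp://139.28.37[.]63",
    "hxxp://185.62.190[.]89",
]

# Constructed sample log lines (assumed key=value format, not real telemetry).
SAMPLE_LOGS = [
    'proxy ts=2020-05-08T09:12:01Z src=10.1.2.33 url="https://drive.google.com/uc?auth_user=0&id=1KjJy7FCn-4IN7rsOSwWmSab3xVfY-wNn&export=download" status=200',
    'proxy ts=2020-05-08T09:12:05Z src=10.1.2.34 url="https://docs.google.com/document/d/unrelated" status=200',
    'edr ts=2020-05-08T09:13:40Z host=WS-117 event=file_create sha256=CEB892D73CBFEA205239DAB384101305A957BFD675486A126787A74068C1DDEA path="C:\\Users\\a\\Downloads\\o.js"',
    'fw ts=2020-05-08T09:14:02Z src=10.1.2.33 dst=139.28.37.63 dport=80 action=allow',
    'fw ts=2020-05-08T09:14:09Z src=10.1.2.35 dst=8.8.8.8 dport=53 action=allow',
]

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def refang(value: str) -> str:
    """Undo the hxxp / [.] defanging used in published indicator lists."""
    return value.replace("hxxp", "http").replace("[.]", ".")


def classify(ioc: str):
    """Return (kind, normalized) with kind in {'sha256', 'ip', 'url'}."""
    if SHA256_RE.match(ioc):
        return "sha256", ioc.lower()
    value = refang(ioc)
    host = value.split("://", 1)[1].split("/", 1)[0] if "://" in value else value
    if IPV4_RE.match(host):
        return "ip", host          # bare C2 node: match on destination address
    return "url", value.lower()    # URL or URL prefix: match on request URL


def build_index(raw_iocs) -> dict:
    index = {"sha256": set(), "ip": set(), "url": set()}
    for ioc in raw_iocs:
        kind, norm = classify(ioc)
        index[kind].add(norm)
    return index


def parse_kv(line: str) -> dict:
    """Split a key=value line, honouring double-quoted values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def match_line(line: str, index: dict) -> list:
    """Return every (kind, indicator) hit for one log line."""
    f = parse_kv(line)
    hits = []
    digest = f.get("sha256", "").lower()
    if digest in index["sha256"]:
        hits.append(("sha256", digest))
    if f.get("dst") in index["ip"]:
        hits.append(("ip", f["dst"]))
    url = f.get("url", "").lower()
    for indicator in index["url"]:
        # Prefix match covers the GitLab/digitalpoint retrieval URLs, which are paths.
        if url.startswith(indicator):
            hits.append(("url", indicator))
    return hits


def scan(lines, index: dict) -> list:
    """Return (line_number, hits) for every line with at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line, index)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOGS, build_index(RAW_IOCS)):
        print(lineno, hits)
```

The same index can be fed into a retrospective search over archived logs (the "back search" above); the normalization step matters because EDR products often report hashes in upper case while published lists mix both, and a case-sensitive lookup silently misses the match.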

For existing MSS customers, HG can assist in proactively implementing the mitigation strategies suggested.

Herjavec Group's Threat Management & Incident Response team is available for further support and consultation. If you need Incident Response support or Security Expertise, please connect with us.

Herjavec Group continues to track COVID-19 related cyberattacks. We have a complete resource center tracking COVID-19 related threats, malware types, as well as a summary of IOCs and domains specific to COVID-19. Review it here.

For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.

About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.
