eSentire Unveils Operation PhantomControl
Category: Threat Actor Activity | Industry: Global | Source: eSentire
Through the analysis of suspicious PowerShell commands during July 2023, eSentire researchers identified malicious ScreenConnect activity, unveiling an intrusion that eSentire has named Operation PhantomControl. The ScreenConnect tool was delivered through a compromised website, with eSentire's Threat Response Unit (TRU) further uncovering a vast infrastructure of at least 20 domains, including one from 'Teachflix,' a classroom learning and video-sharing site. Once the threat actors obtained access through the ScreenConnect remote access tool, they dropped various files under the ProgramData folder. They also executed batch, PowerShell, and Visual Basic scripts to push the AsyncRAT remote access trojan and harvest user data and credentials. One of the most notable payloads is a PowerShell script masquerading as an SVG file that performs process hollowing using an obfuscated binary, loads the AsyncRAT payload, writes PowerShell and VBS files to a specific folder, creates persistence with a scheduled task, and executes additional PowerShell and batch files.
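As an added illustration (not from the eSentire report), the following Python sketch turns the behaviours described above into process-creation detection rules and runs them over constructed events: the ScreenConnect client spawning a script host, PowerShell evaluating a file that claims to be an SVG, a scheduled task whose action runs a script from ProgramData, and a script host launching a dropped batch or VBS file. The sample events, install paths, command lines and rule names are assumptions made for the example.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not taken from the report.
# The ScreenConnect client path below is an assumed install location.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\ProgramData\update\run.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c iex (gc C:\ProgramData\update\icon.svg -raw)"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "wscript.exe C:\ProgramData\update\start.vbs"'},
    # Benign control: an SVG merely listed by PowerShell, outside ProgramData.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Users\alice\Documents\report.svg"},
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"].lower()
    # Rule 1: the remote-access client spawns a script interpreter.
    if "screenconnect" in parent and image in SCRIPT_HOSTS:
        hits.append("rat_spawns_script_host")
    # Rule 2: PowerShell reads or evaluates a file that claims to be an SVG image.
    if image in ("powershell.exe", "pwsh.exe") and re.search(
            r"\b(iex|invoke-expression|gc|get-content)\b.*\.svg\b", cmd):
        hits.append("powershell_executes_svg")
    # Rule 3: scheduled task whose action runs a script host against ProgramData.
    if image == "schtasks.exe" and "/create" in cmd and re.search(
            r'/tr\s+"?.*(wscript|cscript|powershell|cmd)[^"]*\\programdata\\', cmd):
        hits.append("schtask_programdata_script")
    # Rule 4: a script host launches a .bat/.vbs/.ps1 dropped under ProgramData.
    if image in SCRIPT_HOSTS and re.search(r'\\programdata\\[^\s"]*\.(bat|vbs|ps1)\b', cmd):
        hits.append("script_from_programdata")
    return hits

def detect(events):
    """Return (index, matched_rules) for every event that triggers at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := check_event(ev))]
```

Each rule is deliberately narrow; in production they would be correlated by host and time window, since the report describes them as steps of one chain rather than isolated events.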