Detecting Phantom Goblin: ABE Bypass and VSCode Abuse

Phantom Goblin is a malware campaign, identified by Cyble researchers, that relies on social engineering to distribute information stealers.
The attack begins when an archive, likely obtained through a drive-by download, is extracted. Among the extracted contents is a malicious link (shortcut) file; when executed, it invokes an encoded PowerShell command that downloads the payloads. The payloads are executables that masquerade as legitimate programs, e.g., vscode.exe, updater.exe, and browser.exe. browser.exe steals sensitive browser data, while updater.exe bypasses App Bound Encryption (ABE).
While most of the techniques Phantom Goblin employs are noisy, some are notable. One is bypassing ABE to steal cookies by launching the browser in headless mode with remote debugging enabled, which also evades Endpoint Detection and Response (EDR) tools. The malware targets Chrome, Edge, and Brave, launching them with arguments such as "headless", "remote-debugging-port", and "remote-allow-origins".
The other notable technique is the abuse of Visual Studio Code to build a remote tunnel: the masquerading vscode.exe process sets up an authentication tunnel, which is then used to execute malicious PowerShell and to send the VSCode tunnel data to a Telegram bot for further exfiltration.
To detect this activity, check for the process name code.exe with "tunnel"
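The following detection logic covers both behaviours described above: a browser launched headless with the remote-debugging port open (the ABE bypass), and code.exe started with the "tunnel" subcommand. It is an added example, not code from Cyble or from the report; it assumes process-creation telemetry (e.g. Sysmon Event ID 1) already parsed into dicts with Image, CommandLine and ParentImage fields, and the sample events, the staging-directory heuristic and the rule names are constructed for illustration.

```python
"""Process-creation detections for the two Phantom Goblin behaviours.

Added example (not from the Cyble report). Assumes Sysmon-style process
creation events already parsed into dicts; all sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}  # browsers named in the report
VSCODE = {"code.exe"}
# Constructed heuristic: a parent living in a user staging directory raises
# confidence, since the report describes payloads dropped from an archive.
STAGING_DIRS = ("\\temp\\", "\\downloads\\")


@dataclass
class Finding:
    rule: str
    image: str
    parent: str
    confidence: str  # "high" or "medium"
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping double-quoted spans intact."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def flag_names(tokens: list[str]) -> set[str]:
    """Normalise --flag, --flag=value and -flag to the bare flag name.
    --headless and --headless=new both yield 'headless'."""
    return {t.lstrip("-").split("=", 1)[0].lower()
            for t in tokens if t.startswith("-") and len(t) > 1}


def in_staging_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in STAGING_DIRS)


def evaluate(event: dict) -> list[Finding]:
    image = basename(event["Image"])
    parent_path = event.get("ParentImage", "")
    tokens = tokenize(event["CommandLine"])
    flags = flag_names(tokens)
    conf = "high" if in_staging_dir(parent_path) else "medium"
    findings: list[Finding] = []

    # Rule 1: ABE bypass pattern. A browser started headless with the DevTools
    # remote-debugging port open; --remote-allow-origins widens who may attach
    # and strengthens the match.
    if image in BROWSERS and {"headless", "remote-debugging-port"} <= flags:
        rule = "browser_headless_remote_debug"
        if "remote-allow-origins" in flags:
            rule += "_allow_origins"
        findings.append(Finding(rule, image, basename(parent_path), conf,
                                event["CommandLine"]))

    # Rule 2: VS Code started with the 'tunnel' subcommand. Match a whole
    # argument token so a path that merely contains the word is ignored.
    if image in VSCODE and any(t.strip('"').lower() == "tunnel" for t in tokens[1:]):
        findings.append(Finding("vscode_remote_tunnel", image, basename(parent_path),
                                conf, event["CommandLine"]))
    return findings


def scan(events) -> list[Finding]:
    return [f for e in events for f in evaluate(e)]


# Constructed sample events: two malicious, two benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
                    r"--remote-debugging-port=9222 --remote-allow-origins=* --user-data-dir=C:\Temp\pg_profile",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default https://example.com',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" tunnel --accept-server-license-terms',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\vscode.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\projects\tunnel-broker',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.confidence}] {f.rule}: {f.image} <- {f.parent}")
```

Rule 1 will also fire on legitimate browser automation (test harnesses drive headless Chrome over the same port), so the parent process is the main tuning lever: a parent in a user temp or download directory is scored high here, and known automation parents can be allow-listed. Rule 2 deliberately matches a standalone "tunnel" argument rather than a substring, so a project path containing the word does not trigger it.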