Hackers Exploit Obsidian Plugin for Attacks, Targeting Financial Sectors

A new malware campaign is exploiting the Obsidian Shell Commands plugin to target financial professionals, using social engineering tactics to deliver malicious payloads without exploiting software vulnerabilities.

Category: Malware & Ransomware · Severity: HIGH · 2 sources

Original Reporting

Cyber Security News · Tushar Subhra Dutta

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯Hackers are tricking people in finance into using a fake version of a popular tool called Obsidian. When they do, the hackers can secretly install malware on their computers without the victims even knowing!

How It Works

Threat actors have weaponized the Obsidian Shell Commands community plugin to execute malicious code on victims' machines without exploiting any software vulnerability. This campaign, tracked as REF6598, primarily targets individuals in the financial and cryptocurrency sectors. The attackers initiate contact through LinkedIn, posing as representatives of a venture capital firm. Once a target engages, they are invited to a Telegram group where fake partners lend the interaction additional legitimacy.

Victims are then directed to use Obsidian, falsely presented as the firm's internal management database, and given credentials for a cloud-hosted vault controlled by the attackers. Because the attackers control the vault, the plugin's configured commands run as soon as the vault is opened, requiring no further action from the victim.

Who's Being Targeted

The campaign specifically targets professionals in the financial and cryptocurrency industries, capitalizing on the trust and familiarity these individuals have with productivity tools like Obsidian. By leveraging social engineering tactics, the attackers increase their chances of success in executing the malware.

Signs of Infection

Indicators of compromise include unusual child process creation from Electron-based applications like Obsidian. Security teams should be vigilant for suspicious PowerShell executions linked to the Obsidian process, as these may indicate an ongoing attack.

How to Protect Yourself

Organizations should enforce strict community plugin installation policies and deploy behavioral endpoint detection tools to monitor for unusual activity. Security teams are advised to hunt for file events that match obsidian-shellcommands paths and block known malicious infrastructure, including IP addresses like 195.3.222[.]251 and panel.fefea22134[.]net. Additionally, Elastic Security Labs has published YARA rules for detecting the malware variants PHANTOMPULL and PHANTOMPULSE, which can serve as a practical starting point for detection.
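The hunting guidance above, as an added example that is not part of the original reporting or of Elastic's published rules: a small Python triage pass over constructed telemetry that flags the three behaviours the article names (an Electron app such as Obsidian spawning a shell interpreter, file activity under an obsidian-shellcommands path, and connections to the two published indicators). The event layout, process names and sample records are assumptions made for the example; real EDR or Sysmon field names differ.

```python
"""Triage sample endpoint telemetry for the behaviours named in the article.

Assumptions (not from the article): the event dictionaries below are a
constructed, simplified telemetry shape; real EDR/Sysmon field names differ.
"""
from typing import Iterable, List, Tuple

# Electron-hosted application of interest; the process name varies by OS.
ELECTRON_PARENTS = {"obsidian.exe", "obsidian"}
# Interpreters a note-taking app has no business launching.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "sh", "bash", "zsh"}
# Fragment of the plugin's directory path inside a vault (.obsidian/plugins/...).
PLUGIN_PATH_FRAGMENT = "obsidian-shellcommands"

# Infrastructure named in the article, stored defanged exactly as published.
DEFANGED_IOCS = ["195.3.222[.]251", "panel.fefea22134[.]net"]


def refang(ioc: str) -> str:
    """Turn a published defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_SET = {refang(i) for i in DEFANGED_IOCS}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        parent = basename(event.get("parent_image", ""))
        child = basename(event.get("image", ""))
        if parent in ELECTRON_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append("electron_spawns_shell")
    elif kind == "file":
        normalized = event.get("path", "").replace("\\", "/").lower()
        if PLUGIN_PATH_FRAGMENT in normalized:
            hits.append("shellcommands_plugin_file")
    elif kind == "network":
        if event.get("dest") in IOC_SET:
            hits.append("known_c2_infrastructure")
    return hits


def triage(events: Iterable[dict]) -> List[Tuple[int, List[str]]]:
    """Run every event through the rules; keep only the ones that fired."""
    out = []
    for idx, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((idx, hits))
    return out


# Constructed sample telemetry (not real logs): for each event type, one
# record that should match and one benign record that should not.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent_image": r"C:\Users\a\AppData\Local\Obsidian\Obsidian.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "file",
     "path": r"C:\Users\a\vault\.obsidian\plugins\obsidian-shellcommands\data.json"},
    {"type": "file", "path": r"C:\Users\a\vault\notes\todo.md"},
    {"type": "network", "dest": "195.3.222.251"},
    {"type": "network", "dest": "198.51.100.7"},  # documentation-range address
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The plugin-path rule is deliberately broad: legitimate users of Shell Commands will trigger it too, so it is a hunting pivot to review alongside the process-tree rule rather than a blocking detection on its own.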

Technical Details

The malware uses an unusual command-and-control (C2) resolution technique built on public Ethereum blockchain data. PHANTOMPULSE queries Blockscout APIs across multiple blockchain networks to retrieve XOR-encrypted C2 URLs from transactions linked to a hardcoded wallet address. A notable design flaw is that any party who extracts the wallet address and XOR key from the malware can redirect infected hosts to a sinkhole server, a weakness in the attackers' own infrastructure.
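To make the resolution scheme concrete, an added Python example (not code from the article, from Elastic Security Labs, or from the malware) of the analyst-side decoding step: given the XOR key and the transaction data tied to the wallet, recover the C2 URLs so they can be blocklisted. The key, the wallet address and the transaction records are constructed placeholders, and the record layout is a simplified stand-in rather than Blockscout's real API response.

```python
"""Recover XOR-encoded C2 URLs from blockchain transaction calldata.

Everything below is constructed: the key, the wallet address and the
transaction records are placeholders, not values from any sample, and the
record layout is a simplified stand-in for a Blockscout API response.
"""
from typing import List, Optional
from urllib.parse import urlparse

# Placeholders standing in for what an analyst would extract from a sample.
WALLET_ADDRESS = "0x0000000000000000000000000000000000000000"  # placeholder
XOR_KEY = b"k3"                                                 # constructed


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_url(candidate: bytes) -> Optional[str]:
    """Accept only payloads that decode to a plausible http(s) URL."""
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.isprintable():
        return None
    parsed = urlparse(text)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return text
    return None


def decode_c2_records(tx_inputs: List[str], key: bytes) -> List[str]:
    """Decode each transaction's calldata and keep the ones that yield a URL.

    Ordinary transfers and contract calls decode to noise and are dropped by
    the URL check, so only records written in the resolver's format survive.
    """
    urls = []
    for raw in tx_inputs:
        hex_data = raw[2:] if raw.startswith("0x") else raw
        if not hex_data:
            continue  # plain value transfer carries no calldata
        try:
            payload = bytes.fromhex(hex_data)
        except ValueError:
            continue  # malformed hex, not something the resolver could use
        url = looks_like_url(xor_bytes(payload, key))
        if url:
            urls.append(url)
    return urls


# Constructed calldata for WALLET_ADDRESS: an empty transfer, an ERC-20
# transfer selector that decodes to noise, and one XOR-encoded URL pointing
# at a documentation-range address.
SAMPLE_TX_INPUTS = [
    "0x",
    "0xa9059cbb",
    "0x03471f43511c4402520b45065a1d5a035b1d5c1c",
]

if __name__ == "__main__":
    print("wallet:", WALLET_ADDRESS)
    for url in decode_c2_records(SAMPLE_TX_INPUTS, XOR_KEY):
        print("candidate C2:", url)
```

The symmetry of `xor_bytes` is the design flaw the article describes: a resolver that trusts any transaction associated with the wallet, protected only by a key embedded in the sample, has no way to verify who wrote the record it reads. For defenders the practical use is the extraction side: decoded URLs feed blocklists and network detections directly.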

Immediate Actions

Organizations in the financial and cryptocurrency sectors should enhance their monitoring capabilities and ensure that all security measures are up to date. Regular training on recognizing social engineering tactics can also empower employees to identify and report suspicious communications.

🔒 Pro Insight

The use of trusted productivity tools in cyberattacks underscores the need for organizations to reevaluate their security policies, particularly regarding third-party plugins and social engineering defenses.
