PhantomNet
Description
(ESET) The backdoor was named Smanager_ssl.DLL by its developers but we use PhantomNet, as that was the project name used in an older version of this backdoor. This most recent version was compiled on the 26th of April 2020, almost two months before the supply-chain attack. In addition to Vietnam, we have seen victims in the Philippines, but unfortunately we did not uncover the delivery mechanism in those cases. This backdoor is quite simple and most of the malicious capabilities are likely deployed through additional plugins. It can retrieve the victim’s proxy configuration and use it to reach out to the command and control (C&C) server. This shows that the targets are likely to be working in a corporate network.
Names
| Name |
|---|
| PhantomNet |
| SManager |
Category
Malware
Type
- Reconnaissance
- Backdoor
- Loader
Information
- https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/
- https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager
- https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4
- https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214
Malpedia
Other Information
Uuid
41b6f923-e7a8-4e88-bbea-1894be386ed4
Last Card Change
2021-04-24