How PHANTOM v3 Silently Outsmarts Kaspersky: The Ultimate EDR Bypass Deep Dive + Video


Introduction:

Modern Endpoint Detection and Response (EDR) solutions like Kaspersky rely heavily on API hooking to monitor process behavior. Attacker tooling has evolved from simple malware to sophisticated frameworks like PHANTOM v3, which bypass these defenses by executing indirect system calls, spoofing parent processes, and manipulating memory so that the implant appears to be a benign Windows process. This article dissects the technical mechanics of the recent PHANTOM v3 simulation, providing a comprehensive guide to the offensive techniques used and the defensive strategies required to detect them.

Learning Objectives:

  • Understand how EDRs hook Windows API calls and how indirect syscalls evade this monitoring.
  • Learn to implement process injection techniques such as PPID spoofing and sleep obfuscation.
  • Identify the forensic artifacts and detection rules that reveal system call-based attacks.

You Should Know:

  1. The Anatomy of an EDR Bypass: Indirect Syscalls and PEB Walking

The core evasion technique used by PHANTOM v3 is the execution of indirect system calls. Traditional malware uses Windows API functions like `CreateRemoteThread` or `NtCreateThreadEx`, which EDRs hook by placing a jump (JMP) instruction at the beginning of the function in `ntdll.dll`. When a program calls that API, execution diverts to the EDR’s driver for inspection.

PHANTOM v3 bypasses this by resolving the System Service Number (SSN) directly from the Process Environment Block (PEB) and executing the syscall instruction manually. Here’s how to simulate this behavior:

  • Resolve SSNs via PEB Walk: On Windows, `ntdll.dll` is mapped into memory. By walking the PEB, you can locate the base address of `ntdll` and parse its export table to find the address of functions like NtCreateProcess. The SSN is the first 4 bytes of the function’s opcodes (e.g., mov eax, ssn).
  • Implement Indirect Syscall: Instead of calling the hooked function, use assembly to move the SSN into the `eax` register and call the `syscall` instruction. This jumps directly to the kernel, bypassing user-mode hooks entirely.

Example (Assembly Snippet):

mov r10, rcx
mov eax, ssn ; System Service Number
syscall
ret

Defensive Detection: While difficult, defenders can monitor for anomalies like the `syscall` instruction being executed from non-ntdll memory regions. EDRs are now deploying kernel callback routines (e.g., `PsSetCreateProcessNotifyRoutine`) to catch process creation at the kernel level, bypassing user-mode blind spots.
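The detection idea above can be reduced to one check: at the kernel transition, where will the syscall return to? The stubs in `ntdll.dll` (and `win32u.dll` for GUI calls) are the only legitimate origins, so a return address inside the program's own image or in an unbacked private allocation points at a hand-rolled syscall stub. The following is an added example, not code from the original post or from PHANTOM v3; the module map, the addresses and the telemetry records are constructed values, and the `classify`/`scan` helpers are hypothetical names.

```python
# Added example (not from the original post): classify a syscall by the
# user-mode address the kernel will return to. Module ranges and the
# telemetry samples below are constructed, illustrative values.
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Modules that legitimately contain `syscall` stubs on x64 Windows.
SYSCALL_STUB_MODULES = {"ntdll.dll", "win32u.dll"}

# Constructed module map for one process (illustrative addresses).
MODULES = [
    ModuleRange("ntdll.dll",    0x7FFB1A000000, 0x1F0000),
    ModuleRange("win32u.dll",   0x7FFB18000000, 0x030000),
    ModuleRange("kernel32.dll", 0x7FFB19000000, 0x0C0000),
    ModuleRange("app.exe",      0x7FF600000000, 0x040000),
]

# Constructed telemetry: (syscall name, user-mode return address recorded
# at the kernel transition, as an ETW-TI style sensor would capture it).
SAMPLES = [
    ("NtCreateThreadEx",        0x7FFB1A0A1234),     # ntdll stub: expected
    ("NtUserGetMessage",        0x7FFB18001F00),     # win32u stub: expected
    ("NtAllocateVirtualMemory", 0x7FF600012000),     # inside app.exe: hand-rolled stub
    ("NtWriteVirtualMemory",    0x000001E2C4F10050), # unbacked memory: hand-rolled stub
]


def module_for(addr: int, modules=MODULES):
    """Return the name of the module containing addr, or None if unbacked."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def classify(ret_addr: int, modules=MODULES) -> str:
    """'ok' when the syscall returns into a known stub module, otherwise
    'suspicious:<module>' or 'suspicious:unbacked'."""
    mod = module_for(ret_addr, modules)
    if mod in SYSCALL_STUB_MODULES:
        return "ok"
    return f"suspicious:{mod or 'unbacked'}"


def scan(samples=SAMPLES, modules=MODULES):
    """Return (syscall, return address, verdict) for every non-'ok' sample."""
    findings = []
    for name, addr in samples:
        verdict = classify(addr, modules)
        if verdict != "ok":
            findings.append((name, hex(addr), verdict))
    return findings


if __name__ == "__main__":
    for finding in scan():
        print(*finding)
```

Two caveats for anyone turning this into a rule: the return address has to come from the kernel side (a driver or ETW threat-intelligence provider), because a user-mode scanner can be unhooked just like the API it watches; and an implant that jumps to the `syscall` instruction inside ntdll rather than embedding its own will show ntdll as the origin, so this check should be paired with a call-stack walk that asks who called the stub.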

  2. Mastering Process Injection with PPID Spoofing and Sleep Obfuscation

To avoid detection, PHANTOM v3 ensures the malicious process masquerades as a legitimate child of `explorer.exe` (PPID Spoofing) and evades memory scanning via sleep obfuscation.

PPID Spoofing: This technique prevents the EDR from flagging a process as suspicious because its parent is a trusted binary.
1. Obtain a Handle: Use `CreateToolhelp32Snapshot` to locate the PID of a trusted process (e.g., explorer.exe).
2. Initialize Attributes: When calling `NtCreateProcess` or `CreateProcess`, use the `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS` attribute to set the parent PID to the trusted process.
3. Result: The new process (e.g., rundll32.exe) appears to have been launched by `explorer.exe` in process trees, evading basic behavioral analysis.

Sleep Obfuscation: To avoid memory scanning (where EDRs scan process memory during execution pauses), PHANTOM v3 replaces `Sleep` with custom timing loops.
– Standard Sleep: `Sleep(5000)` triggers a context switch, allowing the EDR to scan the suspended thread.
– Obfuscated Sleep: A high-resolution timer loop keeps the thread in the running state, at the cost of burning CPU cycles.

#include <windows.h>
#include <intrin.h>   // _mm_pause

// Busy-wait replacement for Sleep(): the thread never blocks, so it is never
// in the suspended state that the post describes EDR scanners keying on.
void ObfuscatedSleep(int seconds) {
    LARGE_INTEGER start, end, freq;
    QueryPerformanceFrequency(&freq);   // counter ticks per second
    QueryPerformanceCounter(&start);
    while (1) {
        QueryPerformanceCounter(&end);
        if ((end.QuadPart - start.QuadPart) / freq.QuadPart >= seconds)
            break;
        // Decrypt/Encrypt shellcode or execute benign arithmetic
        _mm_pause(); // Spin-wait hint: thread stays runnable but eases pipeline pressure
    }
}

Defensive Note: This technique increases CPU usage. EDRs can detect such loops by monitoring high-frequency performance counter queries or using memory scans that do not rely on thread state (asynchronous scanning).

  3. Credential Harvesting: Chrome ABE Bypass and Credential Extraction

The post highlights chrome_v20_pwds, indicating extraction of credentials from Chrome. Modern browsers use the Application Bound Encryption (ABE) key, which ties encryption to the application identity, preventing simple decryption by other processes.

The Bypass:

PHANTOM v3 likely uses process injection into `chrome.exe` or `msedge.exe` to execute the decryption logic within the browser’s own context.
1. Inject into Chrome: Use a technique like APC injection or thread hijacking to run a payload inside the Chrome process.
2. Call Decryption APIs: From inside Chrome, the code can call the browser’s native decryption functions (e.g., `CryptUnprotectData` for older Windows DPAPI or Chrome’s internal OSCrypt).
3. Extract to C2: The extracted credentials are then exfiltrated via the established beacon connection.

Defensive Mitigation:

  • Monitoring (Windows): Monitor for cross-process injection using Sysmon Event ID 8 (CreateRemoteThread) or Event ID 10 (ProcessAccess).
  • Hardening: Enable Application Guard for Edge or enforce Credential Guard to isolate lsass.exe, though it is less effective against browser-internal execution.
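The Sysmon monitoring advice above and the PPID spoofing steps in section 2 share one telemetry source, so a single correlation serves both. Setting `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS` requires a handle to the intended parent with `PROCESS_CREATE_PROCESS` (0x0080), which Sysmon records as an Event ID 10 shortly before the Event ID 1 for the spoofed child; injection into the browser shows up as Event ID 10 with write/thread rights or Event ID 8 against `chrome.exe`/`msedge.exe`. The following is an added example, not code from the original post or from PHANTOM v3; the event records are constructed in Sysmon's field names, the 60-second window is an assumption, and `detect` is a hypothetical helper.

```python
# Added example (not from the original post): correlate constructed Sysmon
# records (EID 1, 8, 10) to surface PPID-spoofing candidates and handles or
# remote threads aimed at the browser. Field names mirror Sysmon's; the
# records themselves are constructed.
from datetime import datetime, timedelta

# Documented Windows process access rights.
PROCESS_CREATE_THREAD  = 0x0002
PROCESS_VM_WRITE       = 0x0020
PROCESS_CREATE_PROCESS = 0x0080
BROWSERS = {"chrome.exe", "msedge.exe"}

LOADER = "C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe"          # constructed
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
EXPLORER = "C:\\Windows\\explorer.exe"

EVENTS = [
    # loader opens explorer.exe with full access (includes PROCESS_CREATE_PROCESS)
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:00", "SourceImage": LOADER, "SourceProcessId": 4412,
     "TargetImage": EXPLORER, "TargetProcessId": 2020, "GrantedAccess": "0x1FFFFF"},
    # three seconds later a child appears whose parent is that explorer.exe
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:03", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ProcessId": 5120, "ParentProcessId": 2020, "ParentImage": EXPLORER},
    # loader opens chrome.exe with VM_WRITE | CREATE_THREAD (0x43A) and starts a thread in it
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:05", "SourceImage": LOADER, "SourceProcessId": 4412,
     "TargetImage": CHROME, "TargetProcessId": 3300, "GrantedAccess": "0x43A"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:06", "SourceImage": LOADER, "SourceProcessId": 4412,
     "TargetImage": CHROME, "TargetProcessId": 3300},
    # benign noise: Chrome opening its own renderer, and a normal explorer child much later
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:07", "SourceImage": CHROME, "SourceProcessId": 3300,
     "TargetImage": CHROME, "TargetProcessId": 3310, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:10:00", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ProcessId": 6000, "ParentProcessId": 2020, "ParentImage": EXPLORER},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect(events=EVENTS, window=timedelta(seconds=60)):
    """Return (kind, source image, target/child image) findings."""
    findings = []
    # EID 10 records that granted PROCESS_CREATE_PROCESS on some target
    grants = [e for e in events if e["EventID"] == 10
              and int(e["GrantedAccess"], 16) & PROCESS_CREATE_PROCESS]
    for e in events:
        if e["EventID"] == 10:
            src, dst = basename(e["SourceImage"]), basename(e["TargetImage"])
            rights = int(e["GrantedAccess"], 16)
            if dst in BROWSERS and src not in BROWSERS and rights & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
                findings.append(("browser_injection_handle", e["SourceImage"], e["TargetImage"]))
        elif e["EventID"] == 8:
            src, dst = basename(e["SourceImage"]), basename(e["TargetImage"])
            if dst in BROWSERS and src not in BROWSERS:
                findings.append(("browser_remote_thread", e["SourceImage"], e["TargetImage"]))
        elif e["EventID"] == 1:
            # a child of P created soon after someone else obtained CREATE_PROCESS on P
            for g in grants:
                if (g["TargetProcessId"] == e["ParentProcessId"]
                        and g["SourceProcessId"] != e["ParentProcessId"]
                        and timedelta(0) <= ts(e["UtcTime"]) - ts(g["UtcTime"]) <= window):
                    findings.append(("ppid_spoof_candidate", g["SourceImage"], e["Image"]))
    return findings


if __name__ == "__main__":
    for finding in detect():
        print(*finding)
```

The PPID rule fires on a candidate, not a certainty: legitimate launchers (installers, some RMM agents) also open explorer.exe with that right, so the value of the rule lies in the pairing of grant, child and the source image's location, not in the grant alone.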

  4. Privilege Escalation: getsystem_v3 and NT AUTHORITY\SYSTEM

Once inside the machine, the attacker elevates privileges to SYSTEM. The `getsystem_v3` module likely utilizes a combination of token manipulation and service exploitation.

Technique: Named Pipe Impersonation

This is a classic method where a service running as SYSTEM is coerced into connecting to a malicious named pipe.
1. Create Pipe: The attacker creates a named pipe with a known name that services usually connect to (e.g., \\.\pipe\spoolss).
2. Start Service/Process: The attacker starts a service or triggers a COM object that runs as SYSTEM, causing it to connect to the pipe.
3. Impersonate Client: Using `ImpersonateNamedPipeClient`, the attacker’s thread assumes the SYSTEM token.

Code Example (Windows):

#include <windows.h>

// Fragment as on the page; return values are unchecked here. Real code tests
// hPipe against INVALID_HANDLE_VALUE and the two later calls for FALSE.
HANDLE hPipe = CreateNamedPipe(
    L"\\\\.\\pipe\\spoolss",   // \\.\pipe\spoolss, backslashes escaped for a C literal
    PIPE_ACCESS_DUPLEX,
    PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
    PIPE_UNLIMITED_INSTANCES,
    512, 512, 0, NULL);
ConnectNamedPipe(hPipe, NULL);
ImpersonateNamedPipeClient(hPipe);
// Now running as SYSTEM

Detection: Enable Sysmon Event ID 17 (Pipe Created) and 18 (Pipe Connected) to audit named pipe operations. Look for unexpected `CreateNamedPipe` calls from non-spoolsv.exe processes.
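The audit described above, written out over constructed Sysmon Event ID 17 and 18 records: a pipe whose name belongs to a well-known service but whose creator is not that service's image is flagged, and any later client connection to that pipe is flagged as well, since that is the moment a privileged caller would be impersonated. This is an added example, not code from the original post or from PHANTOM v3; the owner table is a constructed, deliberately partial mapping, the log records are constructed, and `audit_pipes` is a hypothetical helper.

```python
# Added example (not from the original post): audit constructed Sysmon pipe
# events (EID 17 Pipe Created, EID 18 Pipe Connected). The expected-owner
# table and the records below are constructed values.

# Pipe name as Sysmon logs it (leading backslash) -> images allowed to create it.
EXPECTED_PIPE_OWNER = {
    "\\spoolss":  {"spoolsv.exe"},
    "\\lsass":    {"lsass.exe"},
    "\\samr":     {"lsass.exe"},
    "\\netlogon": {"lsass.exe"},
}

PIPE_EVENTS = [
    # the real spooler creating its own pipe
    {"EventID": 17, "ProcessId": 1240, "Image": "C:\\Windows\\System32\\spoolsv.exe", "PipeName": "\\spoolss"},
    # an unrelated binary creating a pipe with the spooler's name
    {"EventID": 17, "ProcessId": 4412, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe", "PipeName": "\\spoolss"},
    # a SYSTEM service (constructed) connecting to that name afterwards
    {"EventID": 18, "ProcessId": 904,  "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\spoolss"},
    # benign: PowerShell's own host pipe, not in the table
    {"EventID": 17, "ProcessId": 7001, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "PipeName": "\\PSHost.1.2.3"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def audit_pipes(events=PIPE_EVENTS, owners=EXPECTED_PIPE_OWNER):
    """Return (kind, pipe name, image, pid) findings in log order."""
    owners = {k.lower(): v for k, v in owners.items()}
    findings = []
    rogue = set()   # service pipe names seen created by an unexpected image
    for e in events:
        name = e["PipeName"].lower()
        if e["EventID"] == 17:
            expected = owners.get(name)
            if expected is not None and basename(e["Image"]) not in expected:
                rogue.add(name)
                findings.append(("unexpected_pipe_creator", name, e["Image"], e["ProcessId"]))
        elif e["EventID"] == 18 and name in rogue:
            findings.append(("client_connected_to_rogue_pipe", name, e["Image"], e["ProcessId"]))
    return findings


if __name__ == "__main__":
    for finding in audit_pipes():
        print(*finding)
```

Because Event ID 18 does not say which instance of a multi-instance pipe the client reached, the second finding is a correlation hint rather than proof; the creator finding is the one to alert on, and the owner table should be built from the environment's own baseline rather than from the four entries constructed here.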

What Undercode Say:

  • Offensive Evolution: PHANTOM v3 demonstrates that EDRs are no longer sufficient when facing attackers who understand kernel transition mechanisms. Relying solely on user-mode hooks is a losing strategy.
  • Defensive Necessity: To combat this, organizations must layer defenses. Kernel-level telemetry (e.g., Sysmon with kernel drivers, ETW TI), memory scanning that ignores thread state, and strict application control (AppLocker/WDAC) are critical to block the initial execution vectors like Office macros.

Prediction:

The arms race will shift entirely to the kernel. We predict an increase in “Bring Your Own Vulnerable Driver” (BYOVD) attacks to disable EDR kernel drivers, alongside the rise of EDRs integrating AI to detect anomalous syscall sequences rather than just specific API calls. The next generation of EDR will rely on behavioral signatures derived from syscall frequency and argument analysis, rendering simple syscall redirection obsolete within the next 18 months.

Reported By: Mehdi Le – Hackers Feeds