Listen to this Post

Introduction:
A sophisticated Russian phishing campaign, tracked as Operation MoneyMount-ISO, is leveraging a cunning multi-stage attachment chain to bypass traditional email security. By exploiting ISO files—disk image formats that mount as virtual drives—attackers are successfully delivering the potent Phantom information-stealing malware directly into victim memory, evading signature-based detection. This resurgence of ISO-based techniques marks a significant evolution in initial access vectors, blending old formats with modern evasion tactics.
Learning Objectives:
- Understand the technical delivery chain of the Phantom Stealer campaign using ZIP, ISO, and LNK files.
- Learn to identify and analyze suspicious ISO file attachments and their behavior on Windows systems.
- Implement defensive strategies and technical controls to detect and block this ISO-based initial access technique.
You Should Know:
- The Anatomy of the Attack: From ZIP to Memory Execution
The attack chain is designed to bypass email gateways that often block executable (.exe) files. It begins with a phishing email containing a ZIP archive. Inside this archive is an ISO file. When a victim double-clicks the ISO, Windows automatically mounts it as a new virtual drive (e.g., E:). This action itself is a trusted, native Windows function. The mounted drive contains a disguised malicious executable, often camouflaged with a document icon, and a decoy file to lower suspicion. Clicking this executable triggers a process that ultimately injects the Phantom Stealer payload directly into memory, minimizing disk footprint.
Step-by-step guide to manually inspect a suspicious ISO:
Never perform these steps on a production or personal machine without proper isolation. Use a dedicated, disposable virtual machine (VM).
1. Isolate the File: Download or acquire the suspect file within an isolated, sandboxed environment.
2. Examine Without Mounting: On Linux, use command-line tools to inspect contents safely.
List contents of the ZIP without extracting unzip -l suspect_file.zip If it contains an ISO, examine the ISO's contents isoinfo -l -i suspect_file.iso
3. Analyze in a Windows Sandbox: In a secured Windows VM, you can mount the ISO and examine its contents programmatically via PowerShell before execution.
Mount the ISO to inspect (in a safe environment)
Mount-DiskImage -ImagePath "C:\suspect_file.iso"
Get the drive letter it was mounted to
$isoDrive = (Get-DiskImage -ImagePath "C:\suspect_file.iso" | Get-Volume).DriveLetter
List contents
Get-ChildItem -Path "${isoDrive}:\" -Force
Look for files with hidden extensions or abnormal icons
4. Check File Hashes: Obtain the hash of the embedded executable for threat intelligence lookup.
Get-FileHash -Path "${isoDrive}:\malicious_file.exe" -Algorithm SHA256
2. Phantom Stealer’s Capabilities and Data Exfiltration
Once successfully executed in memory, Phantom Stealer springs into action. It is a powerful info-stealer designed to harvest a wide array of sensitive data from the compromised system. Its primary targets include saved browser credentials (passwords, cookies, autofill data), cryptocurrency wallet information, and files from desktop directories. It may also capture screenshots and system information. The stolen data is then typically encrypted and exfiltrated to a command-and-control (C2) server controlled by the attackers, leading to financial fraud, credential stuffing attacks, or corporate espionage.
Step-by-step guide to simulate and understand info-stealer behavior (for defensive analysis):
1. Set Up a Honeytoken: Create fake credential files and browser data in a controlled lab environment to monitor access attempts.
2. Monitor Process Activity: Use Sysinternals Process Monitor (Procmon) on Windows to filter for the malicious process name and see all file, registry, and network operations in real-time.
3. Analyze Network Traffic: Use a tool like Wireshark in your lab to capture outbound traffic. Filter for DNS queries to suspicious domains and HTTP/HTTPS POST requests to unknown IPs, which are indicative of data exfiltration.
In Wireshark, apply a filter to see potential exfiltration: http.request.method == "POST"
4. Use Threat Intelligence: Take the C2 domains or IPs found and look them up in threat intelligence platforms like VirusTotal, AlienVault OTX, or AbuseIPDB to confirm maliciousness.
- Why ISO Files Are the Perfect Bypass Tool
ISO files present a unique challenge for security tools. Many email security gateways and endpoint protection platforms are configured to be highly vigilant against executable attachments (.exe, .ps1, .js) but may treat ISO files—a container format for CD/DVD images—with less scrutiny or even whitelist them for business functionality. Furthermore, when an ISO is mounted, the malicious executable within is launched from a new drive letter, which can bypass security policies that restrict execution from user download directories (likeDownloads). The use of LNK files or disguised icons within the ISO adds another layer of social engineering.
Step-by-step guide to hardening defenses against ISO-based threats:
- Implement Attachment Filtering: Configure your email gateway to block or sandbox incoming ZIP and ISO files from untrusted sources. Treat ISO files with the same suspicion as executables.
- Restrict ISO Mounting via Group Policy: In corporate Windows environments, you can disable the automatic mounting of ISO files via Group Policy.
Navigate toComputer Configuration -> Administrative Templates -> Windows Components -> File Explorer.
Enable the policy: “Turn off automatic mounting of new volumes.” - Apply Attack Surface Reduction (ASR) Rules: Use Microsoft Defender’s ASR rules. The rule “Block executable content from email client and webmail” can help prevent the launch of executables from within mounted ISO images.
- Enable Cloud-Delivered Protection: Ensure Microsoft Defender for Endpoint or your chosen EDR’s cloud-based analytics is enabled, as it can detect the in-memory behavior and script-based activities following ISO execution.
-
Detecting the Attack with EDR and SIEM Queries
Early detection is critical. Endpoint Detection and Response (EDR) tools and Security Information and Event Management (SIEM) systems can be configured with specific queries to hunt for indicators of this attack chain.
Step-by-step guide for creating detection rules:
- Detect ISO Mount Events: Create an alert for rapid succession of events: file written to
C:\Users\\Downloads\.iso, followed immediately by a volume mount event.// Example Splunk/Sentinel query logic DeviceFileEvents | where FileName endswith ".iso" | where ActionType == "FileCreated" | join kind=inner ( DeviceEvents | where ActionType == "VolumeMounted" ) on DeviceId
- Detect Execution from Mounted Drives: Hunt for processes launching from non-standard drive letters (not C:) or from recently mounted volumes.
DeviceProcessEvents | where InitiatingProcessFileName endswith ".exe" | where InitiatingProcessFolderPath startswith "D:\" or InitiatingProcessFolderPath startswith "E:\" | project Timestamp, DeviceName, FileName, FolderPath, AccountName
- Hunt for Phantom Stealer Memory Patterns: Work with your security vendor or open-source threat intelligence to incorporate memory signatures or specific API call sequences associated with Phantom Stealer into your EDR alerts.
5. The Living-off-the-Land (LotL) Connection and Mitigation
As highlighted in the original discussion, this campaign heavily utilizes LotL binaries (BinLOL). The initial binary inside the ISO may be a legitimate, signed tool (like a document converter or a simple installer) that is then used to sideload or fetch the final Phantom payload. This abuse of trusted software makes application allow-listing crucial.
Step-by-step guide to implement LotL mitigations:
- Enforce Application Control: Deploy policies like Windows Defender Application Control (WDAC) to create a default-deny list for executables. Only allow applications from trusted publishers, paths, or with specific certificates.
- Restrict Script Execution: Use Group Policy to restrict PowerShell script execution and constrain PowerShell language modes.
Check the current execution policy Get-ExecutionPolicy -List Set a restrictive policy via GPO or locally Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine
- Enhanced Logging: Enable PowerShell script block logging and AMSI (Antimalware Scan Interface) integration to scan scripts and payloads in memory before execution.
- User Training: Conduct regular phishing simulations that specifically test for archive file attachments (ZIP, ISO, RAR) and educate users on the dangers of “enabling content” or running files from mounted drives.
What Undercode Say:
- Tactical Regression is a Key Offensive Strategy. Attackers are not always innovating with new exploits; they are expertly repurposing older, less-monitored techniques like ISO files. This “what’s old is new again” approach directly targets defense gaps created by an over-focus on the latest threats.
- The Blurred Line Between User Convenience and Security Risk. The native, automatic mounting of ISO files in Windows is a feature designed for user convenience. Operation MoneyMount-ISO starkly illustrates how such features are weaponized, forcing defenders to make difficult choices between usability and security, often requiring the disabling of core OS functionalities.
Analysis: This campaign is a masterclass in adversary adaptation. It bypasses not just technical controls but also human psychology—users are less wary of a “disk image” than an “application.” The shift to memory-only execution of the final payload shows a direct counter to improved disk-scanning capabilities in modern antivirus. Defenders must now prioritize behavior-based detection over static file analysis and aggressively control the execution chain from email gateway to endpoint memory. The commentary noting this as a Living-off-the-Land tactic is precise; the attack minimizes its malicious footprint by exploiting trusted system functions (mounting drives) and potentially using legitimate binaries, making it silent and highly effective.
Prediction:
The success of Operation MoneyMount-ISO will catalyze a rapid, widespread adoption of ISO and other virtual disk file formats (like VHD, IMG) by phishing campaigns across the threat landscape, not just Russian-affiliated groups. We will see a corresponding tightening of default security policies in major operating systems, potentially leading Microsoft to change the default auto-mount behavior for ISO files in future Windows releases. Furthermore, info-stealers like Phantom will continue to evolve towards more modular, fileless persistence, pushing the industry’s detection focus deeper into memory analysis and lateral movement behavior, making robust EDR and skilled threat hunting teams non-negotiable for enterprise defense.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Michael Tchuindjang – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


