Operation PhantomCLR Hijacks Intel Driver to Deploy Stealthy Malware
Operation PhantomCLR exploits a legitimate Intel driver to hijack the .NET CLR and deploy malware, bypassing security tools by using a trusted, signed binary without modifying its code.

Executive Summary
Security researchers have identified a sophisticated attack campaign, dubbed Operation PhantomCLR, that weaponizes a legitimate, digitally signed Intel driver to hijack the .NET Common Language Runtime (CLR) and deploy malware. The technique, known as AppDomain Manager hijacking, allows attackers to execute malicious payloads from memory without altering the original trusted binary, effectively bypassing many security controls that rely on signature validation and file integrity checks.
Technical Analysis
The attack centers on the abuse of a legitimate Intel driver utility, IntelBTH.exe, which is signed by Intel Corporation. According to researchers, the attackers do not modify this binary. Instead, they manipulate the .NET runtime environment so that it loads a malicious assembly. The core of the technique is the hijacking of the AppDomain Manager, a component within the .NET CLR responsible for initializing application domains. By setting the COR_ENABLE_PROFILING and COR_PROFILER values, either as environment variables or under the CLR's registry configuration keys, attackers can force a .NET application (or, in this case, a trusted utility that loads the CLR) to load a designated malicious DLL during startup.
In Operation PhantomCLR, the attackers configure the system so that when the signed Intel utility executes, the CLR loads a malicious profiler DLL. This DLL, operating from within the trusted process's memory space, then deploys the final malware payload. The entire chain executes from memory, leaving no malicious artifacts on disk from the initial loader, which significantly complicates detection for traditional antivirus and endpoint detection and response (EDR) solutions.
Tactics, Techniques & Procedures
The primary technique observed is AppDomain Manager Hijacking (T1574.012), a sub-technique of Hijack Execution Flow. This falls under the broader MITRE ATT&CK tactic of Defense Evasion. The operation demonstrates a living-off-the-land (LotL) approach by abusing a trusted, signed vendor binary (IntelBTH.exe). Persistence is likely established via registry modification that sets the CLR profiling environment variables, so the malicious DLL is loaded each time the utility runs. Execution occurs entirely in memory, aligning with the In-Memory Execution (T1055) technique to avoid disk-based detection.
Threat Actor Context
The campaign is tracked under the name Operation PhantomCLR. The source material does not attribute the activity to a known advanced persistent threat (APT) group or financially motivated actor. The high degree of technical sophistication, focusing on stealth and abuse of trusted components, suggests the work of a capable threat actor, but specific origins, motivations, and targets remain unclear from the provided information.
Mitigations & Recommendations
Organizations should monitor for suspicious registry modifications related to the .NET CLR, particularly the HKLM\SOFTWARE\Microsoft\.NETFramework or HKCU\SOFTWARE\Microsoft\.NETFramework keys where COR_ENABLE_PROFILING and COR_PROFILER values can be set. Application control or allow-listing policies can be effective if configured to block unexpected CLR profiling. Endpoint security tools should be tuned to detect in-memory .NET assembly loading and execution from signed binaries that do not typically exhibit such behavior. Monitoring process lineage for trusted vendor processes spawning unusual child processes or making anomalous network connections is also advised.