TrojanDropper:Win32/PhantomStar.A!dha is the detection for the self-extracting RAR file which is placed on the target device and launches Trojan:Win32/PhantomStar.A!dha or Trojan:Win32/Autophyte.A!dha. This malware has been linked with Diamond Sleet and is used to gain initial access to a target's network.
Remove the affected system from the network
Thoroughly investigate for other infections in the network
Threat behavior
Upon launching the self-extracting RAR file, the malware installs the following files:
%Temp%\EnTaskLoader.exe, which is detected as Trojan:Win32/PhantomStar.A!dha or Trojan:Win32/Autophyte.A!dha
Job Inquiry 2017.docx, a clean decoy document containing a resume, which is left in the current folder.
The trojan dropper then launches EnTaskLoader.exe, which installs a copy of itself as %localappdata%\Java\bin\jdk1.8.0_73\javafxpackager.exe; this copy is likewise detected as Trojan:Win32/PhantomStar.A!dha or Trojan:Win32/Autophyte.A!dha.
EnTaskLoader.exe (javafxpackager.exe) is a remote access trojan that disguises itself as a DRM Migration DLL.
Prevention
Take precautions when opening archives, as self-extracting RAR files can launch the files they contain.
Suspicious files found in the %Temp% folder and in %localappdata%\Java\bin\jdk1.8.0_73
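The symptom above can be checked for directly. The following Python script is an added example and is not part of the Microsoft write-up: it resolves the two dropped-file paths named on this page against the host's environment (assumed here to expose them as the TEMP and LOCALAPPDATA variables), reports the named files and any other file sitting in the jdk1.8.0_73 folder, and includes a constructed sample directory tree (the file name extra.dll in it is invented for the demo) so it can be run offline.

```python
import os
import tempfile

# Artifact locations given in the write-up: (environment variable, path parts).
DROPPED_FILES = [
    ("Temp", ["EnTaskLoader.exe"]),
    ("localappdata", ["Java", "bin", "jdk1.8.0_73", "javafxpackager.exe"]),
]
# The write-up treats any file in this folder as suspicious, not only the named one.
SUSPICIOUS_DIR = ("localappdata", ["Java", "bin", "jdk1.8.0_73"])


def _resolve(env, var, parts):
    """Expand a %VAR%-relative path; variable lookup is case-insensitive as on Windows."""
    lowered = {k.lower(): v for k, v in env.items()}
    base = lowered.get(var.lower())
    return None if base is None else os.path.join(base, *parts)


def find_phantomstar_artifacts(env):
    """Return the indicator paths that exist on disk, given an env mapping such as os.environ."""
    hits = set()
    for var, parts in DROPPED_FILES:
        path = _resolve(env, var, parts)
        if path and os.path.isfile(path):
            hits.add(path)
    folder = _resolve(env, *SUSPICIOUS_DIR)
    if folder and os.path.isdir(folder):
        for name in os.listdir(folder):  # anything in this folder is suspicious
            hits.add(os.path.join(folder, name))
    return sorted(hits)


def demo_on_constructed_host():
    """Constructed sample: a fake Temp and LocalAppData tree with the dropped files present."""
    root = tempfile.mkdtemp(prefix="phantomstar-demo-")
    temp_dir = os.path.join(root, "Temp")
    local_app = os.path.join(root, "Local")
    jdk_dir = os.path.join(local_app, *SUSPICIOUS_DIR[1])
    os.makedirs(temp_dir)
    os.makedirs(jdk_dir)
    for path in (os.path.join(temp_dir, "EnTaskLoader.exe"),
                 os.path.join(jdk_dir, "javafxpackager.exe"),
                 os.path.join(jdk_dir, "extra.dll")):  # constructed extra file
        open(path, "wb").close()
    infected = find_phantomstar_artifacts({"TEMP": temp_dir, "LOCALAPPDATA": local_app})
    clean = find_phantomstar_artifacts({"TEMP": root, "LOCALAPPDATA": root})
    return [os.path.basename(p) for p in infected], clean


if __name__ == "__main__":
    for hit in find_phantomstar_artifacts(os.environ):  # real scan on a Windows host
        print("indicator present:", hit)
```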