SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims

Since July 2024, an ongoing scam campaign has been using copyright-infringement themes to trick victims into installing an updated version of the Rhadamanthys information stealer.


The large-scale campaign, which cybersecurity company Check Point tracks as CopyRh(ight)adamantys, targets the United States, Europe, East Asia, and South America.

According to the company's technical analysis, “The campaign involves pretending to be numerous organizations, with each email being directed at a specific target from a distinct Gmail account, adjusting the imitated company and language based on the targeted party.” The report also notes that most of the impersonated companies belong to the Entertainment/Media and Technology/Software sectors.

A notable aspect of the attacks is the use of Rhadamanthys stealer version 0.7, which adds AI-powered optical character recognition (OCR), as documented by Recorded Future's Insikt Group last month.

Check Point also noted an overlap with a campaign disclosed last week by Cisco Talos, which targeted Facebook business and advertising account users in Taiwan to distribute the Lumma or Rhadamanthys malware.


The attack begins with spear-phishing emails that allege copyright violations while impersonating well-known companies.

The emails are sent from Gmail accounts posing as legal representatives of the impersonated companies. They accuse the recipient of misusing the company's brand on social media and demand the removal of specific images and videos.

Check Point explained, “Instructions for removal are claimed to be inside a protected file. Nevertheless, the attached file is actually a download link to appspot.com associated with the Gmail account, which redirects the user to Dropbox or Discord to download a password-protected archive (with the password given in the email).”


The RAR archive contains three files: a legitimate executable vulnerable to DLL side-loading, a malicious DLL carrying the stealer payload, and a decoy document. When the executable runs, the Windows loader resolves one of its imports from the application directory before the system directories, so it picks up the malicious DLL instead of the genuine one, and that DLL deploys Rhadamanthys.
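The side-loading pattern above can be checked mechanically once the archive is extracted: parse the executable's import directory and see which imported DLL names also ship in the archive. The following is an added example for this article, not code from Check Point or from the campaign; it includes a pure-`struct` PE import parser and a constructed, non-runnable minimal PE32+ file so that it runs offline. The file names (`UpdateTool.exe`, `version.dll`, `Copyright_Notice.pdf`) and the import list are invented for the demonstration.

```python
import struct


def build_minimal_pe(dll_names):
    """Build a tiny PE32+ file whose only content is an import directory.

    Constructed sample for offline testing; it is not a real executable and
    does not run. Only the structures pe_imports() reads are populated.
    """
    sect_va, sect_raw, sect_size = 0x1000, 0x200, 0x200
    names_off = 20 * (len(dll_names) + 1)            # descriptors (20 bytes each) + null terminator
    names_blob, name_rvas = b"", []
    for name in dll_names:
        name_rvas.append(sect_va + names_off + len(names_blob))
        names_blob += name.encode() + b"\0"
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    descriptors = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    section = (descriptors + names_blob).ljust(sect_size, b"\0")

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)    # x64, 1 section, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 120, sect_va, len(descriptors))  # data directory[1] = import table
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".idata", sect_size, sect_va, sect_size, sect_raw,
                           0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect_hdr).ljust(sect_raw, b"\0")
    return headers + section


def pe_imports(data):
    """Return the DLL names listed in a PE file's import directory (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_base = opt_off + (112 if magic == 0x20B else 96)          # data directories start here
    import_rva = struct.unpack_from("<I", data, dir_base + 8)[0]  # entry 1 = import table
    if import_rva == 0:
        return []
    sect_off = opt_off + opt_size
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    sections = [struct.unpack_from("<IIII", data, sect_off + 40 * i + 8) for i in range(nsect)]

    def rva_to_off(rva):
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} not in any section")

    def cstring(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    names, off = [], rva_to_off(import_rva)
    while data[off:off + 20] != b"\0" * 20:                   # descriptor array is null-terminated
        name_rva = struct.unpack_from("<I", data, off + 12)[0]
        names.append(cstring(rva_to_off(name_rva)))
        off += 20
    return names


def sideload_candidates(exe_bytes, bundled_files):
    """DLLs the executable imports that also ship beside it in the archive.

    Windows resolves imports from the application directory before the system
    directories (except for names on the KnownDLLs list), so a bundled DLL whose
    name matches an import is loaded in place of the real one.
    """
    bundled = {f.lower() for f in bundled_files}
    return sorted(d for d in pe_imports(exe_bytes) if d.lower() in bundled)


if __name__ == "__main__":
    # Constructed archive listing mirroring the three-file RAR: executable, DLL, decoy document.
    listing = ["UpdateTool.exe", "version.dll", "Copyright_Notice.pdf"]
    exe = build_minimal_pe(["KERNEL32.dll", "version.dll"])     # constructed import list
    print(pe_imports(exe))                                       # ['KERNEL32.dll', 'version.dll']
    print(sideload_candidates(exe, listing))                     # ['version.dll']
```

On a real sample, read the extracted executable's bytes with `open(path, "rb").read()` and pass the archive's file list; a hit means the legitimate, often signed, executable will load the bundled DLL, and that DLL is the file to analyse. The parser only reads the import directory, so delay-load imports and DLLs loaded at runtime via `LoadLibrary` are not covered.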

Check Point attributes the campaign to a likely cybercrime group and suggests, given its scale and the variety of lures and sender addresses, that the operators may have used AI tools to generate them.

Check Point stated, “The campaign’s broad and non-selective targeting of organizations across various regions hints that it may have been orchestrated by a financially driven cybercrime group instead of a nation-state entity.” The report added, “The extensive reach, automated phishing strategies, and diversified lures showcase how attackers continually adapt to enhance their efficacy.”

New SteelFox Malware Exploits Vulnerable Driver

Separately, Kaspersky has disclosed a new “all-inclusive crimeware set” known as SteelFox, which spreads through forums, torrent sites, and blogs, posing as legitimate software such as Foxit PDF Editor, JetBrains products, and AutoCAD.

The campaign, active since February 2023, has impacted victims globally, focusing on countries such as Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka, with no known attribution to any specific threat entity or group.

Kaspersky’s security researcher Kirill Korchemny elaborated, “Propagated using complex execution mechanisms that involve shellcoding, this threat misuses Windows services and drivers, deploying stealer malware to siphon the victim’s credit card information and device details.”

The chain starts with a dropper posing as a cracked copy of popular software, which requests administrative privileges when run. It then drops a second-stage loader that establishes persistence and launches the SteelFox DLL.


The administrative access is then abused to create a service that loads an outdated version of WinRing0.sys, a Windows hardware-access driver affected by known flaws such as CVE-2020-14979 and CVE-2021-41285, which gives the attacker NT\SYSTEM privileges. This is the bring-your-own-vulnerable-driver pattern: the driver is a legitimate component, so its installation looks like an ordinary service creation unless the driver name, hash, or load path is checked.

Korchemny added, “This driver is also part of the XMRig miner and is utilized for mining operations. After setting up the driver, the sample triggers the miner, which is an altered version of XMRig with redundant code segments. It establishes a link with a mining pool using hardcoded credentials.”
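The driver-installation step leaves a record that defenders can triage: Windows writes System log event 7045 (“A service was installed in the system”) whenever a service or kernel driver is registered. The following is an added example for this article, not code from Kaspersky or from the SteelFox sample; it parses the EventData portion of such events and flags a kernel driver that is either on a watch-list of abused driver names or registered from a user-writable directory. The event records are constructed samples (service names, user name, and paths are invented, and the two-entry watch-list is deliberately minimal; a production rule would use a full vulnerable-driver list such as Microsoft's driver block rules).

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Minimal watch-list: the driver named in the article and its 64-bit build name.
ABUSED_DRIVER_NAMES = {"winring0.sys", "winring0x64.sys"}

# Path fragments a non-admin user can normally write to. A kernel driver registered
# from one of these is a strong BYOVD signal regardless of the file name.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Constructed sample EventData blocks in the shape of Windows System event 7045.
SAMPLE_EVENTS = [
    r"""<EventData>
          <Data Name="ServiceName">WinRing0_1_2_0</Data>
          <Data Name="ImagePath">\??\C:\Users\alice\AppData\Local\Temp\WinRing0x64.sys</Data>
          <Data Name="ServiceType">kernel mode driver</Data>
          <Data Name="StartType">demand start</Data>
          <Data Name="AccountName"></Data>
        </EventData>""",
    r"""<EventData>
          <Data Name="ServiceName">acmesensor</Data>
          <Data Name="ImagePath">System32\drivers\acmesensor.sys</Data>
          <Data Name="ServiceType">kernel mode driver</Data>
          <Data Name="StartType">system start</Data>
          <Data Name="AccountName"></Data>
        </EventData>""",
    r"""<EventData>
          <Data Name="ServiceName">VendorUpdater</Data>
          <Data Name="ImagePath">"C:\Program Files\Vendor\updater.exe"</Data>
          <Data Name="ServiceType">user mode service</Data>
          <Data Name="StartType">auto start</Data>
          <Data Name="AccountName">LocalSystem</Data>
        </EventData>""",
    r"""<EventData>
          <Data Name="ServiceName">hwmon</Data>
          <Data Name="ImagePath">C:\ProgramData\HwTools\hwmon.sys</Data>
          <Data Name="ServiceType">kernel mode driver</Data>
          <Data Name="StartType">demand start</Data>
          <Data Name="AccountName"></Data>
        </EventData>""",
]


def parse_event_data(xml_text):
    """Map <Data Name="..."> elements to a dict; tolerant of the win/2004/08/events namespace."""
    root = ET.fromstring(xml_text)
    return {e.get("Name"): (e.text or "") for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "Data"}


def triage_service_install(event):
    """Return the reasons a 7045 event looks like vulnerable-driver abuse (empty list = no finding)."""
    image = event.get("ImagePath", "").strip('"')
    if image.startswith("\\??\\"):             # NT object-manager prefix often present on driver paths
        image = image[4:]
    is_driver = "driver" in event.get("ServiceType", "").lower()
    basename = PureWindowsPath(image).name.lower()
    reasons = []
    if is_driver and basename in ABUSED_DRIVER_NAMES:
        reasons.append(f"known-abused driver: {basename}")
    if is_driver and any(seg in image.lower() for seg in USER_WRITABLE):
        reasons.append("kernel driver registered from a user-writable path")
    return reasons


def triage_all(xml_events):
    """(ServiceName, reasons) for every event, so both hits and clean records are visible."""
    results = []
    for xml_text in xml_events:
        ev = parse_event_data(xml_text)
        results.append((ev.get("ServiceName", "?"), triage_service_install(ev)))
    return results


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_EVENTS):
        print(f"{name:16} {'ALERT ' + '; '.join(reasons) if reasons else 'ok'}")
```

The fourth sample shows why the path check matters: a renamed copy of the driver evades the name list but still fires on the user-writable location. The reverse also holds, since an attacker who already has administrative rights (as SteelFox does) can copy the driver into `System32\drivers` before registering it, so the name check, or better a hash check against a vulnerable-driver list, remains necessary. Exported events carry the `http://schemas.microsoft.com/win/2004/08/events/event` namespace; the parser strips it, so the same code works on `Get-WinEvent` XML output.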

The miner is downloaded from a GitHub repository. The malware also contacts a remote server over TLS 1.3 to exfiltrate data harvested from web browsers, including cookies, credit card details, browsing history, visited locations, system metrics, installed software, time zone, and more.

“By incorporating modern C++ and external libraries, this malware showcases advanced capabilities,” highlighted Kaspersky. “The use of TLSv1.3 and SSL pinning ensures secure data gathering and communication.”
