RHADAMANTHYS Stealer Weaponizing RAR Archive To Steal Login Credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly surfaced cyber campaign targeting Israeli users has thrust the sophisticated RHADAMANTHYS information stealer into the spotlight.

Originating from Russian-speaking cybercriminals and offered as a Malware-as-a-Service, RHADAMANTHYS excels at data exfiltration. 

Recent samples and in-depth analysis reveal a complex infection chain and extensive payload capabilities, highlighting the evolving threat landscape and underscoring the need for robust defenses against this potent malware. 

Phishing Email

The attack employs a social engineering tactic, using a Hebrew phishing email disguised as a legitimate notification from Calcalist and Mako.


The email falsely claims copyright infringement and demands immediate action, leveraging urgency and fear of legal repercussions; the time pressure and anxiety about potential legal trouble are meant to push the recipient past normal caution and security checks.

RAR archive attachment

The malicious email carried a locked RAR archive. Upon extraction, a suspicious executable named “תמונות מפרות זכויות יוצרים.exe” with SHA256 hash A7DBBAD8A1CD038E5AB5B3C6B1B312774D808E4B0A2254E8039036972AC8881A was discovered.

The file is 1,804,072 bytes in size, is likely malicious, and requires further analysis in a controlled environment to determine its exact functionality and potential harm.

Upon execution, RHADAMANTHYS employs anti-analysis and anti-emulation tactics to hinder detection in sandbox environments, then initiates a multi-staged infection process that leverages the bundled msimg32.dll and a larger support file to establish a foothold on the compromised system.

RHADAMANTHYS is a sophisticated information stealer that injects into legitimate Windows processes to evade detection and uses anti-analysis techniques such as virtual machine and debugger detection and time-based evasion.

The malware persists through registry modification, exfiltrates sensitive data, including credentials, browsing history, cryptocurrency information, and system details, and communicates with its C2 server using encrypted traffic over HTTPS and a non-standard port. 

According to the researcher, it also functions as a downloader for subsequent malware payloads, posing a significant threat to compromised systems. 

The malware exhibits malicious behavior across multiple system components, including aggressive DNS lookups, potentially for evasive maneuvers or C2 communication.

Network connections to 103.68.109.208 on various ports from multiple processes indicate probable command-and-control activity, while the creation and manipulation of files in temporary and user directories suggest data exfiltration and persistence mechanisms.

Numerous registry changes, such as autorun entries and browser tampering, intended to maintain a persistent infection and control user interactions, reveal a sophisticated threat whose objectives are data theft and system takeover.

Key APIs behind these actions are VirtualAllocEx (which allocates memory within the target process), CreateRemoteThread (which runs the injected code), RegSetValueEx (which makes the changes to the system persistent), and CryptEncrypt/CryptDecrypt (which could be used for encrypted communication with the command-and-control server).
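As an added example (not code from the article or from the researchers' analysis), the following Python correlates the behaviour chain described above over constructed Sysmon-style events: a remote thread created in a legitimate process, an autorun registry value, and a connection to the address named in the report. The event format, file paths, port and the hypothetical process names are assumed sample values; only the IP address comes from the article.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events in a simplified key=value form (sample data, not real telemetry).
# Event IDs follow Sysmon: 8 = CreateRemoteThread, 13 = registry value set, 3 = network connection.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Users\\u\\Downloads\\stage.exe ProcessId=1200",
    "EventID=8 SourceImage=C:\\Users\\u\\Downloads\\stage.exe TargetImage=C:\\Windows\\System32\\svchost.exe",
    "EventID=13 Image=C:\\Windows\\System32\\svchost.exe TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=103.68.109.208 DestinationPort=8443",
    "EventID=3 Image=C:\\Program Files\\Browser\\browser.exe DestinationIp=203.0.113.10 DestinationPort=443",
]

C2_ADDRESSES = {"103.68.109.208"}  # the address named in the report; port above is a constructed value
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)  # autorun persistence location

def parse_event(line):
    """Split 'key=value key=value' into a dict; values may contain spaces (e.g. paths)."""
    return dict(re.findall(r"(\w+)=(.+?)(?= \w+=|$)", line))

def detect_stealer_chain(events):
    """Correlate injection, autorun persistence and C2 contact, attributing actions of an
    injected process back to the process that injected into it. Returns {origin: [findings]}."""
    injected_by = {}                   # target image -> image that injected into it
    findings = defaultdict(list)
    for raw in events:
        e = parse_event(raw)
        eid = e.get("EventID")
        if eid == "8":
            injected_by[e["TargetImage"]] = e["SourceImage"]
            findings[e["SourceImage"]].append(f"remote thread created in {e['TargetImage']}")
            continue
        image = e.get("Image", "")
        origin = injected_by.get(image, image)  # blame the injector, not the legitimate host process
        if eid == "13" and RUN_KEY_RE.search(e.get("TargetObject", "")):
            findings[origin].append(f"autorun value written: {e['TargetObject']}")
        elif eid == "3" and e.get("DestinationIp") in C2_ADDRESSES:
            findings[origin].append(f"contact with known C2 {e['DestinationIp']}:{e['DestinationPort']}")
    return dict(findings)

if __name__ == "__main__":
    for origin, hits in detect_stealer_chain(SAMPLE_EVENTS).items():
        print(origin)
        for hit in hits:
            print("  -", hit)
```

The benign browser connection produces no finding, while all three suspicious actions are attributed to stage.exe even though two of them were performed by the injected svchost.exe.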

The YARA rule attempts to identify RHADAMANTHYS samples by matching specific strings, a common code pattern, and file characteristics, using a mix of text and hexadecimal patterns that reflect the malware’s features.

To mitigate the threat, organizations should prioritize email security through robust filtering and sandboxing, enhance user awareness with phishing training, deploy advanced endpoint protection, segment networks, regularly back up critical data, enforce patch management, restrict application execution, and implement multi-factor authentication.
