RHADAMANTHYS Weaponizes RAR Archives to Steal Your Logins

Rhadamanthys, a sophisticated information stealer, emerged in late 2023 as a Malware-as-a-Service (MaaS) offering on exclusive cybercrime forums. 

The malware harvests sensitive data from infected systems, such as credentials, cookies, and personal information, and is most likely the work of Russian-speaking threat actors.

Its name alludes to the mythological judge of the underworld, reflecting its comprehensive data collection capabilities. The attack employs a Hebrew phishing email masquerading as a legal notice from prominent Israeli news outlets, Calcalist and Mako. 

The email leverages social engineering by creating a sense of urgency through a copyright infringement claim and a 24-hour deadline, exploiting fear and time pressure to induce victims to bypass security protocols and open a malicious attachment disguised as legal documentation. 

Phishing Email

A malicious email attachment, disguised as a locked RAR archive, contains three components: a potentially malicious executable named “תמונות מפרות זכויות יוצרים.exe” with SHA256 hash A7DBBAD8A1CD038E5AB5B3C6B1B312774D808E4B0A2254E8039036972AC8881A, a DLL file “msimg32.dll” with SHA256 hash 48AAA2DEC95537CDF9FC471DBCBB4FF726BE4A0647DBDF6300FA61858C2B0099, and a large support file with SHA256 hash f3291a98446b3a24a7ccd4b44bc05bfd48502179835fe3429f81d211579f5a4b. 

RAR archive attachment

RHADAMANTHYS is a sophisticated information stealer employing anti-analysis tactics for evasive execution by injecting malicious code into legitimate processes, persisting through registry modification, and exfiltrating sensitive data, including credentials, browsing history, cryptocurrency information, and system details, to a C2 server via encrypted channels. 

The malware exhibits malicious behavior through excessive DNS lookups, indicative of potential evasion tactics and C2 communication. Network analysis reveals suspicious connections to IP address 103.68.109.208 on multiple ports via OpenWith.exe, OOBE-Maintenance.exe, and dllhost.exe. 

It also creates numerous temporary files, drops components like “FirefoxData.dll,” and aggressively reads user directories, strongly suggesting data exfiltration and persistence mechanisms. 

The malicious actor extensively modifies the HKEY_CURRENT_USER registry hive, establishing persistence through autorun entries as browser configuration is altered via registry tampering. 

To evade detection, the threat actor injects code into legitimate processes and spawns child processes, leveraging Living-Off-the-Land Binaries like cmd.exe for covert operations. 

VirtualAllocEx allocates remote process memory for code injection. CreateRemoteThread executes this injected code, enabling malicious activity. RegSetValueEx manipulates registry settings for persistence, ensuring the threat’s survival across system restarts. 

CryptEncrypt and CryptDecrypt functions are commonly used for encrypting and decrypting communication data, potentially indicating Command and Control (C2) interactions with a remote server. 

RHADAMANTHYS underscores a maturing cyber threat landscape where malicious actors leverage sophisticated Malware-as-a-Service platforms to craft highly targeted attacks, exemplified by the region-specific phishing campaigns against Israeli users. 

These attacks extend beyond credential theft, aiming for comprehensive data exfiltration. To mitigate risks, organizations must fortify email security with advanced filtering and sandboxing, bolster endpoint protection with EDR and XDR tools, enforce network segmentation, and prioritize regular patching and backups. 

According to the researcher, mandatory multi-factor authentication and application whitelisting are crucial to contain lateral movement and protect critical systems.

RHADAMANTHYS is a sophisticated information stealer employing multi-stage infection, anti-analysis techniques, and extensive data exfiltration capabilities, posing a significant threat to Israeli users. 

Its targeted nature raises concerns about potential geopolitical motivations beyond financial gain, as proactive defense strategies are imperative to counter this evolving malware and its associated risks. 

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here