Cyble Research and Intelligence Labs detailed an information-stealing malware named Rhadamanthys that accesses several browsers and crypto wallets. It is spread on target systems via emails with downloads for apps including zoom.
However, it performs its malicious activities only if it detects the machine is not running in a controlled environment.
Rhadamanthys stealer C&C panel (Source: Cyble)
The Rhadamanthys stealer attack is initiated on Google Ads that take targets to phishing emails or phishing websites via redirects. The fake websites look legitimate and are of the following sites:
- Zoom
- AnyDesk
- Notepad++
- Bluestacks
The attacks using phishing emails, on the other hand, are sent with a PDF attachment titled Statement.pdf. The email body contains text that talks about the recent activity of the user and shows a link that they must click to verify what the email asks. It also asks for an ‘immediate response’ in most emails to force the user to use the malicious link that would initiate the Rhadamanthys stealer attack.
When an unsuspecting user downloads the attachment, it brings in the malware from a link such as https[:]\zolotayavitrina[.]com/Jan-statement[.]exe as found by researchers from Cyble. The download is stored in the downloads folder.
Following this, a set of malicious downloads begins. An installer gets downloaded which also looks legitimate on the screen. The stealer malware gets downloaded.
The installer file gets executed which creates a folder called ST and saves it in the %temp% location. It drops two hidden binary executable files including Initialize 4.exe. The other loader is Runtime Broker.exe with SHA256: db66fc58c07ba0ccbe1b9c2db770179d0d931e5bf73838da9c915581661d4c1a. It is a 32-bit PyInstaller executable.
Runtime Broker.exe saves several Python-supporting files in the %temp% folder extracted from the PyInstaller executable including:
Raw obfuscated data is found in the Binary_Stub_Replacer.pyc which gets de-obfuscated by replace function and is converted into Binary and ASCII format.
Python content of Binary_Stub_Replacer.pyc (Source: Cyble)
Following this, the second stage malicious python code is retrieved which has an embedded base64-encoded content of the shellcode. After executing the python code, the base64-encoded stub creates a new portable executable (PE) payload file.
This file gets injected into another Runtime Broker.exe process with the CreateThread() API function. The shellcode is a 32-bit executable file created using Microsoft visual C/C++ compiler.
Payload file (Source: Cyble)
Criteria for Rhadamanthys stealer to run in the machine.
- The shellcode generates a mutex object to check if it has more copies of the malware in the infected device. It makes sure that there is only one at any time.
- To evade detection, the malware looks for the presence of a virtual environment and a controlled environment. If it results in a positive, it ceases its execution.
- It looks for strings associated with virtual machine environments to find if it is running on a virtual machine like VMware and VirtualBox.
AntiVM related strings (Source: Cyble)
When all the criteria are met, the shellcode drops a DLL file called nsis_unsibcfb0.dll in saves it in the %temp% folder. It gets launched using rundll32.exe which contains the code of the Rhadamanthys stealer. Researchers found traces leading to show that the developers used a steganography image that was downloaded from a remote server. It is suspected that the shellcode decrypted the steganography image to get the Rhadamanthys stealer payload.
Stealing activities of the Rhadamanthys stealer
At this stage, Rhadamanthys stealers activities kick in with it collecting system data including:
- Name of the computer
- Username
- RAM data
- CPU data
- OS version
- HWID
- Time zone of the system
- The set user and keyboard language
The data is collected by running a series of Windows management instrumentation (WMI) queries. After this, the browser directories are searched for accessing data from:
- Login data
- History
- Bookmarks
- Auto-fills
- Cookies
The malware has access to the following browsers:
- Brave
- Chrome
- CocCoc
- Edge
- Firefox
- Opera Software
- Pale Moon
- Sleipnir5
Although the Rhadamanthys stealer can steal data from several crypto wallets, it had specific functionality to access the following:
- Armory
- Binance
- Bitcoin
- Bytecoin
- Electron
- Qtum-Electrum
- Solar wallet
- WalletWasabi
- Zap
- Zecwallet Lite
- Zcash
The following image shows the crypto wallet browser extensions:
(Source: Cyble)
Rhadamanthys stealer is capable of taking screenshots of the system data using the BitBlt() API function. It can steal from the following applications:
- FTP clients including CoreFTP and WinSCP
- Emails including GmailNotifierPro, Outlook, Foxmail, Thunderbird, and TrulyMail
- File managers including Total commanders
- Password managers including RoboForm and KeePass
- VPN including NordVPN, OpenVPN, ProtonVPN, and Windscribe VPN
- Messaging apps including Telegram, Discord, and Tox
Technical details of the Rhadamanthys stealer
Researchers found the following phishing domains:
- bluestacks-install[.]com
- zoomus-install[.]com
- install-zoom[.]com
- install-anydesk[.]com
- install-anydeslk[.]com
- zoom-meetings-install[.]com
- zoom-meetings-download[.]com
- anydleslk-download[.]com
- zoomvideo-install[.]com
- zoom-video-install[.]com
- istaller-zoom[.]com
- hasankahrimanoglu[.]com[.]tr
To defend against the presently active Rhadamanthys stealer and several similar malware that are sold under the Malware as a Service (MaaS) model, researchers ask users to install security products that detect phishing emails and websites. It is critical that pirated software from sources including Warez/ Torrent is avoided.
Cyble also noted that the ‘Hack Tool’ on sites such as YouTube contains malware. They maintained that data exfiltration can be blocked by monitoring the beacon on the network level.