Stealer malware is a type of malicious software designed to infiltrate computers and extract sensitive information.
Once installed, it communicates with a command-and-control server operated by threat actors and enables data theft like saved passwords and browser cookies.
Security experts at CheckPoint recently warned of fake copyright claims that deliver Rhadamanthys stealer malware.
A widespread phishing campaign known as “CopyRh(ight)adamantys,” is actively using spam and a weaponized malware known as “Rhadamanthys Stealer”, capable of stealing sensitive data from its victims’ computers.
Threat actors operating this campaign have changed their operational strategy, as they impersonate several legitimate companies and falsely accuse the targets of copyright infringement on their personal social media platforms like Facebook.
To execute this scheme, the threat actors set up Gmail accounts allegedly belonging to lawyers of the dummy companies, and these emails are specifically tailored for each target.
Here these emails claim the recipient has misused the company’s brand and demand the removal of certain images and videos.
Challenges that MDR can help you resolve -> Get a Free Guide
These emails contain files with instructions for installing the new version of Rhino software, which then installs the Rhadamanthys stealer malware on the infected system.
It uses advanced functionalities, like engines powered by artificial intelligence. Still, other sources could not find any AI-powered systems within the malware, claiming that it used some classical machine learning techniques commonly implemented within the OCR software applications.
Besides this, the threat actors in this campaign may be employing AI to generate large numbers of Gmail accounts to send out conceivably self-written phishing emails targeting specific local or English speakers.
However, it sometimes contains inaccuracies, like one email attempting to target an Israeli individual was mistakenly composed in Korean instead of Hebrew, with all other aspects localized to the victim’s name only.
With the need to undertake a deep analysis of this phishing campaign, Check Point Research seeks to raise awareness and support organizations in mitigating this sophisticated threat.
This threat seeks to exploit organizations and individuals in quite several regions and industries but pays particular focus to organizations operating in the “entertainment,” “media,” “technology” and “software industries.”
In this campaign, Rhadamanthys malware has exhibited an alarmingly wide reach, impacting organizations across:-
- The United States
- Europe
- The Middle East
- East Asia
- South America
The researchers’ analysis suggests that this is more likely to be the work of a threat group and not a move initiated by the nation-state actor, as the campaign’s wide scope and the use of off-the-shelf malware suggest that the threat actors are “financially motivated.”
Companies involved in copyright activities and their email addresses were reportedly used in numerous phishing schemes, making the impersonation of these companies very likely to the attackers.
The current observations at the moment are in regard to the targets that are within CheckPoint’s customer niche, but the large number of emails reported to be faked indicates this may be a small fraction of a larger operation that may have destructive implications.
It has been recommended that businesses implement comprehensive security solutions to prevent this type of evolving phishing attack by delivering thorough coverage of attack tactics and file types.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!