Threat actors make use of fast-evolving multi-layer malware for their complexity and sophistication, as they offer the ability to rapidly adapt and change their code.
To make analysis and countermeasures more difficult, this sophisticated type of malware often employs the following key things:-
- Multiple layers of obfuscation
- Multiple layers encryption techniques
Cybersecurity researchers at Check Point recently discovered the Rhadamanthys, an information stealer sold on the Dark Web’s black markets and frequently updated.
The developers of this fast-evolving multi-layer malware recently released a new major version, which is “0.5.0.”
Rhadamanthys Multi-layer Malware
Rhadamanthys gained attention in a September 2022 black market ad, and it’s known for its rich features and polished design.
The seller, “King Crete,” displayed professionalism by sparking speculation about potential other authored malware.
Besides this, the development and advertising for this stealer are ongoing, with the latest version being 0.5.0 on a Tor-based site. This new version comes with a multitude of changes and interesting features.
Though it’s largely rewritten, the 32-bit Windows PE initial loader for Rhadamanthys retains artifacts from the previous version (0.4.9).
An added feature checks the executable’s name, exiting if it suggests sandbox analysis (hexadecimal characters of lengths 16, 32, 40, or 64).
Configuration and additional modules are embedded in the initial executable, unpacked during execution, and passed to subsequent stages.
A new section in initial triage: .textbss, which was initially empty (raw size = 0), was filled at runtime with shellcode, similar to previous versions, but now unpacks and loads the first module regardless of location.
The XS1-format component was exposed in the second loading stage, and the change was detected in the initial triage during the string dump attempt. The Flare FLOSS unveiled module hints through dumped strings, which the author now obfuscates.
Besides this, the Post-PE conversion and IDA analysis start function’s outline reveals a distinct and refined design.
The new release introduces TLS for temporary buffers, especially in decoding obfuscated strings. TLS is allocated in init_xs_module, TlsAlloc value is stored globally, and a custom structure is attached to TLS for buffer allocation.
The saved buffer was retrieved for multiple uses in deobfuscating data like strings. The string decryption function was passed as a callback, and the buffer was cleared after use.
Atypical use of TLS in this functionality, unclear design rationale. String deobfuscation algorithms vary at different malware stages.
Rhadamanthys modules employ raw syscalls for native API calls, evading hooking and obfuscating API names. Indirect syscalls bypass NTDLL hooks, and the author addresses the issue using a variant of the technique.
Both 32 and 64-bit modules use raw syscalls; WoW64 process syscall execution is handled with Heaven’s Gate technique. Stage 2 modules prepare and obfuscate stealers in package no. 2 from C2.
Netclient connects to C2, downloads payload in WAV format, verifies with hash, and decrypts the XS1 module using the proto module.
XS1 then loads subsequent stages, and finally, coredll.bin (XS2 format) coordinates tasks, reports to C2, and initializes built-in stealers.
Besides this, the author constantly adds features, transforming this stealer into a multipurpose bot. This indicates that Rhadamanthys aims to be a major player in the evolving malware market.