Researchers Detail Rhadamanthys Loader’s Advanced Anti-Sandboxing and Anti-AV Emulation Techniques

Rhadamanthys, a sophisticated information-stealing malware active since 2022, has drawn renewed attention from security researchers who recently published an in-depth analysis of its native loader component.

The loader’s significance lies not in its capabilities but in the advanced obfuscation and evasion techniques it employs to evade detection by security tools and analysis environments.

The Rhadamanthys loader implements a complex obfuscation strategy combining three distinct techniques that work in concert to defeat static analysis.

Security researchers identified jump target obfuscation, control flow flattening, and constant obfuscation as the primary defensive mechanisms.

Jump target obfuscation conceals destination addresses by loading them from memory and adding a key register value, preventing disassemblers from statically resolving code execution paths.

Control flow flattening (CFF) removes the direct relationships between code blocks by introducing a dispatcher that uses a state variable to select which block executes next, essentially turning the function into a massive switch statement with high-entropy numerical cases.

The constant obfuscation layer obscures all program constants by storing them in memory locations and retrieving them through load operations combined with additions.

This prevents decompilers from performing standard optimizations that would reveal the actual values, as memory operands resist automatic constant folding.

Sophisticated Anti-Sandbox Detection

Check Point Research documented extensive environment checks performed by the loader’s “Strategy” module before establishing command-and-control communication.

The malware examines multiple system characteristics to identify sandboxed or virtualized environments.

The researchers’ jump deobfuscation logic is in deob_jumps.py, with utility code for instruction shifting and rewriting in deob_util.py.

Control flow graph for loader main function.

The loader retrieves the current desktop wallpaper and calculates its SHA1 hash, comparing it against the hardcoded value 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d that represents the default Triage sandbox wallpaper.

It searches for standard sandbox test files including “foobar.jpg,” “foobar.mp3,” “foobar.txt,” “foobar.wri,” and “waller.dat”.

Username enumeration targets sandbox-typical accounts such as “JohnDeo,” “HAL9TH,” “JOHN,” “JOHN-PC,” “MUELLER-PC,” “george,” and “DESKTOP-B0T.”

The malware also checks for dummy credential files like “keys.txt” and “passwords.txt,” comparing their content hashes to detect replicated sandbox artifacts.

Rhadamanthys employs UUID version 1 generation through the UuidCreateSequential API to stealthily extract MAC addresses from network interfaces.

The 48-bit Node identifier in UUIDv1 contains the hardware MAC address, which the malware compares against an extensive blocklist of known virtual network adapters.

Additionally, the loader queries hardware IDs through Windows Management Instrumentation with the WQL statement SELECT UUID FROM Win32_ComputerSystemProduct and validates the results against a comprehensive list of known sandbox identifiers.

These hardware ID blocklists show overlap with identifiers used by other information stealers, including Skuld and Bandit Stealer.

The loader implements a sophisticated behavioral analysis evasion mechanism based on timer callbacks rather than direct execution.

Upon window creation, the malware establishes Timer ID 2, which collects cursor position, foreground window information, and timestamps every 30 milliseconds for 1,500 iterations, creating a mandatory 45-second delay before payload execution.

The collected telemetry then undergoes validation checks requiring that the cursor position changed at least 30 times and that at least two different foreground windows were observed, one of which does not belong to the desktop process.

If these conditions fail, the loader initiates another 45-second observation period with enhanced checks including Euclidean distance calculations between cursor positions to detect simulated rather than genuine user interaction.

This approach specifically targets AV emulators and automated analysis systems that may simulate mouse movement at regular intervals without the fluid, natural patterns characteristic of human behavior.

However, advanced sandboxes like CAPE and VMRay successfully pass these validation checks.

Custom Binary Encoding Scheme

The payload encoding employs a proprietary binary-to-string algorithm that the developers attempted to keep concealed, referred to as “Flutter” in .NET loader variants.

The encoding scheme maps character ranges to numeric output values, with uppercase A-Z mapping to 0-25, lowercase a-z to 26-51, and digits 0-9 to 52-61.

Special characters and multi-character combinations extend the encoding space, with prefix characters modifying output ranges.

The space character combined with A-Z or a-z produces values 91-142, while period prefixes combined with alphanumeric characters yield 143-204.

Underscore prefixes generate the highest ranges, with underscore plus uppercase producing 205-230 and underscore plus lowercase generating 231-255.
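The character-to-value mapping described above, implemented as an encoder/decoder pair so an analyst can recover raw payload bytes from the string form. This is an added example, not code from the original article or from Check Point Research; it covers only the ranges the write-up spells out (0-61 and 91-255) and rejects anything else, and it follows the stated 231-255 range literally, which leaves room for only 25 lowercase letters after an underscore.

```python
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
ALNUM = UPPER + LOWER + DIGITS  # 62 symbols, assumed ordering A-Z, a-z, 0-9


def _build_tables():
    """Build byte->token and token->byte maps from the documented ranges."""
    byte_to_token = {}
    for i, c in enumerate(UPPER):            # A-Z      -> 0-25
        byte_to_token[i] = c
    for i, c in enumerate(LOWER):            # a-z      -> 26-51
        byte_to_token[26 + i] = c
    for i, c in enumerate(DIGITS):           # 0-9      -> 52-61
        byte_to_token[52 + i] = c
    # 62-90: special characters and combinations the write-up does not detail, so left unmapped.
    for i, c in enumerate(UPPER + LOWER):    # ' ' + A-Z/a-z -> 91-142
        byte_to_token[91 + i] = " " + c
    for i, c in enumerate(ALNUM):            # '.' + alnum   -> 143-204
        byte_to_token[143 + i] = "." + c
    for i, c in enumerate(UPPER):            # '_' + A-Z     -> 205-230
        byte_to_token[205 + i] = "_" + c
    for i, c in enumerate(LOWER[:25]):       # '_' + a-y     -> 231-255 (25 values as stated)
        byte_to_token[231 + i] = "_" + c
    return byte_to_token, {t: b for b, t in byte_to_token.items()}


BYTE_TO_TOKEN, TOKEN_TO_BYTE = _build_tables()


def encode(data: bytes) -> str:
    """Binary-to-string direction used by the loader to carry the payload."""
    out = []
    for b in data:
        if b not in BYTE_TO_TOKEN:
            raise ValueError(f"byte {b} lies in a range the write-up does not document")
        out.append(BYTE_TO_TOKEN[b])
    return "".join(out)


def decode(text: str) -> bytes:
    """String-to-binary direction: what an analyst runs on a captured encoded payload."""
    out, i = bytearray(), 0
    while i < len(text):
        c = text[i]
        if c in " ._":                       # prefix characters always consume one more char
            if i + 1 >= len(text):
                raise ValueError(f"dangling prefix {c!r} at end of input")
            tok, i = c + text[i + 1], i + 2
        else:
            tok, i = c, i + 1
        if tok not in TOKEN_TO_BYTE:
            raise ValueError(f"unmapped token {tok!r} ending at offset {i}")
        out.append(TOKEN_TO_BYTE[tok])
    return bytes(out)
```

Prefixes (space, period, underscore) never appear as stand-alone tokens, so the decoder is unambiguous without a length field.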

Beyond this custom encoding, the payload receives additional encryption using SM4, a Chinese block cipher.

The algorithm’s required components, including the S-Box and the FK and CK tables, are themselves obfuscated within the loader and are only loaded into memory temporarily during decryption operations.

Recent versions of Rhadamanthys transitioned from sophisticated steganography to a more direct approach for payload delivery.

Earlier versions concealed encrypted payloads within legitimate-appearing WAV audio files or JPEG images, while version 0.9.2 switched to PNG format with a significantly simplified implementation.

The current PNG-based approach abandons the facade of legitimate media files, instead directly storing payload data as pixel values following a specific structure containing encryption keys, size information, hash verification data, and the actual payload.

This produces visibly noisy images but maintains functional effectiveness while simplifying the extraction process.

Configuration and Mutex Updates

Version 0.9 introduced significant changes to configuration structure and mutex generation to defeat existing detection and prevention tools.

The configuration format now uses a 0xBEEF DWORD marker instead of the historical 0x59485221 (!RHY) identifier, with the structure requiring LZO decompression after initial decryption.

Mutex generation now incorporates a 16-byte seed value from the configuration, hashed together with the magic value XRHY.

The resulting hash generates mutex names following GUID-like format strings such as Global\MSCTF.Asm.{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, making universal vaccination approaches ineffective.

The bot identification system ties each infection to two unique system identifiers: the MachineGuid from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography and the Volume Serial Number retrieved via GetVolumeInformationW.

These values are hashed together using SHA1 and represented as hexadecimal strings, enabling attackers to blacklist specific systems more effectively.
