Rhadamanthys information stealer introduces AI-driven capabilities
October 02, 2024
The Rhadamanthys information stealer has been upgraded with advanced features, including the use of artificial intelligence (AI) for optical character recognition (OCR).
Researchers at the Recorded Future’s Insikt group have documented the evolution of the Rhadamanthys info stealer. The malware was first identified in 2022, and since then it has been upgraded with advanced features, the latest version 0.7.0 introduces AI-driven capabilities for extracting cryptocurrency seed phrases from images.
The infostealer can steal credentials, system information, and financial data from infected systems, it supports sophisticated evasion techniques, including MSI installer disguise. Threat actors offer the malware for sale on underground forums, however, they ban customers from targeting specific regions.
The latest version of the Rhadamanthys information stealer uses artificial intelligence (AI) for optical character recognition (OCR) to support “Seed Phrase Image Recognition.”
“This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies.” reads the report published by Recorded Future’s Insikt Group. “The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation.”
The malware is developed by a threat actor known as “kingcrete2022ˮ that advertises the info stealer on multiple hacking forums, including XSS, Exploit, Best Dark, Opencard, and Center-Club. The malware allows operators to harvest a broad range of information, including system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data stored in various applications.
The subscription fee is $250 per month, or $550 for 90 days.
Version 0.6.0 was released in February 2024, while latest version 0.7.0 of Rhadamanthys was released in June 2024.
“Version0.7.0, the most recent version, includes a complete rewrite of both client-side and server-side frameworks, improving the program’s execution stability. Additionally, 30 wallet-cracking algorithms, AI-powered graphics, and PDF recognition for phrase extraction were added. The text extraction capability was enhanced to identify multiple saved phrases.” reads the report. “Bugs and issues from the previous version were resolved. The Telegram module was rewritten to support HTML formatting and multi-token polling, while the synchronization module now includes file transfer protocol (FTP) support for remote log transfers. The search filter module has been rewritten, and an application programming interface (API) interface with an open platform has been introduced.”
The Rhadamanthys malware infection chain remains unchanged across the various versions. The three stages composing the attack chain:
- Stage 1, the second stage shellcode is unpacked and loaded.
- In Stage 2, system preparations like process injection and evasion checks occur, while communication with the C2 server is established, and CoreDLL (Stage 3) is loaded.
- In Stage 3, stealers and additional modules, including image/OCR processing, are executed, and the collected data is sent back to the C2 server.
Rhadamanthys uses mutex objects to ensure only one instance runs on an infected host at a time, utilizing specific bytes for mutex creation.
“Knowing the mutex values and that Rhadamanthys will terminate if they are present enables the creation of a killswitch/vaccine.” continues the report.
Rhadamanthys has enhanced its functionality by implementing additional plugins, starting from version 0.5.0 and expanding in subsequent updates. The experts identify four main plugins, a Keylogger, DataSpyer, Clipper, and Reversed Proxy. In version 0.5.0, these plugins were implemented as .NET assemblies, loaded through the loader.dll file responsible for managing .NET assemblies. However, with the release of version 0.7.0, the plugin system was updated. The plugins are now packaged in ZIP files containing two components: classes.dex and manifest.json, which resemble the structure of an Android Package Kit (APK), although they are not actual APKs.
The report includes Tactics,Techniques,and Procedures (TTPs) associated with this threat.
Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Zimbra)