Rhadamanthys: The “Everything Bagel” Infostealer – Check Point Research

Rhadamanthys is a feature-rich infostealer that debuted on the dark web and has drawn attention for its expansive, “everything on a bagel” design. The Check Point Research analysis covers its multi-stage loader, forensic methods to resolve in-memory API calls, and the broad data theft capabilities that can impact large organizations through incidental drive-by infections. #Rhadamanthys #KingCrete #CanadaGovernmentAgency #IndiaInfrastructure #GoogleChrome

Keypoints

  • Rhadamanthys is an advanced infostealer that debuted on the dark web in September and was well received by cybercriminals.
  • Its feature set is maximalist, designed to steal a wide range of data from browsers, wallets, password managers, VPNs, and more.
  • Campaigns target countries indiscriminately (excluding CIS) with drive-by and deceptive distribution, including samples masquerading as legitimate software (e.g., OBS Studio).
  • The malware uses a multi-stage loader and suspended-process injection, including VM evasions and function unhooking to evade detection.
  • Researchers developed a forensics technique to resolve API calls from orphaned memory dumps, enabling interactive disassembly of the malware’s logic.
  • Chrome data theft is a highlighted capability, with the malware locating Chrome directories, reading Cookies/Login Data, and parsing JSON/SQL to exfiltrate credentials.
  • Crypto-wallet theft is heavily emphasized, with a long list of supported wallets and enhancements in newer versions.
  • Incidents show telemetry of inadvertent large-target infections, including a Canadian government agency and an Indian energy infrastructure entity.

MITRE Techniques

  • [T1189] Drive-by Compromise – Drive-by infections spread Rhadamanthys; ‘one campaign disseminated samples under the guise of video editing software, such as OBS studio, pushed to the crowd of unsuspecting streamers via Google ads.’
  • [T1036] Masquerading – Disguises distribution as legitimate software; ‘disseminated samples under the guise of video editing software, such as OBS studio…’
  • [T1059.001] PowerShell – Uses crafted PowerShell scripts on victims; ‘hand-crafted powershell to be executed on the victim machine.’
  • [T1055] Process Injection – Injects code into a suspended process; ‘creates a suspended process from C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe then replaces the suspended process’ sections one-by-one with injected malicious code.’
  • [T1012] Query Registry – Interacts with Windows registry; ‘takes a registry key as an argument’ (observed in RegQueryValueExW usage, via advapi32.dll).
  • [T1083] File and Directory Discovery – Locates data directories and files; ‘Searching for the correct directory containing all the data’ and locating Chrome data under %LOCALAPPDATA%\Google\Chrome\User Data\Default
  • [T1041] Exfiltration Over C2 Channel – Data is exfiltrated to C2; ‘exfiltrate all files matching a Windows search query’ and later ‘reported back to the attacker.’
  • [T1497] Virtualization/Sandbox Evasion – VM evasions drawn from the Al-Khaser project; ‘VM evasions taken from the Al-Khaser project.’
  • [T1555.001] Credentials in Password Stores – Steals credentials from password managers and 2FA apps (RoboForm, WinAuth, Authy, KeePass); ‘steals credentials from 2FA applications and password managers RoboForm, WinAuth, Authy and KeePass.’
  • [T1113] Screen Capture – Data theft includes screenshots as part of system information; ‘screenshots’ are among the stolen data.
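The two behaviours above that leave the clearest host-side trail are the hollowing of AppLaunch.exe (T1055) and the read of Chrome's credential stores by a process that is not the browser (T1083). The hunting logic below is an added example, not Check Point's or the malware's code; the event records are constructed to resemble a Sysmon Event ID 1 process-creation record and an EDR-style file-read record, and the field names, the list of user-writable parent paths and the "no command-line arguments" heuristic are assumptions chosen for illustration.

```python
"""Hunting heuristics for the AppLaunch.exe hollowing step (T1055) and
non-browser reads of Chrome's credential files (T1083).

Added example. Events are constructed in the style of Sysmon Event ID 1
(Image / ParentImage / CommandLine) and a generic EDR file-read record
(Image / TargetFilename); the field names are assumptions."""
import ntpath

HOLLOW_TARGETS = {"applaunch.exe"}                       # .NET host abused as injection target
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
CHROME_SECRETS = {"login data", "cookies", "local state", "web data"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}           # processes allowed to touch those files


def _norm(path):
    """Normalise separators and case so the matching below is path-style agnostic."""
    return path.replace("/", "\\").lower()


def suspicious_hollow_host(ev):
    """Flag AppLaunch.exe started by a parent in a user-writable directory with no
    arguments. A legitimate ClickOnce launch carries an application manifest argument;
    a hollowed host is started bare, suspended, and filled with foreign sections."""
    image = ntpath.basename(_norm(ev["Image"]))
    parent = _norm(ev["ParentImage"])
    argv = ev.get("CommandLine", "").strip()
    no_args = argv == "" or argv.strip('"').lower().endswith(image)
    return (image in HOLLOW_TARGETS
            and any(p in parent for p in USER_WRITABLE)
            and no_args)


def nonbrowser_chrome_read(ev):
    """Flag reads of Login Data / Cookies / Local State / Web Data under
    ...\\Google\\Chrome\\User Data\\ by anything other than the browser itself."""
    target = _norm(ev["TargetFilename"])
    actor = ntpath.basename(_norm(ev["Image"]))
    in_profile = "\\google\\chrome\\user data\\" in target
    return (in_profile
            and ntpath.basename(target) in CHROME_SECRETS
            and actor not in BROWSER_IMAGES)


def hunt(events):
    """Return (technique, artefact) pairs for every event that trips a heuristic."""
    hits = []
    for ev in events:
        if ev["kind"] == "process" and suspicious_hollow_host(ev):
            hits.append(("T1055", ev["Image"]))
        elif ev["kind"] == "file" and nonbrowser_chrome_read(ev):
            hits.append(("T1083", ev["TargetFilename"]))
    return hits


# Constructed sample telemetry: one bad and one benign record of each kind.
SAMPLE_EVENTS = [
    {"kind": "process",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\OBS-Studio-Setup.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'},
    {"kind": "process",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" C:\Program Files\Vendor\app.application'},
    {"kind": "file",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "file",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for technique, artefact in hunt(SAMPLE_EVENTS):
        print(technique, artefact)
```

Run over the constructed events, the bare AppLaunch.exe spawned from %TEMP% and the AppLaunch.exe read of Login Data are reported, while the ClickOnce launch via dfsvc.exe and chrome.exe's own read of its database are not. The parent-path and no-argument checks are deliberately narrow; a production rule would widen the target list to the other .NET and system hosts commonly used for hollowing and add a tamper check for missing ParentImage fields.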

Indicators of Compromise

  • [File] Chrome data directory and related files – %LOCALAPPDATA%\Google\Chrome\User Data\Default, with the Cookies and Login Data files inside it – used to locate and extract Chrome credentials
  • [Executable] AppLaunch.exe – used by the loader to create a suspended process for injection
  • [DLL] Common Windows DLLs resolved during memory-dump analysis – kernel32.dll, advapi32.dll, user32.dll, msvcrt.dll – used for function resolution of the in-memory code
  • [Other] Exfiltrated data artifacts – environment variables and files exfiltrated via the file grab module (Figure 8 and Figure 9 references in the article)
  • [Wallets] Crypto wallet names observed in the data theft scope – Auvitas, Metamask, Jaxx (examples of targeted wallets)

Read more: https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/