RHADAMANTHYS: A Comprehensive Examination of an Advanced Stealer Targeting Israeli Users

RHADAMANTHYS is a sophisticated information stealer targeting Israeli users via social engineering and phishing, utilizing a multi-stage infection chain, anti-analysis tricks, and extensive data exfiltration. The campaign, attributed to Russian-speaking actors and offered as MaaS, emphasizes encrypted C2 communications and targeted data theft. #RHADAMANTHYS #MaaS #Calcalist #Mako #Israel

Keypoints

  • Origin: RHADAMANTHYS is believed to be developed by Russian-speaking threat actors and offered as Malware-as-a-Service (MaaS).
  • Attack Vector: Utilizes social engineering tactics, including phishing emails with urgent legal threats.
  • Malicious Components: Involves a Locked RAR archive containing a malicious executable and DLL files.
  • Infection Process: Features a multi-stage infection process with anti-analysis techniques to evade detection.
  • Data Exfiltration: Targets passwords, cryptocurrency data, and system information.
  • Command & Control: Communicates with a primary C2 server using encrypted channels.
  • Mitigation Strategies: Email security, user awareness training, and endpoint protection are recommended.

MITRE Techniques

  • [T1055] Process Injection – RHADAMANTHYS injects its malicious code into legitimate Windows processes.
  • [T1060] Registry Run Keys / Startup Folder – Modifies registry entries for persistence, ensuring the malware runs at startup. “Registry Modification: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate Value: ‘rundll32.exe C:\Users\admin\Documents\FirefoxData.dll,EntryPoint’”
  • [T1213] Data from Information Repositories – Targets sensitive information from web browsers, cryptocurrency wallets, and system files.
  • [T1071] Command and Control – Uses encrypted communications to evade network detection for C2 communication.
  • [T1003] Credential Dumping – Captures keystrokes and extracts saved passwords from browsers.
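The Run-key entry quoted under T1060 (rundll32 loading a DLL from a user's Documents folder, under an asterisk-prefixed value name) is the kind of artifact a triage script can flag generically. The script below is an added example, not code from the article or from the malware analysis: it parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags values that proxy execution through rundll32 with a DLL in a user-writable location, or that use the asterisk prefix. The registry export it runs on is constructed for the example; the value names and the OneDrive/SecurityHealth entries are illustrative.

```python
"""Flag suspicious Run-key persistence entries in a `reg query` export.

Added example for triage; the sample export below is constructed and the
heuristics are generic, not a signature for one specific sample.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output. The *ChromeUpdate line mirrors the shape of the entry quoted above.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    *ChromeUpdate    REG_SZ    rundll32.exe C:\Users\admin\Documents\FirefoxData.dll,EntryPoint
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Paths a standard user can write to: the profile directory or the usual
# environment-variable shortcuts into it.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\|%(?:appdata|localappdata|temp|userprofile)%)", re.I
)

# rundll32[.exe] <dll path>,<entry point>; the path may be quoted.
RUNDLL32_CMD = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*\S+', re.I)


@dataclass
class Finding:
    name: str
    command: str
    reasons: list = field(default_factory=list)


def parse_reg_query(text: str) -> dict:
    """Return {value_name: data} from reg query output (value names without spaces)."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(3).strip()
    return entries


def extract_dll_path(command: str):
    """Return the DLL path if the command is a rundll32 invocation, else None."""
    m = RUNDLL32_CMD.search(command)
    return m.group(1).strip() if m else None


def assess_entry(name: str, command: str) -> list:
    """List the reasons a Run value looks suspicious (empty list = nothing found)."""
    reasons = []
    if name.startswith("*"):
        reasons.append("asterisk-prefixed value name (Safe Mode override syntax, unusual in Run)")
    dll = extract_dll_path(command)
    if dll is not None:
        reasons.append("rundll32 proxy execution")
        if USER_WRITABLE.match(dll):
            reasons.append("DLL loaded from user-writable path")
    return reasons


def find_suspicious(text: str) -> list:
    """Parse the export and return a Finding for every value with at least one reason."""
    findings = []
    for name, command in parse_reg_query(text).items():
        reasons = assess_entry(name, command)
        if reasons:
            findings.append(Finding(name, command, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_REG_QUERY):
        print(f"{f.name}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

A legitimate program started from the profile directory (the OneDrive entry) is deliberately not flagged: the heuristic keys on rundll32 plus a user-writable DLL, which is what distinguishes the quoted entry, rather than on the path alone.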

Indicators of Compromise

  • [IP] C2 address – 103.68.109.208; associated with multiple components (OpenWith.exe, OOBE-Maintenance.exe, dllhost.exe) and used for C2 communications
  • [Port] C2 ports – 443, 1630 – used for encrypted C2 communications
  • [Hash] A7DBBAD8A1CD038E5AB5B3C6B1B312774D808E4B0A2254E8039036972AC8881A – Malicious Executable (תמונות מפרות זכויות יוצרים.exe)
  • [Hash] 48AAA2DEC95537CDF9FC471DBCBB4FF726BE4A0647DBDF6300FA61858C2B0099 – DLL file (msimg32.dll)
  • [Hash] f3291a98446b3a24a7ccd4b44bc05bfd48502179835fe3429f81d211579f5a4b – Support file
  • [File] תמונות מפרות זכויות יוצרים.exe – Malicious Executable
  • [File] msimg32.dll – DLL file dropped by the malware
  • [File] FirefoxData.dll – Dropped component
  • [File] RAR archive attachment – Locked archive containing malicious components
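To put the indicators above to use, a responder typically sweeps endpoint telemetry for the hashes, the C2 address and ports, and the dropped file names. The script below is an added example, not part of the article: it loads the IoCs listed on this page, runs them over a handful of constructed Sysmon-style events (key="value" pairs, a format chosen for the example), and reports which events match. One caveat built into the name check: msimg32.dll is also the name of a legitimate Windows system DLL, so a name match only counts outside the System32 directory, where a side-loaded copy would sit.

```python
"""Sweep constructed endpoint events for the RHADAMANTHYS IoCs listed above.

Added example; the event lines are constructed for illustration and the
destination 203.0.113.10 is a documentation-range address used as benign traffic.
"""
import re

# IoCs from the list above (hash values compared case-insensitively).
IOC_SHA256 = {
    "a7dbbad8a1cd038e5ab5b3c6b1b312774d808e4b0a2254e8039036972ac8881a": "malicious executable",
    "48aaa2dec95537cdf9fc471dbcbb4ff726be4a0647dbdf6300fa61858c2b0099": "msimg32.dll",
    "f3291a98446b3a24a7ccd4b44bc05bfd48502179835fe3429f81d211579f5a4b": "support file",
}
IOC_C2 = {("103.68.109.208", 443), ("103.68.109.208", 1630)}
IOC_FILENAMES = {"msimg32.dll", "firefoxdata.dll", "תמונות מפרות זכויות יוצרים.exe"}

# Legitimate location of the real msimg32.dll; a name match there is not an IoC hit.
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample events (Sysmon-like: network connect, file create, image load, process create).
SAMPLE_EVENTS = [
    'event="NetworkConnect" image="C:\\Windows\\System32\\OpenWith.exe" dst="103.68.109.208" dport="1630"',
    'event="NetworkConnect" image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst="203.0.113.10" dport="443"',
    'event="FileCreate" image="C:\\Program Files\\archiver\\archiver.exe" target="C:\\Users\\admin\\Downloads\\extract\\msimg32.dll"',
    'event="ImageLoad" image="C:\\Windows\\System32\\dllhost.exe" target="C:\\Windows\\System32\\msimg32.dll"',
    'event="ProcessCreate" image="C:\\Users\\admin\\Downloads\\extract\\תמונות מפרות זכויות יוצרים.exe" '
    'sha256="A7DBBAD8A1CD038E5AB5B3C6B1B312774D808E4B0A2254E8039036972AC8881A"',
]

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Parse key="value" pairs into a dict."""
    return dict(KV.findall(line))


def filename_hit(path: str):
    """Return the matched IoC file name, ignoring copies in the System32 directory."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in IOC_FILENAMES and not path.lower().startswith(SYSTEM32):
        return name
    return None


def match_event(ev: dict) -> list:
    """Return the list of IoC hits for one parsed event, in a fixed order."""
    hits = []
    h = ev.get("sha256", "").lower()
    if h in IOC_SHA256:
        hits.append(f"hash:{IOC_SHA256[h]}")
    if ev.get("event") == "NetworkConnect":
        pair = (ev.get("dst"), int(ev.get("dport", "0")))
        if pair in IOC_C2:
            hits.append(f"c2:{pair[0]}:{pair[1]}")
    for key in ("image", "target"):
        path = ev.get(key)
        if path:
            name = filename_hit(path)
            if name:
                hits.append(f"filename:{name}")
    return hits


def scan(lines) -> list:
    """Return (event type, image, hits) for every event with at least one IoC hit."""
    results = []
    for line in lines:
        ev = parse_event(line)
        hits = match_event(ev)
        if hits:
            results.append((ev.get("event"), ev.get("image"), hits))
    return results


if __name__ == "__main__":
    for event_type, image, hits in scan(SAMPLE_EVENTS):
        print(f"{event_type:14} {image}")
        for hit in hits:
            print(f"    {hit}")
```

The port check uses the exact (address, port) pairs from the IoC list; if the address alone is wanted as a hit regardless of port, compare on `dst` only, accepting more noise.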

Read more: https://maordayanofficial.medium.com/rhadamanthys-an-in-depth-analysis-of-a-sophisticated-stealer-targeting-israeli-users-330fbfd68f3b