“Defeating Rhysida: Leveraging Advanced Threat Intelligence to Protect Critical Infrastructure from Ransomware”

Rhysida ransomware uses typosquatted domains and SEO poisoning to deliver a backdoor called CleanUpLoader, which is disguised as popular software installers to enable persistence and data exfiltration. Recorded Future’s Network Intelligence can detect victim activity roughly 30 days before public extortion, offering a critical response window. #Rhysida #CleanUpLoader

Keypoints

  • Rhysida first appeared in early 2023 and has continually evolved its tactics.
  • Initial access is achieved via typosquatted domains and SEO poisoning that redirect victims to payload servers.
  • CleanUpLoader is delivered as fake installers (e.g., installers for Microsoft Teams or Google Chrome) and acts as a backdoor for persistence and exfiltration.
  • CleanUpLoader includes multiple built-in C2 domains and communicates with them over HTTPS for redundancy.
  • Recorded Future’s Network Intelligence can identify Rhysida victims on average 30 days before they appear on extortion sites.
  • Primary targets include healthcare, education, and government organizations, affecting both Windows and Linux systems.
  • Recommended defenses include advanced detection rules, network intelligence monitoring, user training, patch management, and secure backups.

MITRE Techniques

  • [T1071] Application Layer Protocol – Used for command-and-control communications over HTTPS; the article also cites it for the initial-access redirection: ‘Communicates with multiple C2 servers via HTTPS for redundancy.’ ‘Utilizes typosquatted domains to trick users into downloading malicious files.’
  • [T1203] Exploitation for Client Execution – CleanUpLoader is delivered disguised as legitimate installers to execute on victims’ machines; ‘Delivers CleanUpLoader disguised as legitimate software installers.’
  • [T1053] Scheduled Task/Job (Persistence) – CleanUpLoader establishes persistence as a backdoor to maintain access; ‘Maintains persistence through CleanUpLoader backdoor.’
  • [T1041] Exfiltration Over C2 Channel – CleanUpLoader exfiltrates data prior to ransomware deployment using its C2 channels; ‘Exfiltrates data before ransomware deployment using CleanUpLoader.’

Indicators of Compromise

  • [Domains] Typosquatted and C2 domains used to host payloads and provide redundancy – categories: typosquatted domains used in the campaigns, multiple CleanUpLoader C2 domains (the article notes they are built in for redundancy), and other C2 domains; no specific domain values are enumerated in this summary.
  • [File names / Binaries] CleanUpLoader backdoor and fake installers – examples: CleanUpLoader, fake installers for Microsoft Teams and Google Chrome.
  • [URLs] Research and report links referenced in the article – examples: https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf, https://www.recordedfuture.com/research/outmaneuvering-rhysida-advanced-threat-intelligence-shields-critical-infrastructure-ransomware

Rhysida’s technical infection chain begins with SEO-poisoned, typosquatted domains that rank in search results and redirect victims to malicious payload servers. Those servers host CleanUpLoader, which is bundled and presented as legitimate software installers (for example, installers mimicking Microsoft Teams or Google Chrome) to increase the likelihood of user execution.

Once executed, CleanUpLoader establishes persistence on the endpoint and creates an HTTPS-based command-and-control channel with multiple hardcoded C2 domains for redundancy. The backdoor is used to harvest and exfiltrate data prior to any ransomware deployment, maintain long-term access across Windows and Linux environments, and sustain operations if one C2 node is disrupted.

Detection and response should focus on search- and web-traffic analytics (to spot SEO-poisoned redirects and typosquatted domains), execution and installer integrity checks (to identify unsigned or suspicious installers impersonating popular apps), and network monitoring for anomalous HTTPS C2 flows. Implementing detection rules for early IOCs, leveraging threat intelligence feeds (such as Recorded Future) to identify infrastructure indicators, enforcing user training against fake installers, maintaining timely patching, and securing offline backups are all critical steps to interrupt Rhysida’s kill chain before encryption occurs.
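As an added illustration of the web-traffic analytics described above (example code, not from the article or Recorded Future), the Python below flags installer downloads from hostnames that imitate the impersonated brands, letting a one-character typosquat through a small edit-distance check. The brand list, the allow-list, the four-field log format and every host under .example are constructed assumptions, not indicators from the report.

```python
import re
from urllib.parse import urlsplit

# Brand labels the fake-installer lures impersonate (report: Microsoft Teams, Google Chrome).
BRANDS = {"microsoft", "teams", "google", "chrome"}
# Legitimate registrable domains; an organisation would maintain this allow-list (assumption).
LEGIT = {"microsoft.com", "google.com"}
INSTALLER_RE = re.compile(r"\.(exe|msi|dmg|deb|rpm|zip)$", re.I)

def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats such as micros0ft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_labels(host):
    """Brand labels that a hostname imitates; empty for the brands' own domains."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in LEGIT):
        return set()
    hits = set()
    for token in re.split(r"[.\-_]", host):
        for brand in BRANDS:
            if token == brand or (len(token) >= 5 and levenshtein(token, brand) <= 1):
                hits.add(brand)
    return hits

def triage(log_lines):
    """Flag installer downloads from brand-lookalike hosts: (host, path, brands)."""
    findings = []
    for line in log_lines:
        _ts, _src, url, _status = line.split()  # constructed format: time src_ip url status
        u = urlsplit(url)
        brands = lookalike_labels(u.hostname or "")
        if brands and INSTALLER_RE.search(u.path):
            findings.append((u.hostname, u.path, sorted(brands)))
    return findings

# Constructed proxy log lines; hosts under .example are fictitious, not indicators from the report.
SAMPLE_LOG = [
    "2024-01-01T10:01:12Z 10.0.0.5 https://www.google.com/chrome/ 200",
    "2024-01-01T10:02:44Z 10.0.0.5 https://dl.micros0ft-teams.example/TeamsSetup.exe 200",
    "2024-01-01T10:03:01Z 10.0.0.7 https://teams.microsoft.com/downloads/ 200",
    "2024-01-01T10:03:30Z 10.0.0.9 https://chrome-update.example/ChromeSetup.msi 200",
]
```

Running `triage(SAMPLE_LOG)` returns the two .example downloads and leaves the genuine microsoft.com and google.com traffic alone; in practice the allow-list would be replaced by a public-suffix-aware check and the findings fed to the SIEM rule set.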

Read more: https://www.recordedfuture.com/research/outmaneuvering-rhysida-advanced-threat-intelligence-shields-critical-infrastructure-ransomware