Keypoints
- Rhadamanthys is distributed via malvertising and malspam, often targeting searches for popular software (e.g., Notion).
- Sponsored search ads impersonate official sites/logos and rely on redirect chains and URL shorteners to cloak traffic.
- Browser-side JavaScript performs virtual machine/sandbox detection before showing the decoy landing page.
- The landing page offers platform-specific downloads: a Mac Notion.dmg (Atomic Stealer variant) and a Windows dropper with an invalid digital signature.
- The Windows dropper retrieves a Rhadamanthys payload URL from a TextBin paste (the paste showed ~8.5K accesses) and downloads the stealer.
- Rhadamanthys harvests credentials from applications (e.g., PuTTY, WinSCP, mail programs) and communicates with a remote C2 to send/receive data.
MITRE Techniques
- [T1204.002] Malicious Link – Initial infection vector is a deceptive sponsored search ad that lures users to click. (‘Google searches for popular software such as Notion return malicious ads.’)
- [T1090] Proxy/Redirection – Attackers use URL shorteners and redirectors to cloak the ad click and chain through attacker-controlled domains. (‘the threat actor uses a number of redirects to evade detection.’)
- [T1497.001] Virtualization/Sandbox Evasion – JavaScript in the browser checks for virtual machines before displaying the landing page. (‘There is one more check within the browser via JavaScript to detect virtual machines before the actual landing page is displayed to the victim.’)
- [T1105] Ingress Tool Transfer – The dropper downloads the follow-up Rhadamanthys payload from a URL hosted on a paste site. (‘This dropper contacts the paste site TextBin where it retrieves a URL for the followup payload’)
- [T1553.002] Code Signing – The Windows binary is signed but the digital signature is invalid or fake, used to reduce suspicion. (‘The Windows binary is a signed file but its digital signature is not valid.’)
- [T1555] Credentials from Password Stores – Rhadamanthys targets and extracts stored credentials from applications such as PuTTY, WinSCP, and mail programs. (‘Rhadamanthys attempts to steal credentials stored in applications such as PuTTY, WinSCP and mail programs’)
- [T1071.001] Application Layer Protocol (Web) – The stealer reports to a command-and-control server and exchanges data over web protocols. (‘Upon execution, Rhadamanthys reports to its command and control server, sends and receives data.’)
Indicators of Compromise
- [Domains] Malvertising chain and payload hosting – pantovawy.page[.]link, yogapets[.]xyz, and 4 more domains (cerisico[.]net, notione.my-apk[.]com, alternativebehavioralconcepts[.]org, birdarid[.]org).
- [IP Addresses] Hosting and C2 – 185[.]172[.]128[.]169 (dropper host), 185[.]172[.]128[.]170 (Rhadamanthys C2).
- [File Hashes] Dropper and payload hashes – dropper: 6f4a0cc0fa22b66f75f5798d3b259d470beb776d79de2264c2affc0b5fa924a2; Rhadamanthys: e179a9e5d75d56140d11cbd29d92d8137b0a73f964dd3cfd46564ada572a3109 (and 1 more hash).
- [File Names] Delivered artifacts – Notion.dmg (Mac Atomic Stealer variant), @abcmse1.exe / @abcnp.exe (Windows payload paths).
- [Digital Certificate] Code-signing context – The Windows binary presents an invalid/fake signature that names the author of PuTTY as the signer.
Malvertising campaigns impersonate trusted software brands in sponsored search results and use URL shorteners and attacker-controlled redirectors to route victims through multiple hops before landing on a decoy download page. Browser-side JavaScript performs virtual-machine/sandbox checks to avoid analysis, and the final landing page mimics the legitimate site while presenting platform-specific download buttons (Mac: Notion.dmg, Windows: installer executable).
The Windows installer is a dropper (signed with an invalid certificate) that, upon execution, contacts a TextBin paste to retrieve a URL for the Rhadamanthys payload (the unlisted paste showed ~8.5K accesses). The dropper then downloads the follow-up executable from attacker-controlled hosts (examples: yogapets[.]xyz/@abcmse1.exe, birdarid[.]org/@abcnp.exe) and executes the stealer.
Once active, Rhadamanthys harvests credentials from installed applications (notably PuTTY, WinSCP, and mail clients), establishes communication with its command-and-control server (observed C2 185[.]172[.]128[.]170), and exfiltrates collected data. Detection and analysis should focus on the redirect chains, TextBin retrieval activity, the listed hashes, and C2 traffic to identify and contain infections.
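As an added example (not code from the original report), the following Python triage script applies the indicators listed above to constructed proxy-log lines and rates each client on whether it shows the paste-lookup-then-download sequence the dropper exhibits. The log format, the ten-minute window, and the assumption that the paste site's hostname contains "textbin" are mine, not the report's.

```python
from datetime import datetime, timedelta
# Network indicators from the report, refanged from "[.]" form for matching.
IOC_HOSTS = {d.replace("[.]", ".") for d in (
    "pantovawy.page[.]link", "yogapets[.]xyz", "cerisico[.]net",
    "notione.my-apk[.]com", "alternativebehavioralconcepts[.]org",
    "birdarid[.]org", "185[.]172[.]128[.]169")}
C2_IP = "185.172.128.170"
WINDOW = timedelta(minutes=10)  # assumption: paste lookup and download happen minutes apart

def classify(host):
    """Map a destination host to a stage of the chain in the report, or None."""
    if "textbin" in host:  # assumption: the paste site's hostname contains 'textbin'
        return "paste_retrieval"
    if host == C2_IP:
        return "c2_beacon"
    if host in IOC_HOSTS:
        return "payload_download"
    return None

def severity(order, in_window):
    """Paste lookup followed by an IoC download inside WINDOW is the dropper's behaviour."""
    if order[:2] == ["paste_retrieval", "payload_download"] and in_window:
        return "high"
    if "payload_download" in order or "c2_beacon" in order:
        return "medium"  # direct IoC hit without the paste step
    return "low"         # paste-site access alone is common and usually benign

def correlate(lines):
    """Per client, order the stage hits seen in proxy logs and rate the sequence."""
    events = {}
    for line in lines:
        ts, client, host, _path = line.split(" ", 3)
        if stage := classify(host.lower()):
            events.setdefault(client, []).append((datetime.fromisoformat(ts), stage))
    findings = {}
    for client, evs in events.items():
        evs.sort()
        order = list(dict.fromkeys(stage for _, stage in evs))  # first-seen order
        in_window = evs[-1][0] - evs[0][0] <= WINDOW
        findings[client] = {"order": order, "severity": severity(order, in_window)}
    return findings

# Constructed proxy lines '<ISO timestamp> <client> <dest host> <path>': one client follows the full chain, one only reads a paste.
SAMPLE_LOGS = [
    "2024-01-10T09:00:00 10.0.0.5 www.notion.so /desktop",
    "2024-01-10T09:01:10 10.0.0.7 textbin.net /raw/abc123",
    "2024-01-10T09:01:12 10.0.0.7 yogapets.xyz /@abcmse1.exe",
    "2024-01-10T09:01:40 10.0.0.7 185.172.128.170 /",
    "2024-01-10T10:30:00 10.0.0.9 textbin.net /raw/notes",
]
```

Running `correlate(SAMPLE_LOGS)` rates 10.0.0.7 as high (paste, download, then C2 within the window) and 10.0.0.9 as low (paste access only), which is the ordering a hunt over real proxy logs should key on.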