The infostealer Rhadamanthys has been identified as a significant threat, particularly to cryptocurrency wallets, and is distributed through several channels, including fake software websites promoted via Google Ads and phishing emails. Its anti-analysis techniques make it hard to dissect with conventional tooling. Notably, the downloader component runs much of its logic inside a modified Quake 3 virtual machine (QVM) as an obfuscation layer, marking an evolution in the malware's capabilities. Affected: cryptocurrency wallets, software distribution platforms, phishing victims.
Keypoints :
- The Rhadamanthys malware emerged in late 2022, focusing on cryptocurrency wallets.
- Distribution methods include fake software websites and phishing emails.
- It incorporates advanced anti-analysis techniques and heavy code obfuscation, making it difficult both to analyse and to detect with signatures.
- The downloader component is written mainly in C++ and layers several VM-based obfuscation methods.
- Rhadamanthys embeds a modified Quake 3 VM (QVM) and executes parts of its logic as bytecode for it, so the code cannot be read until the interpreter and its opcode table are understood.
- Investigation revealed that the malware uses custom executable file formats previously seen in the Hidden Bee crypto miner.
- Recent updates add new anti-VM checks and change the way the malware issues system calls.
- Rhadamanthys has shown a tendency to adapt quickly with ongoing updates despite a decline in activity.
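To make the VM-obfuscation point concrete, here is an added, constructed example; it is not Rhadamanthys code and not taken from the Outpost24 analysis. It builds a toy stack machine in the spirit of the Quake 3 QVM, where program logic is bytecode for a private instruction set and the host is reached only through negative CALL targets (q3vm's "syscall" convention). The opcode numbering, byte encoding, trap numbering, XOR key and the "LoadLibraryA" target string are all assumptions made for the demonstration. It shows why a static scan of the downloader's code and data finds no API names, and why recovering the opcode table and writing a disassembler is the analyst's first step.

```python
"""Toy stack VM in the spirit of the Quake 3 QVM (constructed teaching example, not
Rhadamanthys code). Logic and strings live as bytecode and data for a private ISA; the
host is reached only via negative CALL targets ("traps"), so nothing useful is visible
until the interpreter's dispatch loop and trap table have been recovered."""
import struct
from typing import Callable, Dict, List, Tuple

# Opcode numbering and encoding are our own (assumption); names loosely follow q3vm.
OP_HALT, OP_CONST, OP_LOAD1, OP_STORE1, OP_ADD, OP_XOR, OP_JNZ, OP_CALL = range(8)
NAMES = ["HALT", "CONST", "LOAD1", "STORE1", "ADD", "XOR", "JNZ", "CALL"]
WITH_OPERAND = {OP_CONST, OP_JNZ, OP_CALL}  # 1-byte opcode + little-endian int32

def assemble(program: List[Tuple[int, ...]]) -> bytes:
    """Encode (opcode[, operand]) tuples into the VM's byte format."""
    out = bytearray()
    for op, *args in program:
        out.append(op)
        if op in WITH_OPERAND:
            out += struct.pack("<i", args[0])
    return bytes(out)

def disassemble(code: bytes) -> List[str]:
    """Lift bytecode to a listing: the analyst's first step once the opcode table is known."""
    pc, lines = 0, []
    while pc < len(code):
        op, size = code[pc], 5 if code[pc] in WITH_OPERAND else 1
        arg = f" {struct.unpack_from('<i', code, pc + 1)[0]}" if size == 5 else ""
        lines.append(f"{pc:04x} {NAMES[op]}{arg}")
        pc += size
    return lines

class VM:
    def __init__(self, code: bytes, data: bytes, traps: Dict[int, Callable[["VM"], None]]):
        self.code, self.data, self.traps = code, bytearray(data), traps
        self.stack, self.pc = [], 0
        self.log: List[str] = []  # host-side record of every trap, i.e. what a sandbox sees

    def cstring(self, addr: int) -> str:
        return self.data[addr:self.data.index(0, addr)].decode()

    def run(self, max_steps: int = 10_000) -> List[int]:
        for _ in range(max_steps):
            op = self.code[self.pc]
            arg = struct.unpack_from("<i", self.code, self.pc + 1)[0] if op in WITH_OPERAND else 0
            self.pc += 5 if op in WITH_OPERAND else 1
            if op == OP_HALT:
                return self.stack
            if op == OP_CONST:
                self.stack.append(arg)
            elif op == OP_LOAD1:      # pop addr, push data[addr]
                self.stack.append(self.data[self.stack.pop()])
            elif op == OP_STORE1:     # pop value, then addr (q3vm operand order)
                value, addr = self.stack.pop(), self.stack.pop()
                self.data[addr] = value & 0xFF
            elif op in (OP_ADD, OP_XOR):
                b, a = self.stack.pop(), self.stack.pop()
                self.stack.append(a + b if op == OP_ADD else a ^ b)
            elif op == OP_JNZ:
                if self.stack.pop() != 0:
                    self.pc = arg
            elif op == OP_CALL:       # negative target = host trap, as in q3vm
                self.traps[-arg](self)
            else:
                raise ValueError(f"bad opcode {op}")
        raise RuntimeError("step limit reached")

def trap_resolve_api(vm: VM) -> None:
    """Trap 1: pop a data address and 'resolve' the NUL-terminated API name found there.
    Stand-in for a GetProcAddress-like host helper; pushes a fake handle."""
    name = vm.cstring(vm.stack.pop())
    vm.log.append(f"resolve({name})")
    vm.stack.append(0x1000 + len(name))

KEY, API, CTR = 0x5A, b"LoadLibraryA", 64   # assumed key, target name and counter slot

def build_sample() -> Tuple[bytes, bytes]:
    """Constructed program: XOR-decrypt the API name in place, then trap out to resolve it."""
    data = bytearray(128)
    data[:len(API)] = bytes(b ^ KEY for b in API)   # only ciphertext is stored at rest
    program = [
        (OP_CONST, CTR), (OP_LOAD1,),                           # addr = i
        (OP_CONST, CTR), (OP_LOAD1,), (OP_LOAD1,),              # data[i]
        (OP_CONST, KEY), (OP_XOR,), (OP_STORE1,),               # data[i] ^= KEY
        (OP_CONST, CTR), (OP_CONST, CTR), (OP_LOAD1,),
        (OP_CONST, 1), (OP_ADD,), (OP_STORE1,),                 # i += 1
        (OP_CONST, CTR), (OP_LOAD1,), (OP_CONST, -len(API)),
        (OP_ADD,), (OP_JNZ, 0),                                 # loop to offset 0 while i != len
        (OP_CONST, 0), (OP_CALL, -1),                           # handle = resolve(&data[0])
        (OP_HALT,),
    ]
    return assemble(program), bytes(data)

def run_sample() -> Tuple[bytes, bytes, VM]:
    code, data = build_sample()
    vm = VM(code, data, {1: trap_resolve_api})
    vm.run()
    return code, data, vm

if __name__ == "__main__":
    code, data, vm = run_sample()
    print("\n".join(disassemble(code)))
    print("API name visible at rest:", API in code or API in data, "| runtime traps:", vm.log)
```

Running it prints the lifted listing, reports that the API name appears nowhere in the code or data bytes at rest, and shows the name only in the host's trap log once the bytecode has decrypted it. That is the practical lesson of a VM-obfuscated downloader: string and import scanning yield nothing, and either the interpreter must be reverse-engineered far enough to disassemble the bytecode, or the sample must be run and its host-side traps (the real Windows API and syscall layer) instrumented.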
MITRE Techniques :
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (the retired ID T1060 used by this summary maps here). The changes to how the malware issues system calls, cited as evidence in the original summary, are a defense-evasion behaviour and do not by themselves establish persistence.
- T1027 – Obfuscated Files or Information: program logic ships as bytecode for an embedded custom VM, which performs arbitrary operations depending on the parameters passed in. The retired ID T1064 "Scripting" used by this summary does not fit, since no scripting interpreter is involved.
- T1204.002 – User Execution: Malicious File, delivered through T1566 Phishing emails and fake software websites promoted via Google Ads. The lures rely on the victim running the download; no client-side exploit is described, so T1203 (Exploitation for Client Execution) does not apply.
- T1083 – File and Directory Discovery: the VM exposes file-system access to the bytecode, which enumerates and reads files on the victim's machine.
- T1055 – Process Injection: the cited evidence is the use of VirtualProtect to change the page protections of loaded code. On its own that is in-process (reflective) loading rather than injection into another process, so treat this mapping as weak unless a remote-process memory write or thread creation is also observed.
Indicators of Compromise :
- [SHA-256] 0843a128cf164e945e6b99bda50a7bdb2a57b82b65965190f8d3620d4a8cfa2c
- [SHA-256] e915dccc9e65da534932476e8cec4b7e5446dbd022f242e9302ac18d2a041df5
- [SHA-256] 9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae
- [SHA-256] dd4bb5e843a65e4e5a38032d12f19984daad051389853179bd8fdb673db82daf
- [SHA-256] 4b350ae0b85aa7f7818e37e3f02397cd3667af8d62eb3132fb3297bd96a0abe2
Full Story: https://outpost24.com/blog/rhadamanthys-malware-analysis/