Rhadamanthys v0.5.0 – a deep dive into the stealer’s components – Check Point Research

Rhadamanthys v0.5.0 is a modular information stealer with a broader feature set, including spying capabilities, a plugin system, and a multi-stage loading chain. The Check Point Research deep dive explains how its components load, decrypt, and execute across 32- and 64-bit environments, and how stolen data is exfiltrated to the C2. #Rhadamanthys #KeePassHax

Keypoints

  • The 0.5.0 release expands Rhadamanthys with observer mode, diversified stub construction, and a new plug-in system to tailor usage for distributors.
  • A multi-stage loading chain begins with a rewritten 32-bit initial loader that unpacks and passes configuration to XS1 (Stage 2) modules, enabling downloads of the final stealer stages.
  • The framework adds TLS-based string decoding and TLS storage to hold temporary buffers for deobfuscation, a notable evasion/obfuscation tactic.
  • Raw syscalls and Heaven’s Gate are used to implement cross-bitness execution and bypass hooks, with patches to NTDLL to disable ETW and other monitoring.
  • Stage 3 (XS2) centers on coredll.bin as the main stealer controller, coordinating multiple built-in and Lua-scripted stealers, and supporting .NET components and PowerShell scripts.
  • The malware distinguishes passive (file/profile-based) stealers and active stealers (processes, injections), targeting Chrome, Firefox, KeePass, Telegram, Discord, and more, with a Lua-based extension system and a Clipper plug-in in later versions.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The loader downloads the next package (package #2) with the stealer modules. ‘The loader downloads the next package (package #2) with the stealer modules.’
  • [T1071.001] Web Protocols – The netclient is responsible for connecting to the C2 and downloading the payload. ‘The netclient is responsible for connecting to the C2 and downloading the payload.’
  • [T1041] Exfiltration Over C2 Channel – The results of all the executed stealers are collected and later uploaded to the C2. ‘The results of all the executed stealers are collected in a global structure. They are posted into the queue and later uploaded to the C2.’
  • [T1140] Deobfuscation for Information – TLS-based string handling is used to decode obfuscated data. ‘TLS (Thread Local Storage) for temporary buffers… used, among others, for decoding obfuscated strings.’
  • [T1027] Obfuscated/Compressed Files and Information – Strings are stored obfuscated and decoded at runtime; the article notes that the author chose to obfuscate them in the 0.5.0 release. ‘the author decided to obfuscate them (more details in “String deobfuscation and the use of TLS”).’
  • [T1055] Process Injection – The loader creates a new 32-bit process and implants Stage 2; the alternative entry path injects into a target process via an APC Queue. ‘The loader creates a new 32-bit process, and implants there the Stage 2 module… The alternative entry point leads to the execution of the main function… in the APC Queue of the targeted process, for execution.’ and ‘using the Heaven’s Gate technique.’
  • [T1059] Command and Scripting Interpreter – Rhadamanthys supports multiple scripting languages, including LUA, PowerShell, and .NET plugins. ‘The main module can load up to 100 LUA scripts… PowerShell scripts and plugins… .NET assemblies.’
  • [T1562] Impair Defenses – The malware patches NTDLL to disable Event Tracing for Windows (ETW) and other monitoring. ‘patching NTDLL… disable Event Tracing (ETW)’; ‘EtwEventWrite’ patched to return 0.
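A defender-side check suggested by the ETW-patching entry above, as an added example that is not Check Point's or the malware's code: it classifies the first bytes of a function prologue (such as ntdll!EtwEventWrite) as clean, as a "return zero" stub, or as otherwise modified relative to a caller-supplied baseline captured from a known-clean process or the on-disk image. The stub byte patterns, the sample prologues and the `read_live_prologue` helper are assumptions constructed for this example, not bytes taken from the Rhadamanthys sample.

```python
"""Integrity check for a function prologue such as ntdll!EtwEventWrite.

Added example (not Check Point's code). Rhadamanthys is reported to patch
EtwEventWrite so that it returns 0; a defender can detect that by comparing
the live prologue against a known-good baseline and by flagging well-known
"return immediately" stubs.
"""
import platform
from typing import Optional

# Assumed patterns for a function patched to return 0 without doing work.
# These are constructed for the example, not taken from the malware.
RETURN_ZERO_STUBS = (
    bytes.fromhex("33C0C3"),        # xor eax, eax ; ret         (x86/x64)
    bytes.fromhex("4833C0C3"),      # xor rax, rax ; ret         (x64)
    bytes.fromhex("B800000000C3"),  # mov eax, 0   ; ret         (x86/x64)
    bytes.fromhex("33C0C21400"),    # xor eax, eax ; ret 0x14    (x86 stdcall, 0x14 bytes of args)
    bytes.fromhex("C3"),            # bare ret at the entry point
)


def classify_prologue(live: bytes, reference: Optional[bytes] = None) -> str:
    """Classify the first bytes of a function.

    Returns 'return-zero-stub' if the bytes start with a known stub,
    'modified' if they differ from the supplied baseline (e.g. an inline
    jmp hook), and 'clean' otherwise.
    """
    if not live:
        raise ValueError("no prologue bytes supplied")
    for stub in RETURN_ZERO_STUBS:
        if live.startswith(stub):
            return "return-zero-stub"
    if reference is not None:
        n = min(len(live), len(reference))
        if live[:n] != reference[:n]:
            return "modified"
    return "clean"


def read_live_prologue(length: int = 16) -> Optional[bytes]:
    """Read the first bytes of ntdll!EtwEventWrite in this process.

    Windows only; returns None elsewhere so the module stays importable.
    """
    if platform.system() != "Windows":
        return None
    import ctypes  # imported lazily so non-Windows hosts can still run the classifier
    ntdll = ctypes.WinDLL("ntdll")
    address = ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value
    return ctypes.string_at(address, length)


if __name__ == "__main__":
    # Constructed sample bytes: a baseline prologue, the same prologue
    # overwritten with a return-zero stub, and one overwritten with a jmp hook.
    baseline = bytes.fromhex("4C8BDC4883EC58")
    samples = {
        "unpatched": baseline,
        "return-zero patch": bytes.fromhex("33C0C3") + baseline[3:],
        "jmp hook": bytes.fromhex("E900000000") + baseline[5:],
    }
    for name, prologue in samples.items():
        print(f"{name:18} -> {classify_prologue(prologue, baseline)}")
    live = read_live_prologue()
    if live is not None:
        print("live EtwEventWrite ->", classify_prologue(live))
```

On a Windows host the script also reads its own process's EtwEventWrite; without a baseline it can only report stubs, so for a "modified" verdict capture the reference bytes from a process you trust and pass them as the second argument.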

Indicators of Compromise

  • [File] Targeted modules and payloads – KeePassHax.dll, coredll.bin, netclient.x86.bin, proto_x86.bin, stubmod.bin, taskcore.bin, loader.dll, runtime.dll, phexec.bin, etc.
  • [Process] Injection targets and related executables – L"%Systemroot%\system32\dialer.exe", L"%Systemroot%\system32\openwith.exe", L"%Systemroot%\system32\dllhost.exe", L"%Systemroot%\system32\rundll32.exe"
  • [SQLite] Local databases and data stores used by stealers – cookies.sqlite, places.sqlite, and other SQLite-based data stores referenced by Chrome/Mozilla components
  • [DLL/EXE] KeePassHax.dll and associated loader/stub modules – KeePassHax.dll, stubmod.bin, netclient.x86.bin, proto_x86.bin
  • [Hash] Module hashes (examples) – bb8bbcc948e8dca2e5a0270c41c062a29994a2d9b51e820ed74d9b6e2a01ddcf, 22a67f510dfb7ca822b5720b89cd81abfa5e63fefa1cdc7e266fbcbb0698db33
  • [PE/NS] DLLs and binaries in package #2 – coredll.bin (XS2), KeePassHax.dll, runtime.dll, loader.dll

Read more: https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/