Cyble – Rhadamanthys: New Stealer Spreading Through Google Ads

MITRE Techniques

• [T1598] Spearphishing Attachment – “The Rhadamanthys stealer infection starts through spam emails containing a PDF attachment named “Statement.pdf”…”
• [T1204] User Execution – “When a user clicks the “Download Update” link, it downloads a malware executable from an URL …into the Downloads folder.”
• [T1059] Command and Scripting Interpreter – “The loader “Runtime Broker.exe” is a 32-bit PyInstaller executable…”
• [T1055] Process Injection – “The PE file is then injected into a new “Runtime Broker.exe” process using the CreateThread() API function.”
• [T1218] Rundll32 – “drops a DLL file named “nsis_unsibcfb0.dll” in the %temp% folder and launches it using the “rundll32.exe” with specific parameters…”
• [T1027] Obfuscated Files or Information – “The Binary_Stub_Replacer.pyc is a python compiled file which contains obfuscated raw data…”
• [T1497] Virtualization/Sandbox Evasion – “This check is designed to prevent the malware from being detected and analyzed in a virtual environment. If the malware detects that it is running in a controlled environment, it will terminate its execution.”
• [T1082] System Information Discovery – “The Rhadamanthys stealer now starts collecting system information by executing a series of Windows Management Instrumentation (WMI) queries. The collected information includes the computer name, username, OS version, RAM, CPU information, HWID, time zone, user and keyboard language, and others.”
• [T1083] Discovery File and Directory – “queries the directories of the installed browsers on the victim’s machine and searches for browser-related files such as browsing history, bookmarks, cookies, auto-fills, login credentials, etc.”
• [T1005] Data from Local System – “target the following crypto wallets… data from them” (and related browser data collection)
• [T1114] Email Collection – (listed in the article’s mapping as part of data targets including email clients)
• [T1071] Application Layer Protocol – “sends all the collected stolen information to the attacker’s C&C server” (C2 over application layer)
• [T1095] Non-Application Layer Protocol – (beacon/data exfiltration behavior implied by C2 activity)
• [T1105] Ingress Tool Transfer – (initial download of the loader/executable from a remote URL during infection)