Distribution of Rhadamanthys Malware Disguised as a Game Developed with Ren’Py


A Rhadamanthys infostealer campaign was distributed via malicious Ren’Py game bundles hosted on MediaFire, where a launcher and crafted Ren’Py scripts load a malicious package that ultimately injects Rhadamanthys into a .NET process. The campaign leverages Ren’Py’s python-packages import mechanism, uses encoded .key configuration files and decompressed helper executables to run the loader, and has resulted in multiple detections and observable IOCs. #Rhadamanthys #RenPy

Key points

  • Threat actors distributed malicious Ren’Py game archives (ZIP named “Free Download Files.zip”) via MediaFire to lure users into executing a forged game installer.
  • The installer (lnstaIer.exe) loads a legitimate Python script that decompiles archive.rpa to extract and execute a malicious script.rpy which imports a malicious python-package module.
  • The malicious __init__.py module collects environment and system information, decodes a BASE64 .key JSON configuration, and extracts and runs a decompressed helper executable (example: UIS4tq7P.exe) from a created .tmp folder.
  • UIS4tq7P.exe loads iviewers.dll and spawns a .NET child process into which Rhadamanthys is injected, while a fake game loading screen distracts the user.
  • Attackers abused Ren’Py’s supported “python-packages” import behavior to ensure the malicious package is automatically imported when script.rpy runs.
  • Other malware strains (e.g., LummaC2 Infostealer) have been distributed through compromised developer accounts in similar forums, indicating a broader threat to game-sharing communities.
  • Multiple AV detections and several MD5 hashes and malicious URLs have been observed for this campaign, enabling detection and hunt efforts.

MITRE Techniques

  • [T1204] User Execution – Malicious ZIP distributed via MediaFire (“Free Download Files.zip”) persuades users to run lnstaIer.exe as if installing a game. Quote: ‘When a user executes the legitimate executable file “lnstaIer.exe”, this file internally loads the legitimate script “lnstaIer.py”…’
  • [T1036] Masquerading – Malicious content disguised as a legitimate Ren’Py game and legitimate executables (lnstaIer.exe, UIS4tq7P.exe) to appear benign. Quote: ‘This attack disguises itself as a normal game file, but when executed, a malicious loader is activated…’
  • [T1129] Shared Modules – Abuse of Ren’Py “python-packages” import mechanism to automatically import malicious __init__.py from data\python-packages\planner. Quote: ‘the “__init__.py” file in the “data\python-packages\planner” path is imported automatically…’
  • [T1218] Signed Binary Proxy Execution (or Living-off-the-Land) – Use of legitimate helper executable (OLEViewer-like UIS4tq7P.exe) to load iviewers.dll and host injected Rhadamanthys in a spawned .NET process. Quote: ‘When the “UIS4tq7P.exe” file is executed, it loads the “iviewers.dll” file located in the same path and then creates a .NET process as a child process. Afterward, the Rhadamanthys malware is injected into this process.’
  • [T1560] Archive Collected Data (and Decompression) – The attacker stores malicious scripts inside archive.rpa and uses decompression to extract script.rpy and other payloads into a .tmp folder. Quote: ‘a folder named “.tmp” is created, and the compressed file is decompressed.’
  • [T1112] Modify Registry (Environment Discovery/Sandbox Evasion) – Scripts check VM-related process and registry information via file_system.py and sandbox.py to detect virtualized or analysis environments. Quote: ‘file_system.py Script to check VM-related process and registry information (Linked to sandbox.py)’
  • [T1046] Network Service Discovery / [T1016] System Network Configuration Discovery – internet_access.py used to check external internet connection as part of environment checks prior to payload execution. Quote: ‘internet_access.py Script for checking external internet connection’
  • [T1140] Deobfuscate/Decode Files or Information – The .key configuration file is BASE64 decoded and decrypted to obtain execution parameters (file names, passwords). Quote: ‘the “.key” file is found and decoded in BASE64. The file is then decrypted to extract the file name, password, and file name to be executed…’
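The key points and MITRE mapping above describe a loader that Ren’Py imports automatically from a python-packages directory and that reads its parameters from a BASE64-encoded JSON “.key” file. The script below is an added example (not ASEC’s code and not from the report) that triages a downloaded bundle for exactly those two traits: it lists every __init__.py under a python-packages directory, flags import-time capabilities in it, and tries to decode any .key file as BASE64-wrapped JSON. The marker list, the directory layout and the sample .key contents are constructed for the demonstration; the paths data\python-packages\planner and the helper name UIS4tq7P.exe are taken from the report.

```python
"""Triage a downloaded Ren'Py bundle for the loader pattern described above.

Added example, not ASEC's code: it lists every python-packages module that
Ren'Py would import automatically, flags import-time capabilities in each
__init__.py, and tries to read any .key file as BASE64-wrapped JSON. The
marker list, directory layout and sample contents are constructed.
"""
import base64
import json
import os
import re
import tempfile

# Capabilities a loader of this kind needs (decode config, unpack an archive,
# launch a helper, touch the registry). Heuristic markers, not a signature.
SUSPICIOUS_MARKERS = {
    "base64": r"\bbase64\b",
    "subprocess": r"\bsubprocess\b",
    "os.startfile": r"\bos\.startfile\b",
    "ctypes": r"\bctypes\b",
    "archive": r"\b(zipfile|lzma|zlib|py7zr)\b",
    "registry": r"\bwinreg\b",
}


def _rel(path, root):
    """Bundle-relative path with forward slashes, so reports look the same on any OS."""
    return os.path.relpath(path, root).replace("\\", "/")


def find_python_packages(root):
    """Every __init__.py that sits below a 'python-packages' directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parts = dirpath.replace("\\", "/").split("/")
        if "python-packages" in parts and "__init__.py" in files:
            hits.append(os.path.join(dirpath, "__init__.py"))
    return sorted(hits)


def scan_module(path):
    """Names of the markers found in the module source, sorted."""
    with open(path, encoding="utf-8", errors="replace") as f:
        src = f.read()
    return sorted(name for name, pat in SUSPICIOUS_MARKERS.items() if re.search(pat, src))


def decode_key_bytes(raw):
    """Interpret raw bytes as a BASE64-encoded JSON object; None if they are not."""
    try:
        obj = json.loads(base64.b64decode(raw.strip(), validate=True))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None


def triage_bundle(root):
    """Walk the bundle and return {'modules': {...}, 'key_files': {...}}."""
    report = {"modules": {}, "key_files": {}}
    for init in find_python_packages(root):
        report["modules"][_rel(init, root)] = scan_module(init)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".key"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    report["key_files"][_rel(full, root)] = decode_key_bytes(f.read())
    return report


def build_sample_bundle():
    """Constructed bundle mimicking the layout in the report (no payload inside)."""
    root = tempfile.mkdtemp(prefix="renpy_triage_")
    pkg = os.path.join(root, "data", "python-packages", "planner")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "__init__.py"), "w", encoding="utf-8") as f:
        f.write("import base64, json, subprocess\n# constructed stand-in module\n")
    # Constructed stand-in for the .key config: the report says it carries file
    # names and a password; the values here are placeholders.
    cfg = {"exe": "UIS4tq7P.exe", "archive": "PLACEHOLDER.bin", "password": "PLACEHOLDER"}
    with open(os.path.join(root, "data", "config.key"), "wb") as f:
        f.write(base64.b64encode(json.dumps(cfg).encode()))
    return root


if __name__ == "__main__":
    print(json.dumps(triage_bundle(build_sample_bundle()), indent=2))
```

Run it against an unpacked game directory instead of the constructed one by calling `triage_bundle("<path to bundle>")`. A python-packages module that imports base64 plus subprocess or os.startfile at import time, next to a .key file that decodes to JSON naming an executable, is the combination worth pulling into a sandbox; either trait alone is common in legitimate bundles.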

Indicators of Compromise

  • [File Hash] malware samples observed – MD5: 0026aee93b911e3e8588724e30f0816c, 01ff1b158afbe84c8f7fd4fce19d748b (and 3 more hashes)
  • [File Name] artifacts and helper executables – lnstaIer.exe (launcher), UIS4tq7P.exe (decompressed helper/OLEViewer), iviewers.dll (loaded DLL)
  • [Archive Name] distribution archive – “Free Download Files.zip” used on MediaFire to distribute malicious Ren’Py game package
  • [Domain/URL] command or download endpoints associated with campaign – https[:]//146[.]103[.]114[.]25/gateway/bi24namg[.]diqdh, https[:]//api[.]blagomezbart[.]top/gateway/j2ucqiol[.]ccile (and 3 more URLs)
  • [File Type] configuration container – .key (BASE64-encoded JSON configuration holding filenames and passwords)
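The URL indicators above are defanged, so they cannot be matched against logs as written. As an added example (not part of the report), the script below refangs the two listed URLs, splits them into host and path, and runs them over a handful of constructed proxy log lines. Host matches are reported as strong hits; a path match on an unlisted host is reported separately as a weak hit, because “/gateway/…” alone is not distinctive. The log format and every log line are constructed; only the two URLs come from the page.

```python
"""Refang the listed URL IOCs and hunt for them in proxy logs.

Added example, not ASEC's code. The two IOCs are the ones listed above;
the log format and the sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Defanged URLs exactly as listed in the report.
DEFANGED_IOCS = [
    "https[:]//146[.]103[.]114[.]25/gateway/bi24namg[.]diqdh",
    "https[:]//api[.]blagomezbart[.]top/gateway/j2ucqiol[.]ccile",
]


def refang(value):
    """Undo common defanging so the value compares with real log data."""
    return (value.replace("[:]", ":").replace("[.]", ".")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def build_iocs(defanged):
    """Split each IOC into a host set (strong) and a path set (weak)."""
    hosts, paths = set(), set()
    for u in defanged:
        parts = urlsplit(refang(u))
        hosts.add(parts.hostname)
        paths.add(parts.path)
    return hosts, paths


# Constructed proxy log lines: "<time> <client> <method> <url-or-host:port> <status>".
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://www.mediafire.com/file/PLACEHOLDER/Free+Download+Files.zip 200",
    "2024-05-01T10:02:14Z 10.0.0.5 CONNECT api.blagomezbart.top:443 200",
    "2024-05-01T10:02:15Z 10.0.0.5 POST https://api.blagomezbart.top/gateway/j2ucqiol.ccile 200",
    "2024-05-01T10:03:00Z 10.0.0.7 GET https://example.org/gateway/index.html 200",
    "2024-05-01T10:05:41Z 10.0.0.9 POST https://146.103.114.25/gateway/bi24namg.diqdh 200",
]

# A token is either a full URL or a CONNECT-style host:port.
URL_OR_HOSTPORT = re.compile(r"^(?:https?://\S+|[\w.-]+:\d+)$")


def hunt(lines, hosts, paths):
    """Return (kind, indicator, line) for every line touching an IOC."""
    hits = []
    for line in lines:
        for tok in line.split():
            if not URL_OR_HOSTPORT.match(tok):
                continue
            # Give host:port tokens a scheme so urlsplit yields a hostname.
            url = tok if tok.startswith("http") else "https://" + tok
            parts = urlsplit(url)
            if parts.hostname in hosts:
                hits.append(("ioc_host", parts.hostname, line))
            elif parts.path in paths:
                hits.append(("ioc_path_only", parts.path, line))
    return hits


if __name__ == "__main__":
    h, p = build_iocs(DEFANGED_IOCS)
    for kind, indicator, line in hunt(SAMPLE_PROXY_LOG, h, p):
        print(f"{kind:14} {indicator:28} {line}")
```

The MediaFire download line is deliberately not a hit: the report names MediaFire as the distribution channel, but the file host itself is not an indicator, so hunting for the archive should key on the archive name or the hashes rather than the hosting domain.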


Read more: https://asec.ahnlab.com/en/90767/