Keypoints
- Rhadamanthys was distributed via a fake site mimicking legitimate groupware and promoted using search-engine advertising.
- The malware uses an indirect syscall technique: it maps a clean copy of ntdll.dll into its own memory and branches to the `syscall` instruction inside that copy, so calls never pass through the hooked stubs in the ntdll image the loader mapped, and user-mode hooks placed by security products are bypassed.
- It injects code into legitimate Windows processes (e.g., %system32%\dialer.exe, openwith.exe, dllhost.exe, rundll32.exe) and into the Windows Media Player binaries wmpshare.exe and wmpnscfg.exe.
- The primary objective is information theft (infostealer): the malware collects user data and exfiltrates it to a C2 at 147.124.220[.]237 on TCP port 8123.
- AhnLab MDS detects the behavior in sandbox as Injection/MDP.Event.M10231 and flags the sample MD5 9437c89a5f9a51a4ff6d6076083fa6c9.
- The clean ntdll copy is a second ntdll image that the loader does not list, and the syscall returns into memory that belongs to no loaded module; user-mode hooks miss the call, but kernel-side telemetry (ETW Threat Intelligence events, call-stack checks on the syscall return address) still sees it, which is where detection should focus.
- User recognition and detection are hindered because the malware masquerades as a legitimate installer and runs its payload inside native Windows binaries.
MITRE Techniques
- [T1189] Drive-by Compromise – The attacker used a fake site advertised via search-engine ads to expose users to the payload [‘The attacker created a fake site similar to the real site and used the advertising function of the search engine to expose it to users and distribute it.’]
- [T1204] User Execution – Victims are tricked into running the disguised groupware installer downloaded from the fake site [‘Users are tricked into executing the malware by visiting the fake site and downloading the disguised groupware installation program.’]
- [T1027] Obfuscated Files or Information – The indirect syscall path hides which system calls the sample actually makes from user-mode monitoring; T1106 Native API, whose description covers direct and indirect syscalls used to subvert user-mode hooks, is the closer mapping for this behaviour [‘The indirect syscall technique can be considered a form of obfuscation, as it hides the true intent of the system calls from security monitoring tools.’]
- [T1055] Process Injection – Injects malicious code into legitimate Windows system processes to run payloads stealthily [‘The malware injects malicious code into legitimate Windows system programs such as dialer.exe, openwith.exe, dllhost.exe, and rundll32.exe.’]
- [T1036] Masquerading – Disguises the payload as a legitimate groupware installer and runs its code inside normal application binaries to avoid suspicion [‘The malware disguises itself as a legitimate groupware installation program and injects its payload into normal programs in the “C:\Program Files\Windows Media Player” path.’]
- [T1543] Create or Modify System Process – The payload runs inside the Windows system processes it injects into; the report does not describe a service, scheduled task or startup entry for this Windows sample, so the persistence mechanism is unconfirmed and this mapping is tentative.
- [T1056] Input Capture – As an infostealer, it likely captures user inputs and credentials from the infected host [‘Rhadamanthys malware is likely to capture user input, including credentials and other sensitive information.’]
- [T1043] Commonly Used Port – C2 traffic goes to TCP port 8123; T1043 is a retired ATT&CK ID and 8123 is not a standard service port, so a current mapping would use T1571 Non-Standard Port [‘The malware communicates with its C2 server using a commonly used port (8123).’]
- [T1071] Application Layer Protocol (formerly ‘Standard Application Layer Protocol’) – The page states only that C2 runs over TCP or UDP, which are transport protocols; the application-layer protocol is not identified, so this mapping is unconfirmed [‘The malware communicates with its C2 server over TCP or UDP.’]
- [T1070.004] Indicator Removal: File Deletion – May remove files to reduce forensic traces; timestamp modification, if observed, falls under T1070.006 Timestomp [‘The malware may delete files or modify timestamps to avoid detection.’]
- [T1022] Data Encrypted – Stolen data may be encrypted before exfiltration; T1022 is a retired ID, now split into T1560 Archive Collected Data and T1573 Encrypted Channel [‘Stolen data may be encrypted before being exfiltrated to the C2 server.’]
Indicators of Compromise
- [MD5] Sample hash – 9437c89a5f9a51a4ff6d6076083fa6c9
- [C2 IP:Port] Command-and-control server – 147.124.220[.]237:8123
- [Injected process paths] Injection targets – %system32%\dialer.exe, %system32%\rundll32.exe (also %system32%\openwith.exe and %system32%\dllhost.exe)
- [Injection target binaries] Legitimate Windows Media Player executables used as hosts for injected code (not dropped files) – C:\Program Files\Windows Media Player\wmpshare.exe, C:\Program Files\Windows Media Player\wmpnscfg.exe
Rhadamanthys is distributed by hosting a fake groupware installer on a malicious site promoted via search-engine ads; victims download and run the installer (user execution). The payload begins by mapping a clean copy of C:\Windows\System32\ntdll.dll into its process memory, separate from the ntdll image the loader already mapped, which is the copy security products hook. Instead of calling the hooked Nt* stubs, it loads the system call number into the register the stub would have used and branches to the `syscall` instruction inside the clean mapping, so the transition to the kernel happens from code that no user-mode hook touches. User-mode API hooking, which many endpoint sensors still rely on, therefore never sees the call.
After gaining execution, the payload injects into legitimate Windows processes under %SYSTEM32% (dialer.exe, openwith.exe, dllhost.exe, rundll32.exe) and into the Windows Media Player executables under C:\Program Files\Windows Media Player (wmpshare.exe, wmpnscfg.exe), so that its code runs inside trusted Windows binaries. The objective is information theft: the infostealer collects user data and communicates with a C2 at 147.124.220[.]237 on port 8123; the report indicates exfiltrated data may be encrypted and that the malware may delete files to remove indicators.
AhnLab MDS reports the sandbox detection as Injection/MDP.Event.M10231 and gives MD5 9437c89a5f9a51a4ff6d6076083fa6c9 for the observed sample. Defensive focus: block the distribution sites and the ads that lead to them; alert on a process that holds two ntdll images or whose syscalls return to memory outside any loaded module; alert on dialer.exe, openwith.exe, wmpshare.exe and similar binaries being spawned by an installer or holding private executable memory; and block or alert on connections to 147.124.220[.]237:8123.
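The detection points above, as an added worked example that is not AhnLab's code or the sample's own logic. It runs simplified, constructed EDR-style process records through three checks: a second ntdll.dll image that the loader does not list (the clean copy an indirect-syscall implementation maps; it is modelled here as a file-backed image view because the page does not say how the copy is mapped, and a copy read into private memory would surface under the private-executable check instead), private executable memory and a non-%SystemRoot% parent on one of the reported injection targets, and a connection to the reported C2. The installer path in the infected record is a hypothetical name; the page gives no filename.

```python
from dataclasses import dataclass, field
from typing import Optional

# Indicators taken from the report above.
C2_ENDPOINTS = {("147.124.220.237", 8123)}
INJECTION_TARGETS = {"dialer.exe", "openwith.exe", "dllhost.exe", "rundll32.exe",
                     "wmpshare.exe", "wmpnscfg.exe"}
SYSTEM_ROOT = "c:\\windows\\"
EXECUTE_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                       "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class Region:
    base: int
    kind: str                   # "image" (SEC_IMAGE view), "mapped" or "private"
    protect: str
    file: Optional[str] = None  # backing file for image/mapped views


@dataclass
class Process:
    pid: int
    image: str
    parent_image: str
    loaded_modules: dict        # path -> base, as the loader (PEB module list) reports them
    regions: list
    connections: list = field(default_factory=list)  # (remote_ip, remote_port)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def extra_ntdll_views(proc: Process) -> list:
    """Bases of ntdll.dll image views that the loader does not know about.

    A normal process has exactly one ntdll image, the one in the module list.
    A second image view of ntdll.dll is the clean copy an indirect-syscall
    implementation maps so it can jump to an unhooked 'syscall' instruction."""
    loader_bases = {b for p, b in proc.loaded_modules.items() if basename(p) == "ntdll.dll"}
    return [r.base for r in proc.regions
            if r.kind == "image" and r.file and basename(r.file) == "ntdll.dll"
            and r.base not in loader_bases]


def unbacked_executable_regions(proc: Process) -> list:
    """Private (not file-backed) executable regions: the usual home of injected code."""
    return [r.base for r in proc.regions
            if r.kind == "private" and r.protect in EXECUTE_PROTECTIONS]


def suspicious_system_binary_launch(proc: Process) -> bool:
    """One of the reported injection targets started by a parent outside %SystemRoot%."""
    return (basename(proc.image) in INJECTION_TARGETS
            and not proc.parent_image.lower().startswith(SYSTEM_ROOT))


def c2_connections(proc: Process) -> list:
    return [c for c in proc.connections if (c[0], c[1]) in C2_ENDPOINTS]


def evaluate(proc: Process) -> list:
    """Return human-readable alerts for one process record (empty list = clean)."""
    alerts = []
    if (bases := extra_ntdll_views(proc)):
        alerts.append("second ntdll image mapped at " + ", ".join(hex(b) for b in bases))
    if (bases := unbacked_executable_regions(proc)):
        alerts.append("private executable memory at " + ", ".join(hex(b) for b in bases))
    if suspicious_system_binary_launch(proc):
        alerts.append(f"{basename(proc.image)} spawned by {proc.parent_image}")
    if (conns := c2_connections(proc)):
        alerts.append("connection to reported C2 " + ", ".join(f"{ip}:{port}" for ip, port in conns))
    return alerts


# Constructed telemetry; addresses are illustrative. The installer filename is hypothetical.
NTDLL = "C:\\Windows\\System32\\ntdll.dll"
DIALER = "C:\\Windows\\System32\\dialer.exe"

CLEAN_DIALER = Process(
    pid=4120, image=DIALER, parent_image="C:\\Windows\\explorer.exe",
    loaded_modules={DIALER: 0x7FF6A0000000, NTDLL: 0x7FFC10000000},
    regions=[Region(0x7FF6A0000000, "image", "PAGE_EXECUTE_READ", DIALER),
             Region(0x7FFC10000000, "image", "PAGE_EXECUTE_READ", NTDLL),
             Region(0x1A2B0000, "private", "PAGE_READWRITE")],
)

INFECTED_DIALER = Process(
    pid=5388, image=DIALER,
    parent_image="C:\\Users\\user\\Downloads\\groupware_setup.exe",   # hypothetical installer name
    loaded_modules={DIALER: 0x7FF6A0000000, NTDLL: 0x7FFC10000000},
    regions=[Region(0x7FF6A0000000, "image", "PAGE_EXECUTE_READ", DIALER),
             Region(0x7FFC10000000, "image", "PAGE_EXECUTE_READ", NTDLL),
             Region(0x1C4E0000, "image", "PAGE_EXECUTE_READ", NTDLL),      # manually mapped clean copy
             Region(0x2D3F0000, "private", "PAGE_EXECUTE_READWRITE")],     # injected payload
    connections=[("147.124.220.237", 8123)],
)

if __name__ == "__main__":
    for proc in (CLEAN_DIALER, INFECTED_DIALER):
        print(proc.pid, evaluate(proc) or ["no findings"])
```

The second-ntdll check is the one most specific to this sample: an installer spawning dialer.exe or an RWX private region will also fire on plenty of other loaders, whereas two ntdll images in one process has almost no benign explanation. A real sensor would take the same inputs from a memory-region walk (VirtualQueryEx plus the mapped file name) and the PEB module list rather than from constructed records.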
Read more: https://asec.ahnlab.com/ko/63412/