Rhadamanthys Malware Disguised as Groupware Installer Detected by MDS

AhnLab ASEC found Rhadamanthys distributed via a fake groupware installer promoted through search-engine ads, which uses an indirect syscall technique to evade user‑mode hooks and inject into legitimate Windows processes. The payload memory‑maps an unhooked ntdll.dll, performs syscalls from that mapped region, injects into system binaries (e.g., dialer.exe and Windows Media Player components), and acts as an infostealer. #Rhadamanthys #AhnLab

Keypoints

  • Rhadamanthys was distributed via a fake website posing as a groupware installer and promoted through search engine ads.
  • The malware employs an indirect syscall technique to bypass user‑mode API hooks used by security products.
  • It memory‑maps a clean copy of ntdll.dll, writes the syscall stub and syscall number into registers, then branches to the syscall instruction in the mapped ntdll region.
  • Rhadamanthys injects into Windows system processes (e.g., %system32%\dialer.exe, %system32%\rundll32.exe) and later into programs under C:\Program Files\Windows Media Player.
  • The final payload functions as an infostealer, exfiltrating harvested data to a C2 server (147.124.220[.]237:8123).
  • AhnLab MDS detects the behavior as Injection/MDP.Event.M10231 and flags the sample (MD5: 9437c89a5f9a51a4ff6d6076083fa6c9).

MITRE Techniques

  • [T1189] Drive-by Compromise – Distribution via a fake website promoted in search ads to trick users into executing the installer: ‘created a fake website to resemble the original website and exposed the site to the users using the ad feature in search engines.’
  • [T1204.002] User Execution: Malicious File – Users are lured into running the installer downloaded from the fake site, enabling initial execution: ‘distribution of Rhadamanthys under the guise of an installer for groupware.’
  • [T1106] Native API – Malware manipulates native syscall invocation by manually saving the stub and syscall number to registers and calling the syscall in ntdll to evade user‑mode hooks: ‘the stub code and the system call number are manually saved to the register… branches to the address with the syscall command in the ntdll.dll area.’
  • [T1055] Process Injection – The malware injects into legitimate Windows processes to hide and persist its execution: ‘injects itself into the normal Windows system program dialer.exe in the %system32% path’ and targets other system executables.
  • [T1005] Data from Local System – Acts as an infostealer to collect user information from the infected PC: ‘ultimately carries out its role as an infostealer, exfiltrating the user’s information from the PC.’
  • [T1041] Exfiltration Over C2 Channel – Collected data is sent to a remote C2 server and port: ‘C2 147.124.220[.]237:8123.’

Indicators of Compromise

  • [MD5] sample hash – 9437c89a5f9a51a4ff6d6076083fa6c9
  • [C2] command-and-control – 147.124.220[.]237:8123
  • [File path] injection targets – %system32%\dialer.exe, %system32%\rundll32.exe (also targets %system32%\openwith.exe and %system32%\dllhost.exe)
  • [File path] secondary execution targets – C:\Program Files\Windows Media Player\wmpshare.exe, C:\Program Files\Windows Media Player\wmpnscfg.exe
  • [Detection] behavioral/file detections – Injection/MDP.Event.M10231, Trojan/Win.Malware-gen.R637934

Rhadamanthys is spread using a socially engineered fake installer hosted on an impersonating website promoted via search‑engine ads; victims who run the installer begin execution on the host. To avoid detection, the malware opens and memory‑maps an unhooked copy of ntdll.dll from disk, then manually writes the syscall stub and corresponding system call number into CPU registers and branches to the syscall instruction within the mapped ntdll region, thereby bypassing user‑mode API hooks that many security products rely on. After achieving execution, the malware injects into legitimate Windows processes (notably %system32%\dialer.exe, %system32%\rundll32.exe, and others), later propagating execution into programs under C:\Program Files\Windows Media Player (wmpshare.exe, wmpnscfg.exe), and performs information‑stealing actions that exfiltrate collected data to a remote C2 (147.124.220[.]237:8123).
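One way a sandbox or EDR can surface the indirect syscall behaviour described above, as an added example that is not AhnLab's code or MDS detection logic: given a process memory map and per-syscall telemetry (the address of the executed syscall instruction and the return address on the stack), flag syscalls that run from a second, manually mapped ntdll.dll or whose caller sits in unbacked memory. The memory layout, addresses and events are constructed sample data, and the Region/SyscallEvent fields are assumptions about what the tracer provides.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:                # one mapped range of the monitored process (assumed tracer output)
    name: str                # backing file, or "<private>" for unbacked memory
    base: int
    size: int
    loader_image: bool       # True if the image loader mapped it (PEB Ldr list); False for a manual file mapping

@dataclass(frozen=True)
class SyscallEvent:          # one user-to-kernel transition observed by the tracer (assumed fields)
    tid: int
    number: int              # system call number in EAX
    syscall_ip: int          # address of the executed 'syscall' instruction
    stack_ret: int           # return address at [rsp] when 'syscall' runs, i.e. where the trailing 'ret' goes

# Constructed memory map of an illustrative 64-bit process (not a real capture).
MEMORY_MAP = [
    Region("C:\\Windows\\System32\\ntdll.dll", 0x7FFA_0000_0000, 0x200000, True),
    Region("C:\\Windows\\System32\\kernel32.dll", 0x7FFA_1000_0000, 0xC0000, True),
    Region("C:\\Windows\\System32\\ntdll.dll", 0x0000_0200_0000, 0x200000, False),  # second, unhooked copy
    Region("<private>", 0x0000_0150_0000, 0x10000, False),                          # unbacked RWX payload
]

def region_for(addr, regions):
    return next((r for r in regions if r.base <= addr < r.base + r.size), None)

def classify(ev, regions=MEMORY_MAP):
    """Verdict for one syscall event (labels are this example's own, not MDS names)."""
    site = region_for(ev.syscall_ip, regions)
    caller = region_for(ev.stack_ret, regions)
    if site is None or not site.name.lower().endswith("ntdll.dll"):
        return "direct-syscall: syscall instruction outside ntdll.dll"
    if not site.loader_image:
        return "indirect-syscall: syscall instruction in a manually mapped ntdll.dll copy"
    if caller is None or not caller.loader_image:
        return "indirect-syscall: caller return address in unbacked or manually mapped memory"
    return "benign"

def scan(events, regions=MEMORY_MAP):
    """Run classify over a batch and keep only the events that are not benign."""
    return [(ev.tid, ev.number, v) for ev in events if (v := classify(ev, regions)) != "benign"]

# Constructed events: one normal kernel32 call, then the three evasive shapes.
EVENTS = [
    SyscallEvent(1, 0x18, 0x7FFA_0000_1230, 0x7FFA_1000_0A00),  # kernel32 -> loaded ntdll stub
    SyscallEvent(2, 0x18, 0x0000_0200_1230, 0x0000_0150_0040),  # syscall taken from the mapped copy
    SyscallEvent(3, 0x18, 0x0000_0150_0200, 0x0000_0150_0210),  # inline stub inside the payload region
    SyscallEvent(4, 0x18, 0x7FFA_0000_1230, 0x0000_0150_0080),  # jump into loaded ntdll from the payload
]
```

Calling `scan(EVENTS)` returns verdicts for threads 2, 3 and 4 only. The caller-address check also fires on JIT-compiled code (.NET, browsers), so in production it needs an allowlist; the second-ntdll-mapping check is the higher-confidence signal for the technique this sample uses.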

AhnLab’s sandbox (MDS) detects this behavior as Injection/MDP.Event.M10231 and identifies the sample (MD5 9437c89a5f9a51a4ff6d6076083fa6c9), enabling analysts to observe the indirect syscall technique, process injection chain, and data exfiltration to inform defensive measures and detection rules.

Read more: https://asec.ahnlab.com/en/63864/