Rhadamanthys is a two‑component information stealer consisting of a loader and a main module that exfiltrates credentials from KeePass, browsers, VPN clients, chat apps and cryptocurrency wallets. It employs VM‑based obfuscation, a custom embedded file system, and multiple encryption layers, while exposing weaknesses in its network implementation that can be exploited. #Rhadamanthys #HiddenBee
Key Points
- Rhadamanthys comprises a loader and a main module, with the main module responsible for exfiltrating collected credentials.
- The malware uses complex anti‑analysis techniques, including a virtual machine (Quake III VM) to obfuscate code.
- KeePass and cryptocurrency wallets are among the credential sources targeted by Rhadamanthys.
- One loader variant uses a VM to shield protected code blocks, and the malware implements a Hidden Bee format with an embedded file system.
- Both loader and main module feature an embedded file system and a set of embedded modules to support operation.
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – The loader's configuration is stored RC4‑encrypted and is decrypted at runtime before the main module is fetched. “The loader decrypts its configuration using the RC4 algorithm and proceeds with the download process of the main module.”
- [T1497] Virtualization/Sandbox Evasion – One variant uses a virtual machine (Q3VM) to obfuscate code and hide certain details. “one of them, Rhadamanthys uses a virtual machine (Q3VM) in order to obfuscate its code and hide certain code details.”
- [T1055] Process Injection – The loader/injected modules inject or execute code into other processes (e.g., via regsvr32). “Module, which injects code to another process (regsvr32).”
- [T1555.003] Credentials in Password Stores – KeePass credential exfiltration. “KeePassHax – C# module to exfiltrate credentials of password management software KeePass.”
- [T1071.001] Web Protocols – Main module uses WebSocket protocol for C2 communications. “the main module uses the Websocket protocol.”
- [T1041] Exfiltration Over C2 Channel – The main module is delivered over HTTP inside a JPEG image that carries the encrypted payload, which is unpacked through a multi‑layer decryption and decompression process. “The command-and-control server replies with a JPEG image, which contains the (encrypted) main module.”
Indicators of Compromise
- [SHA256 Hash] Rhadamanthys Loader – 3300206b9867c6d9515ad09191e7bf793ad1b42d688b2dbd73ce8d900477392e, aebb1578371dbf62e37c8202d0a3b1e0ecbce8dd8ca3065ab26946e8449d60ae, and 1 more hash
- [URL] Command-and-Control server – hxxp://45[.]66.151.81/blob/xxx.png, hxxp://141[.]98.82.254/blob/is4mlw.suqp, and 1 more URL