Swiss army knife of information stealers emerges

Rhadamanthys Malware


The developers of the information-stealing malware known as Rhadamanthys are actively improving its features, expanding its information gathering capabilities and also incorporating a plugin system to make it more customizable.

This approach not only turns it into a threat capable of addressing “specific distributor needs,” but also makes it more powerful, Check Point said in a technical deep dive published last week.

Rhadamanthys, first documented by ThreatMon in October 2022, has been sold under the malware-as-a-service (MaaS) model since as early as September 2022 by an actor under the alias ‘kingcrete2022’.

The malware is typically distributed through malicious websites that mirror those of legitimate software and are advertised through Google ads. It can collect a wide range of sensitive information from infected hosts, including data from web browsers, crypto wallets, email clients, VPN and instant messaging apps.

“Rhadamanthys represents a step in the emerging tradition of malware that tries to do as much as possible, and also a demonstration that in the malware industry, having a strong brand is everything,” the Israeli cybersecurity company noted in March 2022.

Subsequent research into the off-the-shelf malware in August revealed a “design and implementation” overlap with the Hidden Bee coin miner.

“The similarity is apparent on many levels: custom executable formats, use of similar virtual file systems, identical paths to some components, reused functions, similar use of steganography, use of LUA scripts, and overall analogous design,” the researchers said in that analysis, which describes the malware’s development as “rapid and continuous.”

At the time of writing, the current working version of Rhadamanthys is 0.5.2, according to the description on the threat actor’s Telegram channel.

Check Point’s analysis of versions 0.5.0 and 0.5.1 reveals a new plugin system that essentially turns it into a Swiss Army knife, signalling a shift toward modularization and customization. It also allows the stealer’s customers to deploy additional tools tailored to their targets.

The stealer components are both active, capable of opening processes and injecting additional payloads designed to facilitate information theft, and passive, designed to search and parse specific files to retrieve stored credentials.

Another notable aspect is the use of a Lua script runner that can load up to 100 Lua scripts to steal as much information as possible from cryptocurrency wallets, email agents, FTP services, note-taking apps, instant messengers, VPNs, two-factor authentication apps and password managers.

Version 0.5.1 goes a step further, adding clipper functionality that alters clipboard data matching wallet addresses in order to redirect cryptocurrency payments to an attacker-controlled wallet, as well as an option to recover Google account cookies, following in the footsteps of Lumma Stealer.
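The clipper behaviour described above can be checked for from the user's side by comparing what was actually copied with what the clipboard holds later. The following is an added example, not code from the article or from Rhadamanthys; the address patterns are loose illustrative regexes, and the clipboard events are constructed rather than read from a live system.

```python
import re

# Loose wallet-address patterns, constructed for illustration (not exhaustive).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the address kind the text looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def detect_swap(copied, current):
    """Compare the text the user copied with the clipboard's current content.
    Returns a finding when an address was silently replaced, else None."""
    kind_copied = classify(copied)
    if kind_copied is None or copied.strip() == current.strip():
        return None  # nothing to protect, or nothing changed
    kind_now = classify(current)
    return {"copied": copied.strip(), "now": current.strip(),
            "kind": kind_now or "unknown", "same_kind": kind_copied == kind_now}

def scan_events(events):
    """events: ("copy", text) for user copy actions, ("poll", text) for
    periodic clipboard reads. A poll that differs from the last user copy of
    an address is reported once as a substitution."""
    last_copied, findings = None, []
    for kind, text in events:
        if kind == "copy":
            last_copied = text
        elif kind == "poll" and last_copied is not None:
            swap = detect_swap(last_copied, text)
            if swap:
                findings.append(swap)
                last_copied = text  # avoid re-reporting the same swap
    return findings

# Constructed sample: two obviously fake legacy-format addresses.
ADDR_A = "1" + "A" * 33
ADDR_B = "1" + "B" * 33
SAMPLE_EVENTS = [
    ("copy", "hello world"), ("poll", "hello world"),
    ("copy", ADDR_A), ("poll", ADDR_A),
    ("poll", ADDR_B),  # clipboard now holds a different address: a swap
    ("poll", ADDR_B),
]
```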

“The author continues to enrich the set of available features and tries to make it not only a stealer, but also a multifunctional bot, by allowing it to load multiple extensions created by a distributor,” said security researcher Aleksandra “Hasherezade” Doniec.

“The added features, such as a keylogger and collecting information about the system, are also a step towards making it a general-purpose spyware.”

AsyncRAT’s code injection in aspnet_compiler.exe

The findings come after Trend Micro detailed new AsyncRAT infection chains that use a legitimate Microsoft process called aspnet_compiler.exe, used for precompiling ASP.NET web applications, to covertly deploy the Remote Access Trojan (RAT) through phishing attacks.

Similar to how Rhadamanthys injects code into running processes, the multi-stage chain culminates in the AsyncRAT payload being injected into a newly spawned aspnet_compiler.exe process, which then contacts a command-and-control (C2) server.

“The AsyncRAT backdoor has different capabilities depending on the embedded configuration,” said security researchers Buddy Tancio, Fe Cureg, and Maria Emreen Viray. “This includes anti-debugging and analysis checks, persistence setup, and keylogging.”

It is also designed to scan certain folders within the application data directory, browser extensions and user data to check for the presence of crypto wallets. Furthermore, the threat actors have been observed relying on Dynamic DNS (DDNS) to deliberately cover their tracks.

“The use of dynamic host servers allows threat actors to seamlessly update their IP addresses, strengthening their ability to remain undetected within the system,” the researchers said.
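The AsyncRAT chain described above leaves two observable signs: aspnet_compiler.exe being spawned by something other than a build tool, and that process then opening a network connection. The following is an added example, not code from the article or from Trend Micro; it runs over constructed Sysmon-style events embedded inline, and the allowlist of expected parent processes is an assumption to tune per environment.

```python
import ntpath

# Constructed, Sysmon-style sample events (not real telemetry). EventId 1 is
# process creation and EventId 3 a network connection, as in Sysmon.
COMPILER = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
SAMPLE_EVENTS = [
    # spawned by a dropper in a user's Temp folder, then calls out: suspicious
    {"EventId": 1, "ProcessId": 4120, "Image": COMPILER,
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"EventId": 3, "ProcessId": 4120, "Image": COMPILER,
     "DestinationHostname": "c2.example-ddns.invalid", "DestinationPort": 443},
    # a genuine build: spawned by MSBuild and never touches the network
    {"EventId": 1, "ProcessId": 5200, "Image": COMPILER,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
]

# Parents from which aspnet_compiler.exe is expected to run (assumption).
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe"}

def analyze(events):
    """Flag aspnet_compiler.exe processes with an unexpected parent, and any
    that open a network connection (a local precompiler rarely needs one)."""
    findings = []
    compiler_pids = set()
    for ev in events:
        if ntpath.basename(ev.get("Image", "")).lower() != "aspnet_compiler.exe":
            continue
        pid = ev["ProcessId"]
        if ev["EventId"] == 1:
            compiler_pids.add(pid)
            parent = ntpath.basename(ev.get("ParentImage", "")).lower()
            if parent not in EXPECTED_PARENTS:
                findings.append({"pid": pid, "reason": "unexpected parent",
                                 "detail": parent})
        elif ev["EventId"] == 3 and pid in compiler_pids:
            dest = f'{ev["DestinationHostname"]}:{ev["DestinationPort"]}'
            findings.append({"pid": pid, "reason": "network connection",
                             "detail": dest})
    return findings

def flagged_pids(events):
    """Set of process IDs with at least one finding."""
    return {f["pid"] for f in analyze(events)}

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```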
