Malware-as-a-Service (MaaS) has been a hot topic recently. This category on the Dark Web includes the eponymous Rhadamanthys, a new malware that is gaining popularity. It steals users’ data and spreads via Google Ads. Cyble analysts conducted a thorough analysis of the virus on their blog.
Hackers mainly use two methods to deliver a payload of malicious code to victims’ computers. The first is method is through carefully created phishing sites pretending to be well-known domains that we use to download softwares such as Zoom, AnyDesk, Notepad++, etc. The addresses we would visit in this case are: bluestacks-install[.]com, zoomus-install[.]com, install-zoom[.]com, install-anydesk[.]com and zoom-meetings-install[.]com. We are often redirected to the above domains by Google Ads. If the user is fooled, they will download the software and then launch it. They may not even realize they are installing a virus. The app is installed, meanwhile in the background, silently, the malware that steals information without the user’s knowledge is installed as well.
The second method is to send phishing emails with malware attached in a PDF file. Upon opening the attachment, we will be prompted to update Adobe via the link provided. Then it works similarly to the first method. We download the .exe file and install the ‘info stealer’ in the background.
Rhadamanthys works like a classic ‘info stealer’ malware. The installation files are shadowed with Python code, and the payload itself is a shellcode compiled with Microsoft Visual C/C++. Once launched, it checks if the malware wasn’t launched on a virtual machine to avoid analysis in secure environments. If this happens, the related processes will be terminated immediately. If, however, the software was launched on the victim’s computer, information such as computer name, user name, system version and other machine data will be collected (WMI queries are used). In addition, browser data is collected – history, bookmarks, cookies, login data and even information from cryptocurrency wallets. Rhadamanthys also reaches out to FTP, VPN, mail and instant messaging clients for data. The stolen information is sent to the C2 server.
Statistically, phishing is the biggest threat for ordinary users. Due to the current global situation, remote working tools have become very popular, hence it is not surprising that this became the weapon of choice to spread the malware. However, let’s remember to be cautious about opening attachments and installing programs from unknown sources or ones we doubt.
Sources:
Rhadamanthys: New Stealer Spreading Through Google Ads
Sneaky New Stealer Woos Corporate Workers Through Fake Zoom Downloads
