This is part of an elaborate trick to get victims to download a new malware strain, dubbed “Rhadamanthys Stealer,” that is hidden inside what looks like legitimate software. Rhadamanthys is also being spread through spam emails that carry a malicious PDF file. Once it is on a victim’s device, the malware targets crypto wallets and collects vast amounts of data from the victim. This data is surreptitiously sent to a server controlled by the threat actors. Multi-purpose info stealers like Rhadamanthys are not new, but they seem to be growing in popularity. In April 2022, the Cyware Threat Intelligence team discovered a multi-purpose info stealer named FFDroider, which was used to hijack victims’ social media accounts. What sets Rhadamanthys apart is the set of schemes cybercriminals are using to spread it. According to Cyble researchers, the malware is also designed to escape detection.
Phishing Sites Impersonating Reputable Websites
One of the ways the cybercriminals behind Rhadamanthys are spreading it is by creating “convincing” phishing sites that spoof the websites of popular software vendors like Zoom, Bluestacks, Notepad++, and AnyDesk. The threat actors promote these sites through Google Ads, so a victim searching for the software can land on the fake download page instead of the real one. When victims visit the site and try to install the app, Rhadamanthys is secretly installed on their system. Cyble found several domains the threat actors use to spread Rhadamanthys. Most of them pair a brand name with a word like “install” or “download,” and several misspell the brand (anydeslk, anydleslk, istaller, noteepad), which is the typical typosquatting pattern. They include:
bluestacks-install[.]com
zoomus-install[.]com
install-zoom[.]com
install-anydesk[.]com
install-anydeslk[.]com
zoom-meetings-install[.]com
zoom-meetings-download[.]com
anydleslk-download[.]com
zoomvideo-install[.]com
zoom-video-install[.]com
istaller-zoom[.]com
noteepad.hasankahrimanoglu[.]com[.]tr
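Because every domain above either embeds a brand name or a one- or two-character misspelling of it, this campaign’s infrastructure can be caught by a simple lookalike check. The Python script below is an added example, not the article’s or Cyble’s code: it refangs the listed indicators and flags any hostname that carries a brand keyword or a close misspelling outside the vendor’s own domain. The brand keywords, the allowlist of genuine vendor domains (zoom.us, anydesk.com, bluestacks.com, notepad-plus-plus.org) and the edit-distance thresholds are my assumptions; the indicator list is the one from the article.

```python
"""Flag lookalike domains for a few brands, run over the Cyble indicators above."""

# Indicators listed in the article, kept defanged.
CYBLE_DOMAINS = [
    "bluestacks-install[.]com", "zoomus-install[.]com", "install-zoom[.]com",
    "install-anydesk[.]com", "install-anydeslk[.]com", "zoom-meetings-install[.]com",
    "zoom-meetings-download[.]com", "anydleslk-download[.]com", "zoomvideo-install[.]com",
    "zoom-video-install[.]com", "istaller-zoom[.]com",
    "noteepad.hasankahrimanoglu[.]com[.]tr",
]

# Assumed brand keywords and the domains the real vendors use (my allowlist, not the article's).
BRANDS = ("zoom", "anydesk", "bluestacks", "notepad")
ALLOWLIST = ("zoom.us", "anydesk.com", "bluestacks.com", "notepad-plus-plus.org")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as install-zoom[.]com back into a hostname."""
    return ioc.strip().lower().replace("[.]", ".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values catch anydeslk/anydleslk/noteepad-style misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_allowlisted(host: str, allowlist=ALLOWLIST) -> bool:
    """True for the vendor's own domain or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def lookalike_brand(host: str, brands=BRANDS, allowlist=ALLOWLIST):
    """Return the brand a hostname imitates, or None if it is the vendor's own or unrelated."""
    host = refang(host)
    if is_allowlisted(host, allowlist):
        return None
    # Split every DNS label on '-' too, so install-anydeslk yields the token "anydeslk".
    tokens = [t for label in host.split(".") for t in label.split("-") if t]
    for brand in brands:
        # Short brands match only as an exact substring; longer ones tolerate two edits.
        max_dist = 0 if len(brand) < 5 else 2
        for tok in tokens:
            if brand in tok:
                return brand
            if len(tok) >= len(brand) - 2 and levenshtein(tok, brand) <= max_dist:
                return brand
    return None


def triage(iocs):
    """Map each indicator to the brand it spoofs (None for hosts that look unrelated)."""
    return {ioc: lookalike_brand(ioc) for ioc in iocs}


if __name__ == "__main__":
    for ioc, brand in triage(CYBLE_DOMAINS).items():
        print(f"{ioc:45} -> {brand}")
```

All twelve indicators are attributed to a brand and the genuine vendor domains are not. The check is deliberately strict for short brands (a four-letter brand like “zoom” would otherwise collide with ordinary words), so it is best applied to narrow inputs such as newly registered domains or ad landing pages rather than to all DNS traffic.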
Rhadamanthys also carries basic anti-analysis checks. It ensures that only one copy of the info stealer runs on a victim’s system at a time, and it checks whether it is running on a virtual machine (VM). “This check is designed to prevent the malware from being detected and analyzed in a virtual environment. If the malware detects it is running in a controlled environment, it will terminate its execution,” Cyble said in a blog post. The practical consequence for defenders is that a sandbox the malware recognizes as virtual records nothing beyond the check itself, so a clean detonation report on a sample like this is not evidence that it is harmless.
Using Spam Email to Spread Malware
Another way cybercriminals are spreading Rhadamanthys is through a PDF attachment in spam emails. The attachment, named “Statement.pdf,” is passed off as a document containing purchase orders and invoices. The spam email lures victims into opening the malicious attachment, saying, “Endeavour to confirm the correctness of the invoice total and your bank account details.” When victims open the PDF, a message pops up, seemingly from “Adobe Acrobat DC Updater,” offering to download an update or the file. If victims click “Download Update,” a file is saved to their “Downloads” folder. When that file is executed, it runs the Rhadamanthys malware, which steals private information from the victim’s device. Genuine Acrobat updates are delivered by the application itself, never by a prompt inside a document, so an “updater” dialog that appears when a PDF is opened is a sign the document is a lure.
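A first triage step for an attachment like Statement.pdf is to check, before anyone opens it, whether the document carries automatic actions or links. The Python below is an added example, not the article’s or Cyble’s code, and the two PDFs it scans are constructed inline: the lure sample wires a link to a placeholder download URL through an /OpenAction, which is my assumption about how such a prompt could be built, not a description of the real Statement.pdf. It also normalizes the #xx hex escapes that PDF names allow, a common trick for hiding keys such as /JavaScript from naive string matching.

```python
"""Raw-byte triage of a PDF attachment: does it carry actions or links?"""
import re

# PDF keys worth flagging: /OpenAction and /AA run without a click; the rest carry payloads.
SUSPICIOUS_KEYS = ("OpenAction", "AA", "JavaScript", "JS", "Launch", "URI",
                   "SubmitForm", "GoToR", "EmbeddedFile", "RichMedia")

# Constructed sample: a one-page PDF whose link action fires as soon as the document is
# displayed. The action subtype is written as /#55RI (hex escape for /URI) to show the trick.
# The URL and file name are placeholders, not indicators from the campaign.
LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >> endobj
4 0 obj << /S /#55RI /URI (https://updater.example.invalid/update.exe) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 150] /A 4 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names, so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count suspicious keys and pull out link targets from raw PDF bytes."""
    data = normalize_names(data)
    keys = {}
    for key in SUSPICIOUS_KEYS:
        # Word boundary on the right so /JS does not also count /JavaScript.
        n = len(re.findall(rb"/" + key.encode() + rb"(?![A-Za-z])", data))
        if n:
            keys[key] = n
    uris = [u.decode("latin-1") for u in re.findall(rb"/URI\s*\(([^)]*)\)", data)]
    return {"keys": keys, "uris": uris, "suspicious": bool(keys)}


if __name__ == "__main__":
    for name, blob in (("lure", LURE_PDF), ("benign", BENIGN_PDF)):
        print(name, triage_pdf(blob))
```

The lure sample is reported with one /OpenAction, two /URI occurrences (the action subtype and the key) and the extracted download URL; the benign skeleton reports nothing. The caveat is that this only sees uncompressed objects: real documents usually keep dictionaries inside FlateDecode or object streams, so for anything that scores clean here, inflate the streams with a tool such as Didier Stevens’ pdf-parser.py before trusting the result.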
Rhadamanthys Malware Steals a Trove of Information
The Rhadamanthys malware can collect a vast amount of data from a device, including system information such as the computer’s name, hardware specs, keyboard language, time zone, and other details. The malware also “queries the directories of installed browsers on the victim’s machine and searches for browser-related files such as browsing history, bookmarks, cookies, auto-fills, login credentials, etc.,” the Cyble team wrote. The malware targets various browsers, including popular ones like Microsoft Edge, Google Chrome, Mozilla Firefox, Opera, and Brave. Even less common browsers like CocCoc, Sleipnir, and Pale Moon don’t escape the crosshairs of this info stealer. Rhadamanthys also steals data from crypto wallets. It was found to have “specific functionality” to target crypto wallets like Binance, Zcash, WalletWasabi, Armory, Electron, and several others. It can swipe data from popular crypto wallet extensions like Exodus Wallet, MetaMask, and many others, Cyble said. This info stealer also goes after various applications such as popular FTP clients, email clients, password managers, VPN clients, instant messaging apps, and more. It also takes screenshots of the victim’s machine. All this data is forwarded to a command-and-control (C2) server run by the threat actors.
Security Recommendations
Cyble advised users to be cautious of spam emails and suspicious websites. Always verify the legitimacy of emails and websites before opening or downloading anything from them, and avoid downloading pirated software. Also, ensure your operating system and software are updated with the latest security patches. Cyble further recommends using strong passwords and enabling multi-factor authentication across your accounts. Keep in mind, though, that a stealer also takes browser cookies, so an attacker holding a stolen session cookie can use an account without ever seeing a password or MFA prompt; after a confirmed infection, sign out of all sessions and rotate credentials rather than only changing passwords. The creators of Rhadamanthys are making it available to cybercriminals as Malware-as-a-Service (MaaS). MaaS is big on dark web hacker forums, where stealers like RedLine Stealer and Raccoon Stealer are free to download. Stopping any info stealer is about nipping the initial infection vector in the bud. It is important for organizations to use security products that can detect phishing emails and websites, Cyble said. We recommend you use a good antivirus. Check out our guide to the best antivirus solutions for our top picks.