A new information stealer is landing on users’ computers via Google Ads redirects to websites that pose as download sites for popular remote-work software such as Zoom and AnyDesk.
The attackers behind the new strain of Rhadamanthys Stealer, malware sold on the dark web under the malware-as-a-service model, use two delivery methods to propagate their payload, according to Cyble researchers in a blog post published Jan 12.
The first is carefully crafted phishing sites that pose as download pages not only for Zoom but also for AnyDesk, Notepad++ and Bluestacks. The second is more typical phishing emails in which the malware arrives as a malicious attachment, the researchers say.
Both delivery methods pose a threat to the enterprise, as phishing, combined with the gullibility of unsuspecting employees, remains an effective way for attackers to “gain unauthorized access to corporate networks, which has become a serious problem,” they said.
Indeed, Verizon’s annual data breach report found that in 2021 about 82% of all data breaches involved some form of social engineering, with attackers choosing to phish their targets via email more than 60% of the time.
“Very convincing” scam
The researchers uncovered a number of phishing domains created by the attackers to spread Rhadamanthys, most of which mimic legitimate download links for the brands mentioned above. Some of the malicious domains identified include: installing bluestacks[.]com, zoomus-installer[.]com, set-increase[.]com, set-any table[.]com and zoom-meetings-install[.]com.
“The threat actors behind this campaign…created a very convincing phishing webpage posing as legitimate websites to trick users into downloading stealer malware that performs malicious actions,” they wrote.
The researchers say that if users take the bait, the websites deliver a setup file disguised as a legitimate installer for the relevant application, silently installing the stealer in the background without the user’s knowledge.
In the more traditional email arm of the campaign, the attackers use spam messages that rely on a classic social-engineering lever: urgency around a financial matter. The emails claim to deliver an account statement as a Statement.pdf attachment, which recipients are asked to open so they can provide an “immediate response.”
Opening the attachment displays a message claiming to be the “Adobe Acrobat DC Updater” together with a download link titled “Download Update”. Clicking that link downloads the stealer executable from the URL “https[:]\gold display case[.]com/Jan-extract[.]EXE” into the Downloads folder of the victim’s computer, the researchers say.
Once this file is run, the stealer sets about extracting sensitive data such as browser history and account login credentials, with dedicated functionality for crypto wallets, they said.
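The lookalike domains above follow a recognisable pattern: a brand name plus an “install”, “setup” or “meetings” word on an apex domain the vendor does not own. The following is an added example (not code from the Cyble report) that applies that heuristic to web-proxy log lines; the brand allowlist, the lure-word list and the log format are assumptions, and the log lines are constructed.

```python
from urllib.parse import urlparse

# Brands the campaign impersonates (named in the report) mapped to their real
# apex domains; the allowlist is an assumption, extend it for your environment.
LEGIT = {
    "zoom": {"zoom.us"},
    "anydesk": {"anydesk.com"},
    "notepad": {"notepad-plus-plus.org"},
    "bluestacks": {"bluestacks.com"},
}
# Words typosquatters bolt onto a brand name to look like a download page.
LURE_WORDS = ("install", "installer", "setup", "download", "update", "meetings")

def apex(host):
    """Registrable two-label apex; adequate for the .com/.us style TLDs here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def classify_host(host):
    """Return (brand, reason) if host impersonates a brand, else None."""
    h = host.lower()
    for brand, real in LEGIT.items():
        if brand not in h.replace("-", ""):
            continue
        if apex(h) in real:
            return None  # the vendor's own site
        lure = [w for w in LURE_WORDS if w in h]
        reason = "lure-word:" + ",".join(lure) if lure else "brand-outside-apex"
        return brand, reason
    return None

def scan_proxy_log(lines):
    """Yield (timestamp, user, host, brand, reason) for suspicious requests."""
    for line in lines:
        ts, user, url = line.split(maxsplit=2)
        host = urlparse(url).hostname or ""
        hit = classify_host(host)
        if hit:
            yield (ts, user, host) + hit

# Constructed proxy log lines; the lookalike hosts are the ones the report lists.
SAMPLE_LOG = """\
2023-01-12T09:01:10Z alice https://zoom.us/download
2023-01-12T09:02:44Z bob https://zoomus-installer.com/ZoomInstaller.exe
2023-01-12T09:03:02Z carol https://zoom-meetings-install.com/setup.exe
2023-01-12T09:04:51Z dave https://anydesk.com/en/downloads
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

Any host containing a brand string outside the vendor’s apex is reported, so unrelated domains that happen to contain “zoom” will surface as `brand-outside-apex` and need analyst triage.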
The Rhadamanthys payload
Rhadamanthys behaves more or less like a typical information stealer; however, it has some distinctive characteristics that the researchers identified when observing it in action on a victim’s machine.
The researchers found that while the initial installer files are obfuscated Python code, the final payload, decoded from shellcode, is a 32-bit executable compiled with the Microsoft Visual C/C++ compiler.
The shellcode’s first step is to create a mutex object, which ensures that only one copy of the malware runs on the victim’s system at any given time. It also checks whether it is running in a virtual machine, the researchers said, presumably to keep the stealer from being detected and analyzed in a virtual environment.
“If the malware detects that it is running in a controlled environment, it will stop running,” they wrote. “Otherwise, it will continue and carry out the stealer’s activities as intended.”
Those activities begin with collecting system information such as the computer name, user name, operating system version and other details about the machine by running a series of Windows Management Instrumentation (WMI) queries. The malware then queries the directories of installed browsers, including Brave, Edge, Chrome, Firefox, Opera Software and others, on the victim’s computer to find and steal browser history, bookmarks, cookies, autofill data and login credentials.
The stealer also specifically targets various crypto wallets, including Armory, Binance, Bitcoin, ByteCoin, WalletWasabi, Zap and more, and steals data from various cryptocurrency-wallet browser extensions whose names are hard-coded into the stealer’s binary, according to the researchers.
Other applications Rhadamanthys targets include FTP clients, email clients, file managers, password managers, VPN services and email applications. The stealer also takes screenshots of the victim’s machine. Finally, according to the researchers, the malware sends all the stolen data to the attackers’ command-and-control (C2) server.
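One host-side signal that falls out of the behaviour just described is a single process reading the profile data of several different browsers and wallets in quick succession, which no legitimate application does. The following is an added example (not from the Cyble report) that flags such a process from file-read telemetry; the path fragments, the event format and the events themselves are constructed assumptions, and the suspicious image name simply reuses the payload filename the report quotes.

```python
from collections import defaultdict

# Profile/data locations that a stealer reads when harvesting the browsers and
# wallets the report names (assumed path fragments, matched after normalising
# to lowercase forward slashes; not an exhaustive list).
STORE_MARKERS = {
    "chrome": "/google/chrome/user data/", "edge": "/microsoft/edge/user data/",
    "brave": "/bravesoftware/brave-browser/user data/",
    "firefox": "/mozilla/firefox/profiles/", "opera": "/opera software/",
    "armory": "/armory/", "binance": "/binance/", "bitcoin": "/bitcoin/",
    "wasabi": "/walletwasabi/", "zap": "/zap/",
}
# A browser opening its own profile is normal and must not count.
OWN_STORE = {"chrome.exe": "chrome", "msedge.exe": "edge", "brave.exe": "brave",
             "firefox.exe": "firefox", "opera.exe": "opera"}

def store_for_path(path):
    """Return the store name a path belongs to, or None."""
    p = path.replace("\\", "/").lower()
    for name, frag in STORE_MARKERS.items():
        if frag in p:
            return name
    return None

def find_harvesters(events, min_stores=3):
    """Map (pid, image) -> sorted store names for processes that read data from
    at least `min_stores` distinct browsers/wallets other than their own."""
    touched = defaultdict(set)
    for ev in events:
        pid, image, path = ev.split("|", 2)
        name = store_for_path(path)
        if name is None or OWN_STORE.get(image.lower()) == name:
            continue
        touched[(pid, image)].add(name)
    return {k: sorted(v) for k, v in touched.items() if len(v) >= min_stores}

# Constructed file-read events (pid|image|path); the image name for the
# suspicious process is the one the report quotes for the emailed payload.
SAMPLE_EVENTS = [
    r"4120|chrome.exe|C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"5588|Jan-extract.exe|C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"5588|Jan-extract.exe|C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\Cookies",
    r"5588|Jan-extract.exe|C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json",
    r"5588|Jan-extract.exe|C:\Users\u\AppData\Roaming\Armory\wallet.dat",
    r"7001|explorer.exe|C:\Users\u\Documents\report.docx",
]

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_EVENTS))
```

Backup and sync agents can legitimately touch several of these directories, so tune `min_stores` and add such images to an exclusion list before alerting on the result.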
Dangers for the enterprise
Since the pandemic, company employees have generally become more geographically dispersed, creating unique security challenges. Software tools that make it easy for remote workers to collaborate, such as Zoom and AnyDesk, have become popular targets not only for app-related threats but also for social-engineering campaigns by attackers who want to capitalize on these challenges.
And while most corporate employees should know better by now, phishing is still a very effective way for attackers to gain a foothold in a corporate network, the researchers say. For this reason, the Cyble researchers recommend that all companies use security products to detect phishing emails and websites on their networks. According to them, such protection should also extend to mobile devices that have access to corporate networks.
Companies should educate employees about the dangers of opening attachments from untrusted sources, as well as of downloading pirated software from the Internet, the researchers said. They should also stress the importance of using strong passwords and of enabling multi-factor authentication wherever possible.
Finally, the Cyble researchers advised companies to block URLs such as torrent and warez sites that could be used to spread malware.