Rhadamanthys Stealer malware evolves with more powerful features


The developers of the Rhadamanthys information-stealing malware have recently released two major versions that add improvements and enhancements across the board, including new stealing capabilities and enhanced evasion.

Rhadamanthys is a C++ information stealer that first emerged in August 2022, targeting email, FTP, and online banking account credentials.

The stealer is sold to cybercriminals under a subscription model, so it is distributed to targets through a variety of channels, including malvertising, laced torrent downloads, emails, YouTube videos, and more.

Although it initially didn't get much attention in the crowded info-stealer market, Rhadamanthys continued to improve, building on its modular nature to add new features as needed.

Researchers at Check Point have looked into the two latest versions of Rhadamanthys and reported the addition of many changes and features that expand its stealing capabilities and spying functions.

Actively developed malware

Check Point analyzed Rhadamanthys version 0.5.0 and reports that it introduced a new plugin system that allows a higher level of customization for specific distribution needs.

Plugins can add a diverse range of capabilities to the malware while allowing cybercriminals to minimize their footprint by loading only those they need in each case.

The new plugin system indicates a shift towards a more modular and customizable framework, as it allows threat actors to deploy plugins tailored to their targets, counteracting security measures identified during the reconnaissance stage or exploiting specific vulnerabilities.

One plugin bundled with Rhadamanthys is 'Data Spy,' which can monitor for successful login attempts to RDP and capture the victim's credentials.

The 0.5.0 release also brought an improved stub construction and client execution process, fixes to the system that targets cryptocurrency wallets, and fixes to the Discord token acquisition.

Figure: Targeted crypto apps (Check Point)

Other notable improvements include enhanced data stealing from browsers, updated search settings on the user panel, and an option to modify Telegram notifications.

Check Point notes that the malware loader has been rewritten to include anti-analysis checks, an embedded configuration, and a package with modules for the next stage (XS1).

Further analysis revealed the presence of the following modules loaded by XS1, five of which are new in Rhadamanthys version 0.5.0 and focus on evasion.

Figure: Modules loaded by XS1 (Check Point)

The XS1 loader unpacks those modules and establishes communication with the C2 (command and control) server, from where it receives and launches further modules, including passive and active stealers.

Passive stealers are less intrusive info-stealing components that search through directories and monitor applications for sensitive data exchanges, user entries, etc.

Figure: Apps targeted by Rhadamanthys' passive stealers (Check Point)

Active stealers are more invasive and involve keylogging, screen capturing, and code injection into running processes to exfiltrate as much data as possible.

Figure: Apps targeted by the malware's active stealers (Check Point)

During Check Point's analysis of version 0.5.0, the Rhadamanthys operators released version 0.5.1, which is a sign of very active development.

Check Point didn't have the chance to dive deep into the new version of the info-stealer, but the new features announced by the cybercriminals are impressive, even if not yet confirmed.

In short, 0.5.1 introduces:

  • A new Clipper plugin that modifies clipboard data to divert crypto payments to the attacker.
  • Telegram notification options to exfiltrate the wallet password and seed in the exfiltrated ZIP.
  • The ability to retrieve deleted Google Account cookies (first reported here).
  • The ability to evade Windows Defender, including cloud protection, by cleaning its stub.
Figure: Apps targeted by the new Clipper plugin (Check Point)
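The Clipper plugin described above works by replacing a wallet address that the user has copied with one belonging to the attacker. The defensive heuristic below is an added illustration, not Check Point's analysis code and not anything from Rhadamanthys itself: it takes a chronological list of clipboard snapshots and flags the cases where an address-like value is replaced by a different address of the same family within a short window, which is the pattern a clipper produces and a human copying a second address usually does not. The event feed is assumed to come from a clipboard-change listener (for instance a WM_CLIPBOARDUPDATE handler on Windows); the timeline, the addresses and the format-only address patterns are constructed for the example and are not real data or checksum-validated.

```python
import re

# Loose, format-only patterns for two address families a clipper typically
# targets. They check shape only (no checksum), so this is a triage heuristic.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    # bech32 (bc1...) and legacy base58 (1.../3...) addresses are one family here,
    # because a swap from one format to the other is still a swap.
    "btc": re.compile(r"(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
}


def classify_address(text):
    """Return the address family a clipboard value looks like, or None."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return family
    return None


def detect_clipboard_swaps(events, window_seconds=5.0):
    """Flag clipboard updates where an address-like value is replaced by a
    different address of the same family within `window_seconds`.

    `events` is a chronological list of (timestamp_seconds, clipboard_text)
    snapshots, assumed to be recorded by a clipboard-change listener.
    Returns one alert dict per suspected swap.
    """
    alerts = []
    for (prev_ts, prev_text), (ts, text) in zip(events, events[1:]):
        prev_family = classify_address(prev_text)
        family = classify_address(text)
        if prev_family is None or family != prev_family:
            continue  # not an address-for-address replacement
        if prev_text.strip() == text.strip():
            continue  # the same value was copied again; nothing was swapped
        if ts - prev_ts > window_seconds:
            continue  # far apart in time: more likely a deliberate new copy
        alerts.append({
            "at": ts,
            "family": family,
            "expected": prev_text.strip(),
            "observed": text.strip(),
        })
    return alerts


# Constructed sample addresses (format-valid shapes only, not real wallets).
BTC_USER = "1ExampLeAddr4n5pQ7r8s9t2u3v4w5x6y7"
BTC_OTHER = "3AttackerSwapQ7r8s9t2u3v4w5x6y7z8"
BTC_BECH32 = "bc1qexampleaddr0123456789abcdef0123456789ab"
ETH_USER = "0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
ETH_OTHER = "0x" + "deadbeef" * 5

# Constructed clipboard timeline (seconds, content); not captured from a real host.
CLIPBOARD_EVENTS = [
    (0.0, "meeting notes for friday"),
    (12.0, BTC_USER),    # user copies their own BTC address
    (12.4, BTC_OTHER),   # replaced 0.4 s later by a different address: flagged
    (40.0, ETH_USER),    # user copies an ETH address
    (41.0, ETH_OTHER),   # replaced 1 s later: flagged
    (41.5, ETH_OTHER),   # same value again: not flagged
    (90.0, BTC_BECH32),  # user copies a bech32 address
    (300.0, BTC_USER),   # 210 s later, outside the window: not flagged
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(CLIPBOARD_EVENTS):
        print(f"t={alert['at']:.1f}s {alert['family']} address swapped: "
              f"{alert['expected']} -> {alert['observed']}")
```

The window is the tuning knob: a clipper rewrites the clipboard almost immediately after the copy, so a few seconds catches it while leaving a user who copies two addresses minutes apart alone. In a real deployment the check would also want to ignore copies originating from the wallet application itself and to record which process last wrote the clipboard, since that process is the one to investigate.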

The development of Rhadamanthys is moving quickly, with each new version adding features that make the tool more formidable and more inviting to cybercriminals.

It would not be surprising to see threat actors switching to Rhadamanthys as its development evolves.