Thursday, December 5, 2024
spot_img

CopyRh(ight)adamantys: Uncovering a Large-Scale Campaign Using the Latest Version of The Rhadamanthys Stealer: Rhadamanthys.07 – Check Point

spot_img
spot_img
- Advertisement -

Check Point Research recently identified a large-scale phishing campaign using a new version of the infamous Rhadamanthys Stealer, a sophisticated malware designed to extract data from infected machines. The attackers masquerade as various legitimate companies, alleging that victims have committed copyright infringements on their personal Facebook pages. Using falsified Gmail accounts sending emails from these well-known companies, the email addresses and language are customized per each target to inform the victim of their supposed copywriting violation.

In this blog, we explore the phishing campaign, the tactics employed by the attackers, and the updates introduced in the latest version of Rhadamanthys.

Check Point Research Tracks the Use of Rhadamanthys

Throughout 2024, Check Point Research has been monitoring the activities of various threat actors utilizing the Rhadamanthys stealer. Notably, the stealer was used by threat actors Void Manticore, an Iranian group operating in regions like Israel and Albania. In one instance tied to Handala, a hacktivist group linked to Void Manticore, the stealer was distributed under the guise of a software update.

In July 2024, Check Point Research identified a new cluster of activity using an updated version of Rhadamanthys—Rhadamanthys 0.7.

The Malware Attack

The newly identified cluster is characterized by spear-phishing emails from Gmail accounts, allegedly from well-known companies claiming supposed copyright violations. These emails, which appear to come from the legal representatives of the impersonated companies, accuse the recipient of misusing their brand on the target’s social media page and request the removal of specific images and videos. The removal instructions direct recipients to download a file, which triggers the infection and installs the latest version of the Rhadamanthys stealer.

Copyright campaign infection chain

The Use of AI

According to the stealer’s author, the new version includes sophisticated features, including AI engines. However, upon investigation, Check Point Research determined that the malware does not use modern AI engines but much older classic machine learning, typical for OCR (optical character recognition) software.

Interestingly, the attackers likely use automated tools, possibly with AI enhancements, to generate the phishing content and the numerous Gmail accounts required. While most communications are in the recipient’s local language or English, inaccuracies occur—one email directed at an Israeli target was mistakenly written in Korean instead of Hebrew, with only the victim’s name accurately localized.

Phishing email written in Korean mistakenly sent to a target in Israel.

A Global Reach

At the same time that Check Point Research discovered the phishing campaign, Check Point themselves received reports of phishing lures mimicking Check Point-branded emails, indicating further deployment of Rhadamanthys.

The phishing email purports to be from Check Point.

The campaign demonstrates a vast geographic reach, affecting targets across the U.S., Europe, the Middle East, East Asia, and South America. Our observations, however, are limited to our customers who were targeted by the campaign, leading us to believe that this may be part of a much larger operation with potentially far-reaching consequences.

Map of targeted countries according to Check Point’s telemetry.

An alarming aspect of this campaign is the sheer volume of impersonated emails. Our research identified hundreds of phishing attempts targeting various organizations, each email sent from a different address to a different contact.  Nearly 70% of impersonated companies were within the entertainment, media, technology, and software sectors.   This is possibly due to the fact that as those sectors have high online presence and are more likely to send such requests than other sectors. These high-profile sectors also have frequent copyright-related communications, making such phishing attempts appear more credible.

The Attacker Behind CopyRh(ight)adamantys Campaign

Although Rhadamanthys was previously linked to nation-state threat actors, our analysis indicates that it is likely a cybercrime group drives this CopyRh(ight)adamantys campaign. Several factors support this conclusion: the campaign’s broad scope and the use of malware from underground forums point to financial gain as the primary motive rather than espionage or political influence. Also, this campaign lacks the selectivity usually seen in state-sponsored actions, which typically target high-value assets such as government agencies or critical infrastructure.

Conclusion

As we continue to analyze this large-scale phishing campaign, it’s clear that the theme of copyright infringement serves as an effective lure for spreading the Rhadamanthys info stealer due to its credibility of topic. The methods employed in this campaign raise serious concerns about the evolving landscape of phishing threats.

Integrating Check Point’s Threat Emulation, Harmony Endpoint, and Harmony Email and Collaboration offers robust protection against cyber threats. These solutions effectively safeguard organizations from potential breaches and data compromise by delivering thorough coverage of attack tactics and file types and ensuring high-level endpoint security. With comprehensive inline protection against malicious emails, businesses can operate with greater confidence, knowing that their security measures are well-equipped to handle emerging threats.

Check Point customers remain protected from Rhadamanthys stealer with the following protections:

Threat Emulation 

  • InfoStealer.Wins.Rhadamanthys.ta.V
  • InfoStealer.Wins.Rhadamanthys.*

Harmony Endpoint

InfoStealer.Wins.Rhadamanthys.*

Covered By: NCN MAGAZINE / Check Point

If you have an interesting Article / Report/case study to share, please get in touch with us at editors@roymediative.com , roy@roymediative.com98113468469625243429

- Advertisement -
spot_img
spot_img
spot_img