The developers of the information-stealing malware known as Rhadamanthys are actively changing its features, expanding its information gathering capabilities and adding a plugin system to make it more customizable.
This approach will not only turn it into a threat capable of serving “distributor-specific needs,” but also make it more powerful, Check Point said in a technical deep dive published last week.
Rhadamanthys, first documented by ThreatMon in October 2022, was put up for sale under the malware-as-a-service (MaaS) model in September 2022 by an actor using the alias “kingcrete2022.”
Commonly distributed through malicious websites that mimic genuine software and are advertised through Google ads, the malware is able to harvest large amounts of sensitive information from compromised hosts, including from web browsers, crypto wallets, email clients, VPNs, and instant messaging apps.
“Rhadamanthys represents a step in the emerging tradition of malware that tries to do as much as possible, and also a demonstration that in the business of malware, having a strong brand is everything,” the Israeli cybersecurity firm said in March 2022.
“The similarity can be seen on many levels: custom executable formats, the use of similar virtual filesystems, similar paths to some components, reused functions, similar use of steganography, use of LUA scripts, and general similarity in design,” the researchers said in the new report, which describes the malware’s development as “rapid and ongoing.”
As of writing, the current working version of Rhadamanthys is 0.5.2, per an image posted on the threat actor’s Telegram channel.
Check Point’s review of versions 0.5.0 and 0.5.1 revealed a new plugin system that effectively makes it a Swiss Army knife, showing a shift towards modularization and customization. It also allows the stealer’s customers to deploy additional tools tailored to their targets.
The stealer’s components are both active, capable of opening processes and injecting additional payloads designed to facilitate information theft, and passive, designed to find and parse specific files to retrieve saved credentials.
Another notable aspect is the use of a Lua script runner that can load up to 100 Lua scripts to extract as much information as possible from cryptocurrency wallets, email agents, FTP services, note-taking apps, instant messengers, VPNs, two-factor authentication apps, and password managers.
Version 0.5.1 goes one step further, adding clipper functionality that alters clipboard data matching wallet addresses so that cryptocurrency payments are rerouted to an attacker-controlled wallet, as well as an option to recover Google Account cookies, following in the footsteps of Lumma Stealer.
“The author continues to improve the set of available features, trying to make it not only a stealer but a multipurpose bot, by enabling it to load several extensions made by a distributor,” said security researcher Aleksandra “Hasherezade” Doniec.
“Additional features, such as a keylogger, and collecting information about the system, are also a step towards making it a general purpose spyware.”
Code Injection of AsyncRAT into aspnet_compiler.exe
The findings come as Trend Micro details new AsyncRAT infection chains that abuse a legitimate Microsoft process called aspnet_compiler.exe, which is used for precompiling web applications in ASP.NET, to covertly deploy the remote access trojan (RAT) through phishing attacks.
Similar to how Rhadamanthys injects code into running processes, the multi-stage process ends with the AsyncRAT payload being injected into a newly created aspnet_compiler.exe process, which then establishes contact with a command-and-control (C2) server.
“The AsyncRAT backdoor has other capabilities depending on the embedded configuration,” security researchers Buddy Tancio, Fe Cureg, and Maria Emreen Viray said. “This includes anti-debugging and verification checks, installation persistence, and keylogging.”
It is also designed to scan specific folders within the application directory, browser extensions, and user data to check for the presence of crypto wallets. Furthermore, threat actors have been observed to rely on Dynamic DNS (DDNS) to deliberately obfuscate their activities.
“Using a dynamic host server allows threat actors to seamlessly update their IP addresses, strengthening their ability to remain undetected within the system,” the researchers said.
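The behaviour described above (a build-time tool, aspnet_compiler.exe, opening an outbound connection, often to a dynamic DNS host) can be turned into a simple detection. The following is an added example written for this article, not code from Trend Micro or the article's sources; the telemetry events, the destination hostnames and the short list of DDNS suffixes are constructed assumptions.

```python
import ntpath

# Constructed sample telemetry (not from the article), in a Sysmon-like shape:
# process-creation events keyed by pid and network-connection events for them.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\stage2.exe"},
    {"type": "network_connect", "pid": 4120,
     "dest_host": "example-c2.duckdns.org", "dest_port": 6606},
    {"type": "process_create", "pid": 5001,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "network_connect", "pid": 5001,
     "dest_host": "update.example.net", "dest_port": 443},
]

# Assumed short list of dynamic DNS provider suffixes; a real deployment would
# use a maintained feed rather than a hard-coded tuple.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")


def is_ddns_host(host: str) -> bool:
    """True if host is, or is a subdomain of, a known dynamic DNS suffix."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DDNS_SUFFIXES)


def find_suspicious_connections(events):
    """Alert on any outbound connection made by aspnet_compiler.exe.

    The compiler has no legitimate reason to open sockets, so any connection is
    worth a medium alert; a DDNS destination raises it to high, since operators
    use dynamic DNS to rotate C2 addresses.
    """
    compiler_procs = {}
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            if ntpath.basename(ev["image"]).lower() == "aspnet_compiler.exe":
                compiler_procs[ev["pid"]] = ev
        elif ev["type"] == "network_connect" and ev["pid"] in compiler_procs:
            ddns = is_ddns_host(ev["dest_host"])
            alerts.append({
                "pid": ev["pid"],
                "parent": compiler_procs[ev["pid"]]["parent"],
                "dest": f'{ev["dest_host"]}:{ev["dest_port"]}',
                "ddns": ddns,
                "severity": "high" if ddns else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_connections(SAMPLE_EVENTS):
        print(alert)
```

The parent process is carried in the alert because a compiler spawned from a user's Temp directory, as in the constructed sample, is itself a strong signal for triage.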