Written by ARC Labs contributor, Shannon Mong
Threat Overview
Binary Defense ARC Labs’ threat researchers recently dissected a Rhadamanthys Stealer infection chain to uncover detection opportunities that defenders can leverage to strengthen organizational security. In this analysis, we provide general detection guidance and actionable queries for detecting Rhadamanthys Stealer.
Recent Campaign Insights
Rhadamanthys Stealer surfaced on underground forums in late 2023, advertised as a sophisticated data-stealing malware attributed to Russian threat actors. Primarily distributed through phishing emails and SEO poisoning of legitimate software downloads like Zoom and Notepad++, this stealer has shown versatility in initial access techniques.
In a recent campaign, attackers crafted phishing emails posing as prominent Israeli business newspapers, “Calcalist” and “Mako.” Using social engineering tactics, the emails urged recipients to respond to fabricated urgent requests, creating a sense of authenticity.
Infection Chain Analysis
Upon execution, Rhadamanthys Stealer initiates with the following command to gain system access:
"cmd.exe" /k move Almost Almost.cmd & Almost.cmd & exit
This command uses move to rename the extensionless dropped file "Almost" to "Almost.cmd" and then executes it in the same command line. Because the payload only receives its executable .cmd extension at run time, the approach reduces the chance that the dropped file is flagged on disk. "Almost.cmd" in turn contains obfuscated code that drives the stealer's operations.
Discovery Tactics
The stealer uses tasklist.exe to enumerate current active processes, and findstr.exe to check for specific security software. Commands like the following illustrate this discovery process:
findstr /I "wrsa.exe opssvc.exe"
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
These commands search the process list for the names of security products so that the malware knows which defenses are present. A related command, findstr /V "ZealandInvitationMonoMessage" Import, uses the /V switch to output only the lines of the file Import that do not contain that string, stripping filler lines from the file's contents.
By using legitimate Windows applications like findstr.exe and tasklist.exe, attackers evade initial suspicion while determining the presence of security software on the system.
Payload Deployment
Next, cmd.exe creates a directory named 561944 and assembles a file named internet.pif:
cmd /c md 561944
cmd /c copy /b ..\Reports + ..\Ontario + ..\Contacting + ..\Midlands + ..\Guestbook + ..\Placement + ..\Patricia + ..\Saving + ..\Addition + ..\Publisher + ..\Machine[…]
The copy /b command concatenates the fragments in binary mode into a single file, so no individual dropped file contains the complete payload and signature-based scanning of the pieces is less likely to succeed. After creation, internet.pif launches a secondary file, InnoWave.pif, which analysis identified as a renamed AutoIt3.exe. AutoIt, typically used for script automation, here serves to run the stealer's code on the victim's machine.
Process Injection
Process injection is employed to camouflage malicious processes: the payload is injected into OpenWith.exe, with the VirtualProtect API used to change the memory protections of the target region.
Once injected, OpenWith.exe runs OOBE-Maintenance.exe to access sensitive information, including browser and login data, and to capture screenshots. Because this program is a legitimate part of the Windows setup suite, its activity draws less scrutiny and disguises the malicious behavior.
Command-and-Control Communication
OOBE-Maintenance.exe reaches out to an IP address, 144.76.133[.]166, via port 8034, which ARC Labs confirmed as part of a Rhadamanthys Command-and-Control server. The malware then uses wmpnscfg.exe, a Windows Media Player process, to monitor keystrokes and maintain covert exfiltration of data via dllhost.exe.
Detection Guidance
Defenders can detect Rhadamanthys Stealer by monitoring for the process executions and network connections noted above: cmd.exe command lines that move a file to a .cmd name and execute it in the same line, tasklist.exe output piped to findstr.exe with security product process names, copy /b command lines that concatenate many fragments into one file, execution of .pif files, OpenWith.exe spawning OOBE-Maintenance.exe, and outbound connections from OOBE-Maintenance.exe, in particular to 144.76.133[.]166 on port 8034.
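The following script is an added example, not code from the ARC Labs write-up, that turns the indicators above into detection logic and runs it over constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records. The event records, the file paths and the RecordId field are invented sample data; the command lines, process names, security product names and the C2 endpoint are taken from the analysis. The rules generalize slightly beyond the specific case (any "move X Y.cmd & Y.cmd" pattern, any copy /b with several fragments, any .pif execution) so they would also catch variants that change the file names.

```python
"""Constructed detection logic for the Rhadamanthys process tree described above."""
import re
from typing import Dict, List, Tuple

# Security product process names the stealer's findstr commands look for (from the analysis)
SECURITY_PROCS = {
    "wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
    "bdservicehost.exe", "ekrn.exe", "nswscsvc.exe", "sophoshealth.exe",
}
MIN_SECURITY_NAMES = 2                      # both observed findstr commands name at least two
C2_IP, C2_PORT = "144.76.133.166", 8034     # C2 endpoint reported in the analysis

# "move X Y.cmd & Y.cmd": a file is renamed to .cmd and executed in the same cmd.exe line
MOVE_EXEC = re.compile(r"move\s+\S+\s+(\S+\.cmd)\s*&\s*\1\b", re.IGNORECASE)
# "copy /b a + b + c ... dest" with three or more fragments: payload reassembly
COPY_CONCAT = re.compile(r"copy\s+/b\s+(\S+\s*\+\s*){2,}\S+", re.IGNORECASE)


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict) -> List[str]:
    """Rules for a process-creation event; returns the names of the rules that fire."""
    hits = []
    img = base(ev.get("Image", ""))
    cl = ev.get("CommandLine", "")
    parent = base(ev.get("ParentImage", ""))
    if img == "cmd.exe" and MOVE_EXEC.search(cl):
        hits.append("cmd_move_rename_execute")
    if img == "cmd.exe" and COPY_CONCAT.search(cl):
        hits.append("copy_b_payload_reassembly")
    if img == "findstr.exe":
        # tokens carry the surrounding quotes of the search string; strip them before matching
        tokens = {t.strip('"').lower() for t in cl.split()}
        if "/i" in tokens and len(tokens & SECURITY_PROCS) >= MIN_SECURITY_NAMES:
            hits.append("findstr_security_product_discovery")
    if img.endswith(".pif"):
        hits.append("pif_execution")
    if img == "oobe-maintenance.exe" and parent == "openwith.exe":
        hits.append("openwith_spawns_oobe_maintenance")
    return hits


def check_network(ev: Dict) -> List[str]:
    """Rules for a network-connection event."""
    hits = []
    if ev.get("DestinationIp") == C2_IP and ev.get("DestinationPort") == C2_PORT:
        hits.append("known_rhadamanthys_c2")
    # setup tooling has no business initiating outbound connections
    if base(ev.get("Image", "")) == "oobe-maintenance.exe" and ev.get("Initiated", False):
        hits.append("oobe_maintenance_outbound")
    return hits


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule name, RecordId) for every rule that fires on every event."""
    findings = []
    for ev in events:
        rules = check_process(ev) if ev["EventID"] == 1 else check_network(ev)
        findings.extend((rule, ev["RecordId"]) for rule in rules)
    return findings


# Constructed sample telemetry: the infection chain plus two benign events (7 and 8).
EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"cmd.exe" /k move Almost Almost.cmd & Almost.cmd & exit'},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\findstr.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"'},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy /b ..\Reports + ..\Ontario + ..\Contacting + ..\Midlands internet.pif"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\561944\internet.pif",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "internet.pif"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\oobe\OOBE-Maintenance.exe",
     "ParentImage": r"C:\Windows\System32\OpenWith.exe", "CommandLine": "OOBE-Maintenance.exe"},
    {"RecordId": 6, "EventID": 3, "Image": r"C:\Windows\System32\oobe\OOBE-Maintenance.exe",
     "DestinationIp": "144.76.133.166", "DestinationPort": 8034, "Initiated": True},
    {"RecordId": 7, "EventID": 1, "Image": r"C:\Windows\System32\findstr.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": 'findstr /I "notepad.exe"'},
    {"RecordId": 8, "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": True},
]

if __name__ == "__main__":
    for rule, record in detect(EVENTS):
        print(f"record {record}: {rule}")
```

Each rule is deliberately narrow enough to run on its own as a SIEM query (the findstr rule needs the /I switch and at least two of the product names; the network rule for OOBE-Maintenance.exe only fires on connections the process initiated), and correlating two or more hits on the same host within a short window gives a high-confidence alert on this chain.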
Additional Sources
https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys