    New phishing campaign targets oil and gas with improved data-stealing malware

    By techempire

    Report | April 4, 2024 | Editorial Department | Phishing Attacks/Malware

    An updated version of the information-stealing malware known as Rhadamanthys is being used in phishing campaigns targeting the oil and gas industry.

    “The phishing email used a unique vehicle event lure to deceive the Federal Transportation Agency in a PDF at a later stage in the infection chain, which mentioned a hefty fine for the event,” said Cofense researcher Dylan Duncan.

    The email carries a malicious link that exploits an open redirect flaw to take recipients to a link hosting a purported PDF file, but in reality, the link is an image that, when clicked, downloads a stealer payload ZIP archive.
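
    An added example (not from the article or the Cofense report) of how a mail-triage script could flag links that rely on an open redirect like the one described above: it reports query parameters carrying a URL on a different host than the link itself. The hosts, parameter names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample links (hypothetical hosts, not taken from the campaign).
SAMPLE_LINKS = [
    "https://portal.example.com/redirect?url=https%3A%2F%2Ffiles.example.net%2Fnotice.pdf",
    "https://portal.example.com/out?next=https%253A%252F%252Ffiles.example.net%252Fnotice.pdf",
    "https://portal.example.com/login?next=/dashboard",
    "https://portal.example.com/go?u=https://docs.portal.example.com/help",
]

def _host(url):
    """Hostname of an absolute or scheme-relative http(s) URL, else None."""
    if url.startswith("//"):
        url = "https:" + url
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()

def redirect_targets(url, max_decode=3):
    """Return (parameter, target_host) pairs where a query parameter carries
    a URL on a host other than the one the link itself points to."""
    outer = _host(url)
    if outer is None:
        return []
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decodes once; undo a bounded number of extra encoding layers.
        for _ in range(max_decode):
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        target = _host(value.strip())
        # Same host and its subdomains are treated as internal navigation.
        if target and target != outer and not target.endswith("." + outer):
            findings.append((name, target))
    return findings

def triage(links):
    """Map each link that hides a cross-host redirect to its findings."""
    return {link: hits for link in links if (hits := redirect_targets(link))}

if __name__ == "__main__":
    for link, hits in triage(SAMPLE_LINKS).items():
        print(link, "->", hits)
```

    A flagged link is a reason to inspect the final destination before delivery, not proof of malice, since legitimate services also pass URLs in parameters.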

    Rhadamanthys is written in C++ and is designed to establish connections with command and control (C2) servers in order to obtain sensitive data from infected hosts.

    “This activity emerged within days of law enforcement taking down the LockBit ransomware group,” Duncan said. “While this may be coincidental, Trend Micro disclosed a Rhadamanthys variant in August 2023 that was related to the leaked LockBit payload, bundled with clipper malware and a cryptocurrency miner.”

    “Threat actors added a combination of information stealers and LockBit ransomware variants in a single Rhadamanthys bundle, which may indicate that the malware is evolving,” the company said.

    This development comes amid new stealer malware families such as Sync-Scheduler and robber, even as existing strains like StrelaStealer are evolving as obfuscation and counter-analysis techniques improve.

    There has also been a previous malicious spam campaign targeting Indonesia, which used bank-related lures to spread Agent Tesla malware to exfiltrate sensitive information such as login credentials, financial information and personal documents.

    According to Check Point, Agent Tesla phishing campaigns observed in November 2023 also set their sights on Australia and the United States, with the company attributing the operations to two African-American threat actors, tracked as Bignosa (a.k.a. Nosakhare Godson and Andrei Ivan) and Gods (a.k.a. GODINHO or Kmarshal or Kingsley Fredrick), the latter of whom is a web designer.

    “The main character [Bignosa] appeared to be part of a group carrying out malware and phishing campaigns targeting organizations and individuals, as evidenced by email business databases in the United States and Australia,” the Israeli cybersecurity company said.

    Agent Tesla malware distributed through these attack chains has been found to be protected by Cassandra Protector, which helps protect software programs from reverse engineering or modification efforts. The messages are sent via an open source webmail tool called RoundCube.

    “As you can see from the descriptions of these threat actors’ actions, it doesn’t take any degree in rocket science to run a cybercriminal operation behind one of the most popular malware families of the past few years,” Check Point said.

    “This is an unfortunate occurrence due to the low barrier to entry, so anyone willing to incite victims through spam campaigns to launch malware can do so.”
