
The developers of the information-stealing malware known as Rhadamanthys are actively iterating on its functionality, expanding its information-gathering capabilities and incorporating a plug-in system to make it more customizable.
This approach not only transforms it into a threat that meets “specific dealer needs,” but also makes it more effective, Check Point said in a technical deep dive published last week.
Rhadamanthys was first documented by ThreatMon in October 2022. As early as September 2022, an actor using the pseudonym “kingcrete2022” was selling the malware under a malware-as-a-service (MaaS) model.
The malware is typically distributed through malicious websites that mirror legitimate software and are advertised via Google Ads. It is capable of harvesting a wide range of sensitive information from compromised hosts, including from web browsers, cryptocurrency wallets, email clients, VPNs, and instant messaging applications.
The Israeli cybersecurity company noted in March 2022: “Rhadamanthys represents a step in the emerging tradition of malware trying to do as much as possible and shows that in the malware industry, having a strong brand is everything.”
A subsequent investigation into the off-the-shelf malware in August revealed that its “design and implementation” overlapped with that of the Hidden Bee coin miner.
“The similarities are evident on many levels: custom executable formats, use of similar virtual file systems, identical paths to certain components, reused functionality, similar use of steganography, use of LUA scripts, and an overall similar design,” the researchers said, describing the malware’s development as “rapid and ongoing.”
As of this writing, the current working version of Rhadamanthys is 0.5.2, according to the threat actor’s Telegram channel.
Check Point’s analysis of versions 0.5.0 and 0.5.1 reveals a new plug-in system that effectively makes it more of a Swiss Army knife, signaling a shift toward modularity and customization. This also allows stealer clients to deploy additional tools tailored to their targets.
Stealer components come in two forms: active ones, capable of opening processes and injecting additional payloads designed to facilitate information theft, and passive ones, designed to search for and parse specific files to retrieve saved credentials.
Another noteworthy aspect is the use of a Lua script runner, which can load up to 100 Lua scripts to steal as much information as possible from cryptocurrency wallets, email proxies, FTP services, note-taking apps, instant messaging clients, VPNs, two-factor authentication apps, and password managers.
Version 0.5.1 goes a step further, following in the footsteps of Lumma Stealer, by adding clipper functionality that replaces clipboard data matching a wallet address, thereby diverting cryptocurrency payments to an attacker-controlled wallet, as well as an option to restore Google account cookies.
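The clipper behaviour described above (clipboard contents that match a wallet address being silently replaced with a different address of the same kind) can be caught from the defender's side by remembering what the user last copied and comparing it with what the clipboard holds later. The following is an added illustration of that integrity check and is not code from the Check Point report or from the malware; the address patterns, the event format and the sample events are constructed assumptions.

```python
import re

# Assumption: address formats a clipper typically targets (Bitcoin legacy and bech32, Ethereum).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(value):
    """Return 'btc', 'eth' or None depending on which address pattern the text matches."""
    text = value.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_clipboard_swaps(events):
    """Flag clipper-style replacements in a sequence of clipboard events.

    events: iterable of (timestamp, source, clipboard_text) tuples, where source is
    'copy' (the user explicitly copied this value) or 'poll' (a periodic read of the
    clipboard with no user action). A swap is reported when a polled value is an
    address of the same kind as the one the user copied but differs from it.
    """
    alerts = []
    expected = None  # (address_text, kind) of the last value the user copied
    for ts, source, text in events:
        kind = address_kind(text)
        if source == "copy":
            # The user's own copy action resets the baseline, whatever the content is.
            expected = (text.strip(), kind)
            continue
        if expected is None or expected[1] is None:
            continue  # nothing address-like was copied, so there is nothing to protect
        if kind == expected[1] and text.strip() != expected[0]:
            alerts.append({
                "time": ts,
                "kind": kind,
                "expected": expected[0],
                "observed": text.strip(),
            })
            expected = None  # report each swap once
    return alerts


# Constructed sample events (not real addresses or captured data).
SAMPLE_EVENTS = [
    ("09:00:00", "copy", "0x1111111111111111111111111111111111111111"),
    ("09:00:01", "poll", "0x1111111111111111111111111111111111111111"),  # unchanged: fine
    ("09:00:02", "poll", "0x2222222222222222222222222222222222222222"),  # swapped: alert
    ("09:01:00", "copy", "meeting notes for Tuesday"),                    # baseline reset
    ("09:01:01", "poll", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # no address copied: ignored
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(alert)
```

The check only fires when the replacement is the same kind of address as the original, which is exactly the like-for-like substitution a clipper relies on to go unnoticed; a wallet front end that performs the same comparison at paste time gives the user a chance to abort the transfer.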
Security researcher Aleksandra “Hasherezade” Doniec said: “The author continues to enrich the available feature set in an attempt to make it not just a stealer, but a multipurpose bot, capable of loading multiple extensions created by the distributor.”

“Added functionality, such as keylogger and gathering information about systems, is also a step towards making it a universal spyware.”
AsyncRAT code injected into aspnet_compiler.exe
Trend Micro has detailed a new AsyncRAT infection chain that abuses a legitimate Microsoft process called aspnet_compiler.exe (used to precompile ASP.NET web applications) to covertly deploy a remote access trojan (RAT) via a phishing attack.
Similar to how Rhadamanthys injects code into a running process, the multi-stage infection ultimately injects the AsyncRAT payload into a newly spawned aspnet_compiler.exe process, which then establishes contact with the command-and-control (C2) server.
“The AsyncRAT backdoor also has additional capabilities, depending on the embedded configuration,” said security researchers Buddy Tancio, Fe Cureg and Maria Emreen Viray. “This includes anti-debugging and analysis checks, persistent installation, and keylogging.”
It is also designed to scan specific folders within application directories, browser extensions, and user profiles to check for the presence of crypto wallets. Most importantly, we found that threat actors rely on Dynamic DNS (DDNS) to deliberately obfuscate their activities.
“The use of dynamic hosting servers allows threat actors to seamlessly update their IP addresses, thereby enhancing their ability to remain undetected within the system,” the researchers said.
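Two observable traits follow from the chain described above: aspnet_compiler.exe being launched by a parent that has nothing to do with building ASP.NET applications, and that same process then resolving a dynamic DNS hostname. The following is an added detection example written for this article, not code from the Trend Micro report; the log format, the list of DDNS suffixes, the set of expected parent processes and the sample log lines are all constructed assumptions.

```python
import re

# Assumption: a handful of well-known dynamic DNS provider suffixes; a real deployment
# would load a maintained list.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "dynu.net")

# Assumption: parents from which a build tool like aspnet_compiler.exe is normally started.
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "cmd.exe"}

# Constructed log format: one process-creation or DNS event per line.
PROC_RE = re.compile(r"^(?P<ts>\S+) PROC pid=(?P<pid>\d+) image=(?P<image>.+?) parent=(?P<parent>.+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS pid=(?P<pid>\d+) query=(?P<query>\S+)$")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_ddns(host):
    """True when the host is, or sits under, one of the dynamic DNS provider domains."""
    host = host.lower().rstrip(".")
    return any(host == suffix or host.endswith("." + suffix) for suffix in DDNS_SUFFIXES)


def analyze(lines):
    """Correlate process-creation and DNS events and return a list of findings."""
    image_by_pid = {}
    findings = []
    for line in lines:
        proc = PROC_RE.match(line)
        if proc:
            image = basename(proc["image"])
            parent = basename(proc["parent"])
            image_by_pid[proc["pid"]] = image
            if image == "aspnet_compiler.exe" and parent not in EXPECTED_PARENTS:
                findings.append({"rule": "suspicious_parent", "pid": proc["pid"],
                                 "image": image, "detail": parent, "time": proc["ts"]})
            continue
        dns = DNS_RE.match(line)
        if dns and is_ddns(dns["query"]):
            image = image_by_pid.get(dns["pid"], "unknown")
            findings.append({"rule": "ddns_query", "pid": dns["pid"],
                             "image": image, "detail": dns["query"], "time": dns["ts"]})
    return findings


def correlated_pids(findings):
    """PIDs that triggered both rules: the strongest signal for the chain described."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f["pid"], set()).add(f["rule"])
    return sorted(pid for pid, rules in by_pid.items() if {"suspicious_parent", "ddns_query"} <= rules)


# Constructed sample log lines (not captured telemetry).
SAMPLE_LOG = [
    r"2024-01-10T09:00:01Z PROC pid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe",
    r"2024-01-10T09:00:05Z PROC pid=4188 image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"2024-01-10T09:00:07Z DNS pid=4188 query=update-service.duckdns.org",
    r"2024-01-10T09:05:00Z PROC pid=5001 image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe parent=C:\Program Files\Microsoft Visual Studio\MSBuild.exe",
    r"2024-01-10T09:05:02Z DNS pid=5001 query=api.nuget.org",
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f)
    print("correlated:", correlated_pids(found))
```

Either rule alone produces noise (developers do start build tools from shells, and DDNS has legitimate users), so the example keeps both findings but ranks a process that matches both as the one worth an analyst's time; the DDNS check is what addresses the IP-rotation trick the researchers describe, since the hostname stays constant even when the resolved address changes.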