The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including the use of artificial intelligence (AI) for optical character recognition (OCR) in what is called “Seed Phrase Image Recognition.”
“This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies,” Recorded Future’s Insikt Group said in an analysis of version 0.7.0 of the malware.
“The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation.”
First spotted in the wild in September 2022, Rhadamanthys has emerged as one of the most potent information stealers advertised under the Malware-as-a-Service (MaaS) model, alongside Lumma and others.
The malware continues to be active despite being banned from underground forums such as Exploit and XSS for targeting entities in Russia and the former Soviet Union, and its developer, who goes by “kingcrete” (aka “kingcrete2022”), has found ways to sell new releases via Telegram, Jabber and TOX.
The cybersecurity company, which is set to be acquired by Mastercard for $2.65 billion, said the stealer is sold as a subscription for $250 per month (or $550 for 90 days), allowing customers to harvest a wide range of sensitive information from compromised hosts.
This includes system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data stored in various applications while taking steps to complicate sandbox analysis.
Version 0.7.0, the latest version of Rhadamanthys, was released in June 2024 and is a significant improvement over its predecessor, 0.6.0, which was released in February 2024.
It includes “a complete rewrite of both the client-side and server-side frameworks, which improves the program’s execution stability,” Recorded Future noted. “In addition, 30 wallet-cracking algorithms and AI-powered image and PDF recognition for seed phrase extraction have been added. Text extraction capabilities have been enhanced to identify multiple saved phrases.”
Also included is a feature that allows threat actors to run and install Microsoft Software Installer (MSI) files in an apparent attempt to evade detection by security solutions installed on the host. It also contains a setting to prevent re-execution within a configured time window.
Figure: high-level Rhadamanthys infection chain.
A distinctive aspect of Rhadamanthys is its plugin system, which can extend its capabilities with a keylogger, cryptocurrency clipper, and reverse proxy functionality.
“Rhadamanthys is a popular choice for cybercriminals,” Recorded Future said. “Combined with its rapid development and innovative new features, this is a formidable threat that all organizations should be aware of.”
The development comes after Google-owned Mandiant detailed Lumma Stealer’s use of a customized indirect control flow to manipulate the execution of the malware.
“This technique interferes with all binary analysis tools, including IDA Pro and Ghidra, significantly hindering not only the reverse engineering process, but also automation tools designed to capture runtime artifacts and generate detections,” researchers Nino Isakovich and Chuong Dong said.
Rhadamanthys and Lumma, along with other malware families such as Meduza, StealC, Vidar and WhiteSnake, have also been found pushing updates in recent weeks to harvest cookies from the Chrome web browser, effectively bypassing newly introduced security mechanisms such as app-bound encryption.
Additionally, the developers behind WhiteSnake Stealer have added the ability to extract CVC codes from credit cards stored in Chrome, highlighting the ever-evolving nature of the malware landscape.
That’s not all. Researchers have identified an Amadey malware campaign that deploys an AutoIt script, which then launches the victim’s browser in kiosk mode to coerce them into entering their Google account credentials. The login information is saved in the browser’s credential store on disk for later collection by stealers such as StealC.
These continual updates also follow the discovery of new drive-by download campaigns that deliver information stealers by tricking users into manually copying and executing PowerShell code to prove they are human via a bogus CAPTCHA verification page.
As part of the campaign, users searching for video streaming services on Google are redirected to a malicious URL that urges them to press the Windows key + R to open the Run dialog, paste an encoded PowerShell command, and execute it, according to CloudSEK, eSentire, Palo Alto Networks Unit 42 and Secureworks.
The attack, which ultimately delivers stealers such as Lumma, StealC and Vidar, is a variant of the ClickFix campaign documented in recent months by ReliaQuest, Proofpoint, McAfee Labs and Trellix.
“This new attack vector poses a significant risk because it bypasses browser security controls by exposing the command line,” Secureworks said. “The victim is then directed to execute unauthorized code directly on their host.”
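The ClickFix lure described above leaves a host-side trace that defenders can check for: commands executed through the Run dialog (Windows key + R) are recorded by Explorer under the per-user registry key `HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, each value holding the typed command with a trailing `\1`. The following PowerShell script is an added triage example, not code from the article or from any vendor it cites; the indicator list (encoded-command, hidden-window, no-profile and download/execute switches) is a generic set of PowerShell launch patterns chosen for this example, not a signature for any specific campaign.

```powershell
# Added example (not from the article): triage a Windows host for ClickFix-style activity by
# inspecting the Run-dialog (Win+R) history Explorer keeps under HKCU:\...\Explorer\RunMRU.
# Each value there is a command string ending in "\1"; the MRUList value only stores ordering.
# Assumption (mine): the indicator regexes below are a generic PowerShell-abuse set, not a
# signature tied to a particular campaign or payload.

function Get-SuspiciousRunMruEntries {
    [CmdletBinding()]
    param(
        # Real RunMRU location; pass another key path to run this against a loaded hive or a test key
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Verbose "RunMRU key not present: $Path"
        return @()
    }

    # Indicator name -> regex (PowerShell -match is case-insensitive). Ordered for stable output.
    $indicators = [ordered]@{
        'powershell-launch' = '(^|[\\\s"])(powershell|pwsh)(\.exe)?\b'
        'encoded-command'   = '\s-(e|ec|en|enc|encodedcommand)\s'
        'hidden-window'     = '\s-(w|win|windowstyle)\s+hidden\b'
        'no-profile'        = '\s-(nop|noprofile)\b'
        'remote-fetch'      = '\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b'
        'dynamic-exec'      = '\b(iex|invoke-expression)\b'
        'mshta-launch'      = '\bmshta(\.exe)?\b'
    }

    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq 'MRUList') { continue }

        # Strip the "\1" marker Explorer appends to every Run-dialog entry
        $command = ([string]$key.GetValue($name)) -replace '\\1$', ''
        $hits = @($indicators.Keys | Where-Object { $command -match $indicators[$_] })
        if ($hits.Count -eq 0) { continue }

        # If an -EncodedCommand payload is present, decode it (base64 of UTF-16LE) for the analyst
        $decoded = $null
        if ($command -match '\s-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
            try {
                $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            } catch {
                $decoded = '<not valid base64>'
            }
        }

        [pscustomobject]@{
            ValueName  = $name
            Command    = $command
            Indicators = ($hits -join ',')
            Decoded    = $decoded
        }
    }
}

# Usage: run as (or with the loaded hive of) the user who may have pasted the command; RunMRU is per-user.
Get-SuspiciousRunMruEntries -Verbose | Format-List
```

RunMRU only captures what was typed into the Run dialog, and a user or cleanup routine can clear it, so treat a hit as a starting point rather than proof. Process-creation telemetry (Sysmon event ID 1, or Windows event 4688 with command-line auditing enabled) showing `powershell.exe` spawned directly by `explorer.exe` with an encoded command line is the more durable signal for the same behaviour, and the decoded payload from this script gives the analyst the URL or second-stage command to pivot on.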
Phishing and malware campaigns have also been observed distributing Atomic macOS Stealer (AMOS) and Rilide, as well as a new variant of the malware known as Snake Keylogger (aka 404 Keylogger or KrakenKeylogger).
In addition, information stealers such as Atomic, Rhadamanthys and StealC have been at the center of more than 30 scam campaigns orchestrated by the cybercriminal gang known as Marko Polo to commit cryptocurrency theft across platforms by impersonating legitimate brands in online gaming, virtual meeting and productivity software, and cryptocurrency.
“Marko Polo primarily targets gamers, cryptocurrency influencers, and software developers through social media phishing, emphasizing its focus on tech-savvy victims,” Recorded Future said, adding that “tens of thousands of devices are likely to have been compromised worldwide.”