An ongoing phishing campaign, active since July 2024, uses copyright-infringement themes to trick victims into downloading a newer version of the Rhadamanthys information stealer.
Cybersecurity firm Check Point is tracking a massive campaign called CopyRh(ight)adamantys. Target regions include the US, Europe, East Asia, and South America.
“The company simulates dozens of campaigns, while each email is sent to a specific target organization from a different Gmail account, tailoring the simulated campaign and language to each target organization,” the company said in a technical analysis. “Almost 70% of shell companies belong to the entertainment / media and technology / software sectors.”
The attacks are characterized by the deployment of version 0.7 of the Rhadamanthys stealer, which, as detailed by Recorded Future's Insikt Group early last month, includes artificial intelligence (AI) for optical character recognition (OCR).
The Israeli company said the activity overlaps with a campaign Cisco Talos disclosed last week, which targeted Facebook business and advertising accounts in Taiwan to deliver the Lumma or Rhadamanthys malware.
The attack chains rely on phishing emails that allege copyright infringement while impersonating well-known companies.
These emails are sent from Gmail accounts and claim to be from legitimate companies. The message accuses the recipients of misusing the company's brand on social media and demands that they remove the images and videos in question.
“Removal instructions are in a password-protected file. However, the attached file is a download link on appspot.com linked to a Gmail account, which redirects the user to Dropbox or Discord to download a password-protected archive (with the password specified in the email),” Check Point reported.
The RAR archive contains three components: a legitimate executable that is susceptible to DLL side-loading, a malicious DLL that contains the stealer payload, and a decoy document. When the binary is run, it loads the DLL, which in turn paves the way for Rhadamanthys to be deployed.
Check Point, which attributed the campaign to a likely cybercriminal group, said that the scale of the campaign and the variety of lures and sender emails point to the threat actors' use of artificial intelligence tools.
“The campaign’s widespread and indiscriminate targeting of organizations in multiple regions suggests that it was organized by a financially motivated cybercriminal group, not a nation state,” the report said. “Its global reach, automated phishing tactics and diverse lures demonstrate how attackers are continuously evolving to improve their success rates.”
The new SteelFox malware exploits a vulnerable driver
The findings come as Kaspersky shed light on a new “full-featured malware suite” dubbed SteelFox, which is being distributed through forum posts, torrent trackers and blogs, masquerading as legitimate utilities such as Foxit PDF Editor, JetBrains and AutoCAD.
The campaign, which began in February 2023, claimed victims all over the world, especially in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India and Sri Lanka. It has not been attributed to any known threat actor or group.
“Delivered via complex execution chains, including shellcode, this threat abuses Windows services and drivers,” security researcher Kirill Karchemny said. “It also uses malware to steal the victim’s credit card details as well as details about the infected device.”
The starting point is a dropper application that mimics cracked versions of popular software. When executed, it requests administrator access and drops a next-stage loader, which in turn sets up persistence and launches the SteelFox DLL.
The administrator access is then abused to create a service that runs an old version of WinRing0.sys, a hardware access library for Windows that is vulnerable to CVE-2020-14979 and CVE-2021-41285, thereby allowing the threat actor to gain NT\SYSTEM privileges.
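As an added defender-side example (not code from the Kaspersky report or this page), the following Python scans constructed Windows System log Event ID 7045 ("a service was installed") records for the pattern described above: a kernel driver named WinRing0 registered as a service from a location outside the standard driver directories. The record format, the 64-bit file name WinRing0x64.sys and the trusted-directory list are assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records modelled on Event ID 7045 fields; not real telemetry.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName="WinRing0_1_2_0" ImagePath="C:\\Users\\Public\\WinRing0x64.sys" ServiceType="kernel mode driver"',
    'EventID=7045 ServiceName="Disk" ImagePath="System32\\drivers\\disk.sys" ServiceType="kernel mode driver"',
    'EventID=7045 ServiceName="Updater" ImagePath="C:\\ProgramData\\Updater\\svc.exe" ServiceType="user mode service"',
    'EventID=7036 ServiceName="Spooler" ImagePath="" ServiceType=""',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed set of directories where kernel drivers are normally installed.
TRUSTED_DRIVER_DIRS = ("system32\\drivers", "system32\\driverstore")


def parse_event(line):
    """Return the key/value fields of one constructed event line as a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify_driver_install(event):
    """Return the reasons a 7045 kernel-driver install is suspicious (empty if none)."""
    if event.get("EventID") != "7045" or event.get("ServiceType") != "kernel mode driver":
        return []
    path = event.get("ImagePath", "")
    name = PureWindowsPath(path).name.lower()
    reasons = []
    # The vulnerable driver named on the page (CVE-2020-14979 / CVE-2021-41285).
    if name.startswith("winring0") and name.endswith(".sys"):
        reasons.append("vulnerable WinRing0 driver installed as a service")
    # Kernel drivers normally live under System32\drivers; other paths deserve a look.
    if not any(d in path.lower() for d in TRUSTED_DRIVER_DIRS):
        reasons.append("kernel driver loaded from a non-standard directory")
    return reasons


def scan(lines):
    """Return [(service_name, reasons)] for every flagged event."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify_driver_install(event)
        if reasons:
            hits.append((event["ServiceName"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```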
“This driver is also a component of the XMRig miner, so it is used for mining,” Karchemny noted. “After initializing the driver, the sample starts the miner. This is a modified XMRig executable with spam code placeholders. It connects to the mining pool with hard-coded credentials.”
The miner, for its part, is downloaded from a GitHub repository, while the malware also initiates contact with a remote server over TLS 1.3 to transmit sensitive data harvested from web browsers, such as cookies, credit card details, browsing history and visited locations, as well as system metadata, installed software and the time zone, among other things.
“The sophisticated use of modern C++ combined with external libraries gives this malware enormous power,” Kaspersky said. “Using TLSv1.3 and SSL encryption ensures secure communication and collection of sensitive data.”