The Rhadamanthys information-stealing malware has received two notable updates, versions 0.5.0 and 0.5.1, released in quick succession by its developers. First seen in August 2022, Rhadamanthys is a C++ information stealer built to harvest credentials from a wide range of applications, including email clients, FTP clients, and online banking services. Unlike some of its early competitors, Rhadamanthys is sold to other criminals on a subscription basis, and those customers deliver it to victims through malvertising, trojanized torrent downloads, email, and YouTube videos.
The most significant change in version 0.5.0 is a new plugin system, which lets operators tailor each build to the campaign at hand. Because only the plugins an operator actually needs are loaded, the malware keeps a smaller footprint on the victim machine, which reduces the amount of behaviour available for security products to detect. One of the plugins shipped with this release, named ‘Data Spy,’ monitors RDP login attempts on the infected host and captures the credentials used, extending the stealer from stored data to live authentication traffic.
Version 0.5.0 also reworks stub construction and the client execution flow, fixes bugs in cryptocurrency wallet targeting, and improves the theft of data from browsers. The loader was rewritten and now carries anti-analysis checks, an embedded configuration, and the modules for the next stage, referred to as XS1. The XS1 loader unpacks a set of modules, five of them new in this version and largely devoted to evasion. These modules handle communication with the command and control (C2) server, from which the remaining components, including both passive and active stealers, are fetched.
Passive stealers gather information with as little interaction as possible, combing through directories and watching applications for sensitive data they handle. Active stealers use more intrusive techniques, such as keylogging, screen capture, and code injection into running processes, to collect as much as they can. The pace of development is underscored by version 0.5.1, released shortly afterwards, which adds a Clipper plugin that diverts cryptocurrency payments, Telegram notifications for exfiltrated wallet data, recovery of deleted Google Account cookies, and a stub-cleaning step intended to evade Windows Defender, including its cloud protection.
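The Clipper plugin is the most concrete mechanism the article names, so here is an added example of what a clipper does to the clipboard and a simple check that exposes it. This is editor-written illustration code, not code from Rhadamanthys or from the researchers who analysed it. A clipper polls the clipboard and, when the user copies a wallet address, silently rewrites it to an attacker-controlled address of the same kind before the user pastes it. The check below scans a constructed clipboard history for that signature: an address replaced by a different address of the same family within a very short interval. The address patterns, the two-second window and the sample history are assumptions made for this example.

```python
"""Clipboard-swap ("clipper") check over a recorded clipboard history.

Added example for this article; it is not code from Rhadamanthys or from the
analysis it summarises. The address patterns, the timing threshold and the
sample history below are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Address families a clipper would target. Patterns cover the common Bitcoin
# (legacy base58 and bech32) and Ethereum (hex) shapes; checksums are not
# validated here, since a clipper only needs the string to look like an address.
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family a clipboard string looks like, or None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


@dataclass
class Swap:
    index: int          # position in the history of the replaced value
    family: str
    original: str
    replaced_with: str
    delay: float        # seconds between the user's copy and the rewrite


def find_swaps(snapshots: Sequence[Tuple[float, str]],
               max_interval: float = 2.0) -> List[Swap]:
    """Flag consecutive snapshots where an address of one family is replaced by
    a different address of the same family within max_interval seconds.

    A clipper rewrites the clipboard almost immediately after the copy, so a
    same-family change after a sub-second delay is the signature. A user who
    copies two addresses minutes apart is not flagged. The 2-second window is
    an assumption for this example, not a figure from the analysis.
    """
    swaps: List[Swap] = []
    for i in range(1, len(snapshots)):
        t_prev, prev = snapshots[i - 1]
        t_cur, cur = snapshots[i]
        prev, cur = prev.strip(), cur.strip()
        family = classify(prev)
        delay = t_cur - t_prev
        if family and classify(cur) == family and cur != prev \
                and delay <= max_interval:
            swaps.append(Swap(i, family, prev, cur, delay))
    return swaps


# Constructed clipboard history: (seconds since start, clipboard text).
# Not captured from a real system. The address strings are copied from public
# documentation examples and are used only as sample input.
SAMPLE_CLIPBOARD = [
    (0.0, "meeting notes for Tuesday"),
    (5.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),    # user copies address
    (5.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),    # rewritten 0.3 s later
    (40.0, "0x52908400098527886E0F7030069857D2E4169EE7"),
    (95.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAE"),   # new ETH address, 55 s later
    (120.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
]

if __name__ == "__main__":
    for swap in find_swaps(SAMPLE_CLIPBOARD):
        print(f"[{swap.index}] {swap.family}: {swap.original} -> "
              f"{swap.replaced_with} after {swap.delay:.1f}s")
```

Run against the sample history, only the bech32 rewrite at index 2 is reported; the two Ethereum addresses copied 55 seconds apart look like ordinary user activity. To turn this into a live monitor on Windows, the history would be fed from a clipboard listener (for example AddClipboardFormatListener together with GetClipboardSequenceNumber), comparing what the foreground application placed on the clipboard with what is there a moment later. The practical lesson for users is the same either way: verify the pasted address against the intended one before sending funds.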
The steady cadence of releases shows why Rhadamanthys remains attractive to threat actors looking for a capable and adaptable stealer. As each version adds evasion techniques and widens the set of targeted applications, detections and response playbooks built around earlier versions age quickly, so defenders need to track its changes and update their controls accordingly.