Cofense Intelligence has detected a sophisticated campaign targeting the Oil and Gas industry, leveraging the advanced Rhadamanthys Stealer, a newly emerged Malware-as-a-Service (MaaS) tool. This campaign’s emergence shortly after the takedown of the LockBit ransomware group suggests a rapid evolution in cybercriminal tactics. Employing various phishing techniques, such as open redirects and interactive PDFs hosted on legitimate domains like Google Maps and Google Images, attackers lure victims into downloading the Rhadamanthys Stealer.
The Rhadamanthys Stealer, written in C++, implements a range of data-theft features, including the extraction of device information, document files, cryptocurrency wallets, and credentials stored in applications and browsers. Notably, the malware recently received a significant update to version 5.0, offering threat actors enhanced customization options and additional measures to counter security defenses and exploit vulnerabilities. This advanced functionality underscores the severity of the threat posed by the Rhadamanthys Stealer and its potential impact on organizations within the Oil and Gas sector.
The campaign begins with phishing emails containing vehicle incident reports; victims who interact with the embedded links are ultimately redirected to download the Rhadamanthys Stealer. Upon execution, the malware establishes a connection with a command and control (C2) server, enabling the exfiltration of stolen credentials, cryptocurrency wallets, and sensitive information. The high volume of phishing emails employing these tactics suggests a concerted effort by threat actors to bypass secure email gateways and deliver the malicious payload.
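The redirect-through-a-legitimate-domain lure described above can be triaged at the email gateway by parsing each link and checking whether a trusted host carries an external destination in its query string. The following is an added example, not Cofense's code or part of the original report; the trusted-host list, the redirect parameter names and the target hosts in the sample links are constructed placeholders, not observed indicators.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed watch-list of hosts a lure is likely to use as its "legitimate" hop.
TRUSTED_HOSTS = {"www.google.com", "maps.google.com", "images.google.com"}


def external_redirect_targets(url: str) -> list[str]:
    """Return hosts of absolute http(s) URLs found in the query parameters of
    `url` whose host differs from the outer link's host (redirect-through)."""
    parsed = urlparse(url)
    outer_host = (parsed.hostname or "").lower()
    targets = []
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            inner = urlparse(unquote(value))  # handle double-encoded values
            if (inner.scheme in ("http", "https") and inner.hostname
                    and inner.hostname.lower() != outer_host):
                targets.append(inner.hostname.lower())
    return targets


def is_suspicious_redirect(url: str) -> bool:
    """Flag a link whose visible host is trusted but which carries an
    external destination in its parameters. Scheme-less targets (bare
    hostnames) are deliberately not matched to limit false positives."""
    host = (urlparse(url).hostname or "").lower()
    return host in TRUSTED_HOSTS and bool(external_redirect_targets(url))


# Constructed sample links of the kind seen in lure emails (placeholder hosts).
SAMPLE_LINKS = [
    "https://www.google.com/url?q=https%3A%2F%2Fexample-lure.invalid%2Freport.pdf",
    "https://maps.google.com/maps?q=Houston+TX",
    "https://images.google.com/view?u=http://payload.invalid/incident",
    "https://www.example.org/page?next=https://www.example.org/home",
]


def triage(links: list[str]) -> list[str]:
    """Return only the links that match the redirect-through pattern."""
    return [link for link in links if is_suspicious_redirect(link)]


if __name__ == "__main__":
    for link in triage(SAMPLE_LINKS):
        print("suspicious:", link, "->", external_redirect_targets(link))
```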