A recent cyber campaign has highlighted the sophisticated RHADAMANTHYS information stealer, particularly targeting Israeli users. This malware, originating from Russian-speaking cybercriminals, operates as a Malware-as-a-Service and excels in data exfiltration. The campaign utilizes social engineering tactics, employing Hebrew phishing emails disguised as legitimate notifications from trusted sources like Calcalist and Mako. These emails create a sense of urgency and fear of legal consequences by falsely claiming copyright infringement, manipulating users into taking immediate action that compromises their security.
Victims of the phishing scheme are prompted to download a locked RAR archive, which contains a suspicious executable named “תמונות מפרות זכויות יוצרים.exe.” Upon execution, the RHADAMANTHYS malware initiates a complex, multi-staged infection process, utilizing anti-analysis and anti-emulation techniques to evade detection within sandbox environments. The malware employs process injection into legitimate Windows processes to remain undetected and modifies the system registry for persistence, allowing it to maintain access and control over compromised systems.
RHADAMANTHYS demonstrates advanced capabilities, including the exfiltration of sensitive data such as user credentials, browsing history, and cryptocurrency information. It communicates with its command-and-control server using encrypted traffic over HTTPS, employing a non-standard port for stealth. The malware exhibits aggressive behavior across various system components, including DNS lookups, which may serve as evasive maneuvers or facilitate communication with its command-and-control infrastructure. Additionally, it alters autorun entries and tampering with browser settings to ensure persistent infections and regulate user interactions, showcasing the evolving sophistication of cyber threats.
To mitigate the risks associated with RHADAMANTHYS and similar threats, organizations must prioritize email security by implementing robust filtering and sandboxing measures. Increasing user awareness through phishing training is essential, alongside deploying advanced endpoint protection solutions. Regular backups, patch management, and enforcing multi-factor authentication are also critical strategies for safeguarding sensitive information and ensuring the integrity of networks against such advanced malware attacks. As cybercriminals continue to innovate, a proactive and comprehensive defense approach is vital for protecting against the growing threat landscape.
Reference: