| Rhadamanthys | |
|---|---|
| Type of Malware | Trojan |
| Country of Origin | Russia |
| Date of initial activity | 2022 |
| Targeted Countries | United States |
| Associated Groups | Sandworm |
| Motivation | Financial Gain, Data Theft |
| Attack Vectors | Phishing, Web Browsing |
| Targeted Systems | Windows |
| Type of Information Stolen | Browser Data |
Overview
Rhadamanthys is a sophisticated information-stealing malware with a highly modular and adaptive architecture. Since first emerging as a significant threat in the cybersecurity landscape, Rhadamanthys has undergone numerous updates and enhancements; its latest major release is version 0.5.0. This iteration, discovered in December 2023, exemplifies the malware’s evolution by incorporating advanced features and improvements over its predecessors.
The Rhadamanthys stealer operates through a multi-layered approach, leveraging a combination of custom executable formats and a plugin system to expand its functionality. The malware’s design allows it to execute a variety of malicious activities, including data exfiltration and system spying, by using an array of interconnected modules. Each module serves a specific purpose, from initial infection to the extraction of sensitive information, making Rhadamanthys a versatile and formidable threat in the cybercriminal arsenal.
Targets
Individuals working across multiple sectors, such as information services and government agencies, as well as individual users in general.
How they operate
At its core, Rhadamanthys employs a combination of tactics to gain initial access to its targets. This includes phishing emails carrying malicious attachments or links which, once opened, launch the malware’s payload. Once inside, Rhadamanthys uses various execution techniques to establish persistence on the infected system. It can run scripts or abuse legitimate system tools to execute its code, ensuring that its operations continue even after a system reboot or user intervention.
The malware’s persistence mechanism is particularly sophisticated. Rhadamanthys embeds itself into the system’s startup processes, making it difficult to remove through conventional means. It achieves this by modifying registry keys and creating scheduled tasks that re-launch its execution, thereby maintaining control over the compromised environment.
Privilege escalation is another critical aspect of Rhadamanthys’s operation. By exploiting known vulnerabilities or misconfigurations within the target system, it elevates its permissions, allowing it to perform actions that are typically restricted. This capability not only enhances its control over the infected system but also facilitates further attacks on other networked systems.
Defense evasion is a fundamental component of Rhadamanthys’s strategy. The malware is equipped with various techniques to avoid detection by security tools. It uses encryption to obscure its payload and employs anti-analysis techniques to hinder reverse engineering efforts. By disguising its presence and minimizing its footprint, Rhadamanthys evades standard security measures, making it harder to identify and neutralize.
In terms of credential access, Rhadamanthys targets stored credentials and session tokens to gain unauthorized access to additional systems and data. Its discovery phase involves mapping the network and identifying valuable targets, which are then subjected to further attacks. Lateral movement techniques allow Rhadamanthys to spread across networks, amplifying its impact and reach.
Collection and exfiltration are the final stages of Rhadamanthys’s operation. Once it has gathered sufficient data, including sensitive information and system credentials, it securely transmits this information to remote servers controlled by the attackers. This data can then be used for various malicious purposes, such as identity theft, financial fraud, or further cyber espionage activities.
MITRE Tactics and Techniques
Initial Access (TA0001)
Execution (TA0002)
Persistence (TA0003)
Privilege Escalation (TA0004)
Defense Evasion (TA0005)
Credential Access (TA0006)
Discovery (TA0007)
Lateral Movement (TA0008)
Collection (TA0009)
Exfiltration (TA0010)
Impact (TA0011)