RHADAMANTHYS: An In-Depth Analysis of a Sophisticated Stealer Targeting Israeli Users

Maor Dayan - מאור דיין
Aug 2, 2024


In the ever-evolving landscape of cyber threats, a new campaign targeting Israeli users has brought the sophisticated RHADAMANTHYS stealer into sharp focus. This article provides an extensive analysis of the infection chain, payload capabilities, and broader implications of this emerging threat, based on recent samples and dynamic analysis.

Background on RHADAMANTHYS

RHADAMANTHYS first emerged in the cybercrime underground in late 2023 as a sophisticated information stealer. It is believed to have been developed by Russian-speaking threat actors and is offered as Malware-as-a-Service (MaaS) on exclusive forums. The name likely derives from Greek mythology, where Rhadamanthus was a wise king of Crete who became a judge of the dead in the underworld — perhaps a nod to the malware’s judgment-like data collection capabilities.

The Initial Lure

The attack begins with social engineering: a meticulously crafted email in Hebrew that masquerades as communication from “Calcalist” and “Mako”, a prominent Israeli business newspaper and websites.

Key elements of the phishing email

  1. Urgent subject line related to copyright violations
  2. Professional language mimicking legitimate business correspondence
  3. A sense of urgency, demanding action within 24 hours
  4. Attachment disguised as important legal documents

This approach is classic social engineering: it exploits human psychology, playing on fear of legal trouble and on time pressure to bypass the victim’s usual security considerations.

Malicious Attachment Analysis

The email includes a locked RAR archive as its attachment in order to avoid detection. Upon extraction, the archive reveals three components:

1. Malicious Executable

  • Filename: תמונות מפרות זכויות יוצרים.exe
  • Size: 1,804,072 bytes
  • SHA256: A7DBBAD8A1CD038E5AB5B3C6B1B312774D808E4B0A2254E8039036972AC8881A

2. DLL File

  • Filename: msimg32.dll
  • Size: 1,950,208 bytes
  • SHA256: 48AAA2DEC95537CDF9FC471DBCBB4FF726BE4A0647DBDF6300FA61858C2B0099

3. Support file

  • Size: 142,831,022 bytes
  • SHA256: f3291a98446b3a24a7ccd4b44bc05bfd48502179835fe3429f81d211579f5a4b

The Infection Chain

When the victim executes the malicious file, it initiates a complex, multi-stage infection process characteristic of the RHADAMANTHYS malware family:

Initial Execution

  • The malware checks for the presence of analysis tools or sandboxes.
  • It may use anti-emulation techniques to evade automated analysis.

Process Injection

  • RHADAMANTHYS injects its malicious code into legitimate Windows processes.
  • Observed target processes include:
      • OpenWith.exe
      • OOBE-Maintenance.exe
      • dllhost.exe

Anti-Analysis Techniques

  • Virtual Machine Detection: Checks for artifacts of popular virtualization software.
  • Debugger Detection: Attempts to identify if it’s being analyzed in a debugger.
  • Time-based evasion: May use sleep calls or CPU-intensive loops to outlast sandboxes.

Persistence Mechanism

  • Registry Modification: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*ChromeUpdate Value: “rundll32.exe C:\Users\admin\Documents\FirefoxData.dll,EntryPoint”
  • This ensures the malware runs each time the system starts.

Data Exfiltration

RHADAMANTHYS targets a wide range of sensitive information, including:

  • Web Browsers: Saved passwords, autofill data, browsing history
  • Cryptocurrency: Wallet files and related data
  • System Information: Detailed specs, installed software, running processes
  • File System: Scans for documents with specific extensions (e.g., .doc, .pdf)
  • Screenshots: Periodic captures of the victim’s desktop
  • Keylogging: Captures keystrokes to steal additional credentials

Command & Control (C2) Communication

  • Primary C2 IP: 103.68.109.208
  • Ports Used: 443 (HTTPS), 1630 (non-standard)
  • The malware uses encrypted communications to evade network-based detection.

Additional Payload Delivery

  • RHADAMANTHYS can act as a loader, potentially downloading and executing additional malware.

Technical Deep Dive

1. Network Behavior

  • DNS Requests: The malware performs numerous DNS lookups, likely for evasion and to locate its C2 server.
  • Suspicious Connections:
      • 103.68.109.208:1630 (OpenWith.exe)
      • 103.68.109.208:1630 (OOBE-Maintenance.exe)
      • 103.68.109.208:443 (dllhost.exe)

2. File System Activity

  • Creates numerous temporary files in %TEMP% and %APPDATA%
  • Drops additional components, including “FirefoxData.dll”
  • Extensive read operations on user directories, likely for data theft

3. Registry Modifications

  • Numerous reads and writes to HKEY_CURRENT_USER
  • Creates autorun entries for persistence
  • Modifies browser-related registry keys

4. Process Manipulation

  • Injects code into legitimate processes
  • Creates child processes, often using LOLBins like cmd.exe

5. API Calls of Interest

  • VirtualAllocEx: Used for process injection
  • CreateRemoteThread: Executes injected code
  • RegSetValueEx: Modifies registry for persistence
  • CryptEncrypt/CryptDecrypt: Likely used for C2 communication
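
The network and persistence behaviours listed above can be hunted for in endpoint telemetry. The following is an added example, not code from the original article: it flags outbound connections from the three observed host processes and Run-key values that launch rundll32 on a DLL under a user profile, then correlates the findings per host. It assumes Sysmon-style events (Event ID 3 and 13 field names); the host names, the SID and the `Run\*ChromeUpdate` key layout in the sample are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Host processes the article saw carrying injected code, and its C2 address.
INJECTION_HOSTS = {"openwith.exe", "oobe-maintenance.exe", "dllhost.exe"}
C2_IP = "103.68.109.208"
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_DLL = re.compile(r"rundll32(\.exe)?\s+\S*\\Users\\[^,]+\.dll", re.I)

def classify(event):
    """Return a finding label for one Sysmon-style event, or None."""
    if event["EventID"] == 3:  # network connection
        image = event["Image"].rsplit("\\", 1)[-1].lower()
        dst = ipaddress.ip_address(event["DestinationIp"])
        if image in INJECTION_HOSTS and str(dst) == C2_IP:
            return "c2-ioc"
        if image in INJECTION_HOSTS and dst.is_global and event["DestinationPort"] not in (80, 443):
            return "odd-egress"
    elif event["EventID"] == 13:  # registry value set
        if RUN_KEY.search(event["TargetObject"]) and USER_DLL.search(event["Details"]):
            return "run-key-user-dll"
    return None

def triage(events):
    """Group findings per host; persistence plus suspicious egress rates 'high'."""
    findings = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            findings[ev["Computer"]].add(label)
    return {host: ("high" if "run-key-user-dll" in labels and len(labels) > 1 else "review",
                   sorted(labels)) for host, labels in findings.items()}

# Constructed sample events (field names follow Sysmon; hosts and SID are made up).
SAMPLE = [
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Windows\System32\OpenWith.exe",
     "DestinationIp": "103.68.109.208", "DestinationPort": 1630},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate",
     "Details": r"rundll32.exe C:\Users\admin\Documents\FirefoxData.dll,EntryPoint"},
    {"EventID": 3, "Computer": "WS02", "Image": r"C:\Windows\System32\dllhost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 135},
    {"EventID": 3, "Computer": "WS03", "Image": r"C:\Windows\System32\OOBE-Maintenance.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 1630},
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE).items()):
        print(host, verdict)
```

The "odd-egress" label is a behavioural fallback for when the C2 address changes; expect to tune its port allowlist to the environment.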

YARA Rule

A basic YARA rule to detect potential RHADAMANTHYS samples:

    rule RHADAMANTHYS_Stealer {
        meta:
            description = "Detects RHADAMANTHYS stealer malware"
            author = "Maor Dayan"
            date = "2024-08-02"
        strings:
            $s1 = "FirefoxData.dll" ascii wide
            $s2 = "*ChromeUpdate" ascii wide
            $s3 = "OOBE-Maintenance.exe" ascii wide
            $hex1 = {48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20} // Common code pattern
        condition:
            uint16(0) == 0x5A4D and
            filesize < 5MB and
            2 of ($s*) and $hex1
    }

Mitigation and Protection

  1. Email Security — Implement robust email filtering and sandbox solutions to analyze attachments.
  2. User Awareness — Conduct regular phishing awareness training for employees.
  3. Endpoint Protection — Deploy and maintain up-to-date EDR/XDR solutions.
  4. Network Segmentation — Limit lateral movement opportunities for attackers.
  5. Regular Backups — Maintain offline backups of critical data.
  6. Patch Management — Keep all systems and software up-to-date.
  7. Application Whitelisting — Restrict execution to known, approved applications.
  8. Multi-Factor Authentication — Implement MFA across all critical accounts and services.

Broader Implications

The emergence of RHADAMANTHYS in targeted attacks against Israeli users highlights several important trends:

  1. Sophistication of MaaS: The malware’s advanced features demonstrate the increasing professionalism in the cybercrime ecosystem.
  2. Localized Targeting: Tailoring attacks to specific regions with language-appropriate lures.
  3. Blurred Lines: The capabilities of RHADAMANTHYS could be attractive to both cybercriminals and nation-state actors.
  4. Evolution of Stealers: Moving beyond simple credential theft to comprehensive data exfiltration.

Conclusion

RHADAMANTHYS represents a significant evolution in the realm of information stealers. Its multi-stage infection process, robust anti-analysis features, and comprehensive data theft capabilities make it a formidable threat, particularly to users and organizations in Israel. As this malware family continues to evolve, it’s crucial for security professionals to stay informed about its tactics and implement layered defenses to mitigate the risk.

The targeted nature of this campaign against Israeli users also raises questions about potential geopolitical motivations behind the attacks. Whether driven by financial gain or espionage, RHADAMANTHYS serves as a stark reminder of the need for constant vigilance in our increasingly interconnected digital world.
