Rhadamanthys Strikes Israel: Digital War Heats Up

A new malicious campaign has been discovered targeting users in Israel with the Rhadamanthys malware. The malware poses a serious threat to both organizations and home users, combining a multi-stage infection chain with extensive data-theft capabilities.

Rhadamanthys made its first appearance towards the end of 2023 and quickly spread through closed cybercrime forums under a MaaS (malware-as-a-service) model. The malware takes its name from Rhadamanthys, the judge of the dead in Greek mythology, a nod to its role of collecting and sifting through victims' data.

The attack begins with a well-crafted phishing email in Hebrew that impersonates notifications from the popular Israeli media outlets Calcalist and Mako, alleging copyright violations. The email is written in a professional tone that mimics business correspondence and urges recipients to act within 24 hours. Attached is a RAR archive presented as important legal documents.

Extracting the archive reveals three components: an executable with a Hebrew file name, a DLL named “MSIMG32.DLL” (the name of a legitimate Windows system library, placed next to the executable so that it is loaded in place of the real one), and an auxiliary file of 142.8 MB.

Running the executable starts a multi-stage infection process. The malware scans the system for analysis tools and takes steps to evade them, then injects its code into legitimate Windows processes. According to researchers, the processes it targets include “Openwith.exe”, “Oobe-maintenance.exe”, and “dllhost.exe”.

Rhadamanthys can detect virtual machines and debuggers, and it uses timing delays to outlast the analysis window of sandboxes. It also modifies the Windows Registry so that it is launched automatically at system startup.

Rhadamanthys’ capabilities include the theft of passwords, cryptocurrency wallet data, system information, office documents, screenshots, and keystrokes.

Rhadamanthys communicates with its command-and-control (C2) servers over encrypted channels. The primary server for this campaign was identified at IP address 103.68.109.208, using ports 443 and 1630.
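The behaviours described above (the MSIMG32.DLL dropped beside the executable, the injection into openwith.exe, oobe-maintenance.exe and dllhost.exe, and the C2 endpoint at 103.68.109.208 on ports 443/1630) can each be turned into a simple hunting rule. The following is an added illustration, not code from the article or from any vendor: it runs three such rules over constructed endpoint telemetry; the event format, the sample events and the rule names are assumptions.

```python
"""Hunt for the Rhadamanthys indicators from the article over constructed
endpoint telemetry (DLL-load, process-creation and network events)."""

# Indicators taken from the article.
C2_IP = "103.68.109.208"
C2_PORTS = {443, 1630}
SIDELOADED_DLL = "msimg32.dll"
INJECTION_TARGETS = {"openwith.exe", "oobe-maintenance.exe", "dllhost.exe"}
# Directories from which the real msimg32.dll and OS-launched parents
# are expected; anything else is treated as user-controlled (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_DIR = "c:\\windows\\"

# Constructed sample telemetry (not from the article): one dict per event.
SAMPLE_EVENTS = [
    {"type": "dll_load", "image": "C:\\Users\\u\\Downloads\\doc\\legal.exe",
     "dll": "C:\\Users\\u\\Downloads\\doc\\MSIMG32.DLL"},
    {"type": "dll_load", "image": "C:\\Windows\\System32\\mspaint.exe",
     "dll": "C:\\Windows\\System32\\msimg32.dll"},
    {"type": "process", "parent": "C:\\Users\\u\\Downloads\\doc\\legal.exe",
     "image": "C:\\Windows\\System32\\dllhost.exe"},
    {"type": "process", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\dllhost.exe"},
    {"type": "network", "image": "C:\\Windows\\System32\\dllhost.exe",
     "dst_ip": "103.68.109.208", "dst_port": 1630},
    {"type": "network", "image": "C:\\Program Files\\browser.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return an alert name for a suspicious event, or None."""
    if event["type"] == "dll_load":
        # msimg32.dll is a system DLL; a copy loaded from a user-writable
        # folder next to the EXE is the sideloading pattern in the article.
        dll = event["dll"].lower()
        if basename(dll) == SIDELOADED_DLL and not dll.startswith(SYSTEM_DIRS):
            return "sideload:msimg32"
    elif event["type"] == "process":
        # An injection target spawned by something outside C:\Windows
        # (e.g. an EXE run from an extracted archive) instead of by the OS.
        if basename(event["image"]) in INJECTION_TARGETS and \
                not event["parent"].lower().startswith(WINDOWS_DIR):
            return "inject:" + basename(event["image"])
    elif event["type"] == "network":
        if event["dst_ip"] == C2_IP and event["dst_port"] in C2_PORTS:
            return "c2:rhadamanthys"
    return None

def hunt(events):
    """Return (event index, alert name) for every event matching a rule."""
    hits = []
    for i, event in enumerate(events):
        alert = classify(event)
        if alert:
            hits.append((i, alert))
    return hits

if __name__ == "__main__":
    for i, alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert}] {SAMPLE_EVENTS[i]}")
```

The parent-process rule will also fire on benign launches from non-Windows paths (installers, for example), so in practice it is a triage signal to combine with the DLL and network rules rather than a standalone block.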

To defend against Rhadamanthys, experts recommend robust email filtering, sandbox analysis of attachments, regular anti-phishing training for employees, modern endpoint protection, restricting lateral movement within the network, regular data backups, keeping systems up to date, and enabling multi-factor authentication.

The emergence of Rhadamanthys underscores the growing professionalism of the cybercrime ecosystem and the need for continuous vigilance. The malware is a significant threat, combining sophisticated data-theft methods with evasion of security controls.