Cybercriminals are constantly on the lookout for new ways to steal valuable data from organizations, and the latest tactic involves sending bogus copyright infringement emails as part of a phishing campaign. The Rhadamanthys infostealer malware is the tool of choice for these cybercriminals, with the latest version, Rhadamanthys 0.7, targeting organizations across multiple continents since July.
The phishing emails are designed to appear as though they are coming from media and technology companies, accusing the victims of copyright violations on their business Facebook pages. The email content includes threats of legal action and instructions for content removal, leading the victims to feel a sense of urgency and panic. The emails are sent from different Gmail accounts each time, adding to the sophistication of the scam.
When the victims extract the attachments from the email, they find a decoy PDF, an executable file, and a DLL containing the Rhadamanthys malware. Running the executable file triggers the deployment of the malware, which can then steal sensitive information from the victim’s computer. The use of AI capabilities for optical character recognition (OCR) in Rhadamanthys adds another layer of sophistication to the malware, allowing it to scan for specific files, including cryptocurrency wallet seed phrases.
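As an added defender-side example (not code from the article or from the researchers it cites), a Python triage heuristic a mail gateway could run over an archive attachment: it reads only the member listing and the first bytes of each file, never executing anything, and flags the decoy-document plus executable plus DLL bundle described above. It goes a little beyond the article by also flagging an MSI payload and a PE "MZ" header hiding under a document extension; all file names and archive contents are constructed.

```python
import io
import zipfile

# Extension groups for the attachment bundle described in the article.
DECOY_DOC = {".pdf", ".doc", ".docx"}
EXECUTABLE = {".exe", ".scr", ".com"}
LIBRARY = {".dll"}
INSTALLER = {".msi"}  # MSI delivery noted by Cisco Talos / Insikt Group
RUNNABLE = EXECUTABLE | LIBRARY | INSTALLER

def _ext(name: str) -> str:
    """Lower-cased extension of an archive member, including the dot."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""

def triage_archive(zip_bytes: bytes) -> dict:
    """Inspect an archive attachment's listing and file headers; never runs contents."""
    reasons, names, exts = [], [], set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            names.append(info.filename)
            ext = _ext(info.filename)
            exts.add(ext)
            # PE files begin with "MZ"; a document extension over a PE is a disguise.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ" and ext not in RUNNABLE:
                    reasons.append(f"{info.filename}: PE header under a non-executable extension")
    if exts & EXECUTABLE and exts & LIBRARY:
        reasons.append("executable packaged with a DLL (possible side-loading bundle)")
    if exts & DECOY_DOC and exts & (EXECUTABLE | INSTALLER):
        reasons.append("document shipped alongside a runnable payload (decoy pattern)")
    return {"suspicious": bool(reasons), "reasons": reasons, "members": names}

def build_sample_zip(members: dict) -> bytes:
    """Build a constructed test archive in memory; member contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples mirroring the described attachment; not real malware.
PHISH_ZIP = build_sample_zip({"Copyright_Notice.pdf": b"%PDF-1.4 decoy",
                              "Notice_Viewer.exe": b"MZ dummy", "helper.dll": b"MZ dummy"})
BENIGN_ZIP = build_sample_zip({"invoice.pdf": b"%PDF-1.4 text", "terms.txt": b"plain text"})
```

Calling `triage_archive(PHISH_ZIP)` returns two reasons (executable with DLL, document beside a runnable payload), while the benign archive returns none.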
Security researchers have noted that the AI capabilities used in Rhadamanthys are not as advanced as more recent models and are prone to errors. Despite this, the malware is still effective in stealing credentials, passwords, cookies, and other valuable data from victims. The phishing campaign has targeted organizations in countries such as the US, Israel, South Korea, and Spain, among others.
While previous suspicions pointed to state-sponsored actors behind the Rhadamanthys malware, Check Point Software suggests that lower-level criminals are the true operators due to the indiscriminate targeting and financially motivated tactics. Researchers at Cisco Talos and Recorded Future’s Insikt Group have published their analyses of the malware, highlighting the use of MSI files to execute malicious code and evade defense systems.
Defenders are advised to prioritize automation and AI in their defense strategies to counteract these phishing campaigns effectively. Technical details and indicators of compromise for detecting Rhadamanthys are available on the researchers’ blogs, providing essential information for organizations to protect themselves against this evolving threat. The use of sophisticated malware like Rhadamanthys serves as a reminder of the importance of staying vigilant and implementing robust cybersecurity measures to safeguard sensitive data from cybercriminals.