The threat actors behind Rhadamanthys promote two other tools on their website, called the Elysium Proxy Bot and Crypt Service, despite being updated to support the ability of flagship information steelers to collect fingerprints and more on their devices and web browsers.
“Rhadamanthys was initially promoted through a post on the Cybercrime Forum, but it soon became clear that the author had more ambitious plans to connect with potential customers and build visibility.
First promoted by a threat actor named Kingcrete2022, Rhadamanthys has emerged as one of the most popular information steelers available under Lumma, Vidar, Stealc, and more recently Lumma, Vidar, Stealc, and more recently Malware as a Service (MAAS) model. The current version of Steeler is 0.9.2.
Over the years, steelers’ capabilities have gone far beyond simple data collection, representing a comprehensive threat to personal and corporate security. In an analysis of malware version 0.7.0 last October, recorded Future detailed the addition of a new artificial intelligence (AI) feature in optical character recognition (OCR) to capture cryptocurrency wallet seed phrases.
The latest findings from Checkpoint show that threat actors are rebranding themselves as “RHAD Security” and “Mythical Origin Lab” and selling what they offer as “intelligent solutions for innovation and efficiency.”
Rhadamanthys offers three tiered packages, starting from a self-hosted version of $299 per month to $499 per month with additional perks like preferred technical support, servers, and advanced API access. Leads can also purchase enterprise plans by contacting their sales team directly.
“The combination of branding, product portfolio and pricing structures suggests that the authors treat Rhadamanthys as a long-term business venture rather than a side project,” Hasherezade said. “For advocates, this specialization shows that Rhadamanthys, which has a customer base and a growing ecosystem, is likely to stay here, indicating that it is important to track not only malware updates, but also the business infrastructure that maintains it.”
Like Lumma version 4.0, Rhadamanthys version 0.9.2 includes the ability to prevent leaking artifacts from leaking by showing users alerts that allow them to complete the malware execution without harming the running machine.
This is done to prevent malware distributors from spreading early executables into their plain-unprotected formats, in order for malware distributors to reduce detection efforts and infect systems in the process. That being said, the alert messages may be the same for both steelers, but the implementation is completely different, and the checkpoint suggests “surface-level imitation.”
“In Lumma, opening and reading files is implemented via Raw Syscalls, and message boxes are performed via Ntraiseharderror.” “In Rhadamanthys, raw syscalls are not used and the same messagebox is displayed by messageboxw. Both loaders are obfuscated, but the obfuscation pattern is different.”
Other updates to Rhadamanthys include minor adjustments to the custom XS format used to ship executable modules, and checks performed to see if the malware needs to continue running on the host, and the obfuscated configuration is embedded. The changes also extend to obfuscating the name of the module and flying under the radar.
One of the modules previously known as Strategy is responsible for a series of environmental checks to ensure that they are not running in a sandbox environment. Additionally, it checks the running process against a list of prohibited processes, retrieves the current wallpaper, and checks it against hardcoded ones representing the triage sandbox.
It also checks whether the current username matches something similar to what is used for the sandbox, checks whether the machine’s HWID (hardware identifier) is compared to a predefined list, and checks for the presence of the sandbox. Only when all these checks are passed will the sample establish a connection with the Command and Control (C2) server to get the core components of the Steeler.
The payload is hidden using extracted, decrypted, and launched steganography techniques, either as WAV, JPEG, or PNG files. It is worth noting that decrypting a package from a PNG requires an agreed shared secret at the early stages of C2 communication.
The Stealer module incorporates a LUA runner that provides additional plugins written in a programming language to facilitate data theft and to implement fingerprints on a wide range of devices and browsers.
“The latest variants represent evolution rather than revolution. Analysts should update their configuration parsers, monitor PNG-based payload delivery, track changes in Mutex and bot ID formats, and hope for further cancellation of obfuscation as the tools catch up,” Check Point said.
“Currently, development is slower and more stable. The core design remains intact, focusing on improvements such as new steeler components, changing obfuscation and more advanced customization options.”
Source link
