The PolySwarm Blog


Rhadamanthys Targeting ONG Sector

Mar 8, 2024 1:36:26 PM / by The Hivemind

RHADAMANTHYS

Verticals Targeted: Oil & Gas, Energy, Critical Infrastructure

Executive Summary

Rhadamanthys infostealer was recently observed in a high-volume phishing campaign targeting the oil and gas sector.

Key Takeaways

  • Rhadamanthys, an infostealer, is malware as a service (MaaS) available on the dark web.
  • It was recently observed targeting the oil and gas sector, making it a threat to critical infrastructure. 
  • The campaign leverages a high volume of phishing.
  • Rhadamanthys was recently updated, with industry reports from January detailing the malware’s new features. 

What is Rhadamanthys?

Rhadamanthys, an infostealer, is malware as a service (MaaS) available on the dark web. It was recently observed targeting the oil and gas sector, making it a threat to critical infrastructure. Cofense recently reported on this activity.

Rhadamanthys was recently updated, with industry reports from January detailing the malware's new features. The campaign, which leverages a high volume of phishing, uses the updated version of Rhadamanthys. Cofense noted the campaign began within days of the Operation Cronos takedown of LockBit. Cofense researchers also stated that it is unusual to see such an obscure malware family used in such an advanced campaign.

The campaign's phishing emails use a vehicle incident report lure to trick victims into clicking an embedded link. The link abuses an open redirect on a legitimate domain, which starts a series of redirects that land the victim on an interactive PDF hosted on docptypefinder[.]info. Because the first hop is a legitimate domain, reputation filtering of the email link alone does not catch it. The PDF is a clickable image that reaches out to a GitHub repository and downloads a ZIP archive containing the Rhadamanthys executable. When the victim launches the executable, the stealer unpacks itself and connects to its C2.

Rhadamanthys, which is written in C++, was first seen in the wild in 2022. It targets Windows systems on both x86 and x64 architectures. It consists of two components: a loader and the main module, which collects the stolen data and exfiltrates it. Rhadamanthys steals credentials, cryptocurrency wallets, and other sensitive information, such as device information and documents, and sends it to the C2. The recent update lets threat actors customize the malware's behavior and adds anti-security and anti-analysis measures as well as the ability to exploit vulnerabilities.

IOCs

PolySwarm has multiple samples of Rhadamanthys. SHA256 hashes:


9d3e7d4692c6af50fd2a5f53aadff9af93494ec76523ecb5d8d58c0bb7239f0d

5578a78576a35a6a95c8a5372e7d498fd4d2a4d5d7abe7369a14307d578192c6

7cebc71cd9ea4bb12f67f86c200dc086e29601b2d1d31e75eac4b0ec5ef3ccb5

c92a1c008e7e1eb7e62a0dd9ce5951d4e1de4fb27361e0f245d51411f83e0085

1c7476c33f0d56e970dbfad87da96739d74bbd1928c4a044715ea75f61e72192

bdf72e1c0964b7a7b96651b278b6f8d4b42849c01ff2aa6c6844b5ac2a893f3b

c27c1e00bb778d222efa52a9dbb9335230052cd7eaacf34a8d28b4436aae580c

973f7971abc77c643b2026791672927cabf7bc8f0122f72364c95fbb192dc96a


You can use the following CLI command to search for all Rhadamanthys samples in our portal:

$ polyswarm link list -f Rhadamanthys


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Critical Infrastructure, Stealer, Phishing, Energy, ONG, Oil & Gas, Rhadamanthys
