Verticals Targeted: Oil & Gas, Energy, Critical Infrastructure
Executive Summary
Rhadamanthys infostealer was recently observed in a high-volume phishing campaign targeting the oil and gas sector.
Key Takeaways
- Rhadamanthys, an infostealer, is malware as a service (MaaS) available on the dark web.
- It was recently observed targeting the oil and gas sector, making it a threat to critical infrastructure.
- The campaign leverages a high volume of phishing.
- Rhadamanthys was recently updated, with industry reports from January detailing the malware’s new features.
What is Rhadamanthys?
Rhadamanthys, an infostealer, is malware as a service (MaaS) available on the dark web. It was recently observed targeting the oil and gas sector, making it a threat to critical infrastructure. Cofense recently reported on this activity.
Rhadamanthys was recently updated, with industry reports from January detailing the malware’s new features. The campaign, which leverages a high volume of phishing, uses the updated version of Rhadamanthys. Cofense noted the campaign began within days of the Operation Chronos takedown of LockBit. Cofense researchers also stated that it is unusual to see such an obscure malware family being used in such an advanced campaign.
The campaign’s phishing emails use a vehicle incident report lure to trick victims into clicking an embedded link. The link abuses an open redirect on a legitimate domain, starting a series of redirects that lands the victim on an interactive PDF file hosted on docptypefinder[.]info. The PDF is a clickable image that reaches out to a GitHub repository, which in turn serves a ZIP archive containing the Rhadamanthys executable. When the victim launches the executable, the stealer unpacks itself and connects to its C2.
Rhadamanthys, which is written in C++, was first seen in the wild in 2022. It targets Windows systems on both x86 and x64 architectures. It consists of two components: a loader and the main module, which exfiltrates the stolen credentials. Rhadamanthys steals credentials, cryptocurrency wallets, and other sensitive information, such as device information and documents, and sends it to the C2. The recent Rhadamanthys update lets threat actors customize the malware’s behavior and adds anti-security and anti-analysis measures as well as the ability to exploit vulnerabilities.
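The delivery chain above starts with an open redirect on a legitimate domain. The following added example, which is not code from the report or from PolySwarm, shows how a defender can flag that pattern in web-proxy logs: it marks URLs whose query string forwards to a different host, and separately marks any URL touching the domain named in the report. The log format and the example.com / .example hosts are constructed placeholders.

```python
# Added example, not code from the original report: flag proxy-log URLs whose
# query string forwards to another host (the open-redirect pattern in the
# described lure) and URLs touching the domain the report names.
from urllib.parse import urlsplit, parse_qsl

# Domain from the report, with the defanged "[.]" restored for matching.
KNOWN_HOSTS = {"docptypefinder.info"}

def redirect_targets(url):
    """Hosts named in query values that are URLs pointing off the serving host."""
    parts = urlsplit(url)
    targets = []
    for _, value in parse_qsl(parts.query):
        if value.startswith("//"):            # protocol-relative redirect
            value = f"{parts.scheme}:{value}"
        if not value.lower().startswith(("http://", "https://")):
            continue                          # plain text, not a URL
        host = urlsplit(value).hostname
        if host and host != parts.hostname:   # same-host forwards are benign
            targets.append(host)
    return targets

def classify(url):
    """'known-ioc' for a reported host, 'open-redirect' for off-site forwards, else 'ok'."""
    targets = redirect_targets(url)
    hosts = {urlsplit(url).hostname, *targets}
    if hosts & KNOWN_HOSTS:
        return "known-ioc"
    return "open-redirect" if targets else "ok"

def scan(log_lines):
    """Constructed log format '<timestamp> <client-ip> <url>'; returns non-'ok' hits."""
    findings = []
    for line in log_lines:
        fields = line.split(maxsplit=2)
        if len(fields) == 3 and (verdict := classify(fields[2])) != "ok":
            findings.append((fields[1], verdict, fields[2]))
    return findings

# Constructed sample lines; example.com/.example hosts are placeholders.
SAMPLE_LOG = [
    "2024-03-01T10:01:02Z 10.0.0.5 https://legit.example.com/track?next=https://lure-placeholder.example/step1",
    "2024-03-01T10:01:03Z 10.0.0.5 https://docptypefinder.info/incident-report.pdf",
    "2024-03-01T10:01:04Z 10.0.0.7 https://legit.example.com/search?q=vehicle+incident",
    "2024-03-01T10:01:05Z 10.0.0.9 https://legit.example.com/go?u=//legit.example.com/home",
]
if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{verdict:13} {client:9} {url}")
```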
IOCs
PolySwarm has multiple samples of Rhadamanthys. You can use the following CLI command to search for all Rhadamanthys samples in our portal:
$ polyswarm link list -f Rhadamanthys