BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Rhadamanthys

65
Global rank
21 infographic chevron month
Month rank
16 infographic chevron week
Week rank
959
IOCs

Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes.

Stealer
Type
Unknown
Origin
26 September, 2022
First seen
16 April, 2024
Last seen

How to analyze Rhadamanthys with ANY.RUN

Type
Unknown
Origin
26 September, 2022
First seen
16 April, 2024
Last seen

IOCs

IP addresses
91.202.233.180
217.63.234.90
185.196.10.233
94.156.8.44
31.41.244.38
195.123.219.158
195.3.223.120
95.111.233.125
189.245.155.48
45.15.159.42
81.17.28.78
190.140.74.43
138.36.3.134
189.245.97.177
187.156.109.2
187.224.55.97
87.251.64.231
142.11.236.5
187.233.22.167
185.246.220.89
Hashes
1682a7f8f229e62c379fca3c6c989c748aef985e51fc6bcf76d06bde9b0484cf
e58e023032ae186acf32d80de52ae9878769f04f77ae6a3f8c28d549ad8e027f
60270e5c73ce8d344f09199e0cf262f46f121297d09b0ed02dedd102d10a2ab7
144b7fd5df09138c65c2357069d9522d78d4c77d77cfae9cdc33c727ff5ee2ad
385708ac9f7910f40d80fd20b03ea9f307684f879c170c9b8394153782125a05
bb99d82c785b174928e89e5895121c562b14888d03ca61ff93c0050af87b07fc
aea15de1d2755ed033575ffd61efc47489500d5eb80d790a5764b8c778f43806
8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f
e98666fc150e5d345ed957a4755bcb23529d17977c8da9920faaff25003f561d
7e7d63e3a65bdc7258d659d77b1e66ce07c834ba2897886682e383babfc68da6
24773d9f2d30534f3936dfecd045fc88176c22b748153ca3d7e7d09c88df5555
b6fbf6a0edd6938b1f202feec419341d21d47731ca16fa5b5eabe2672d24a454
92f8ab34d7e6a41dd7bfbfdedf73269950aba3f0ff0a8fec0aea049c81024cc6
ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6
64185e173d29c3c572c8ee4d0091aa8f500abf4c6083fd4a1596eb07420ed526
a8bcfa2b1f2c5da8ca82f364a2c0571cb173e71ccdfbb7c6e7614ed29d5495a2
8e5cce74ef320ec2ee182f1b0dee059fc63e671d3644a30e4104e87adc4a045f
b6fb589ad00fe12ff513ce95b756326ff3f0039fdfe29a27ec48f5b6b14e4ec9
20961f62913589b49b94b752bf24dea490fd3b420ee095b427f57cf4b5213bfa
6b30a9e2970db8c1ee23e6337c427889b132c416a26ad99c61d2a11791ee79bf
Domains
applereports.ddns.net
mail.officeemailbackup.com
indscpm.xyz
virtualbse.com
daikenn.club
mycasemembers.icu
8002.motorline.pw
inatekrin.ink
inkscapeapps.com
styleselect.com
elon-first.com
expresswebstores.com
duinvest.info
installwebex.online
bolibachan.com
scanner-ip-adv.com
installwebex.com
gptchatdownload.com
duncan-technologies.net
bedispio.wiki
URLs
http://162.33.178.106/gjntrrm/zznb2o.hgfq
http://179.43.142.201/img/favicon.png
http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd
http://amx155.xyz/a6ba5b1ae6dec5f7c/j5e4ok98.h44x9
http://212.193.30.32/upload/libssl.dll
http://193.42.33.123:443/wgetlist/in60fc.j42a
http://31.220.57.50/abctop/oy7xup.thms
http://8002.motorline.pw/api/9wcnem.x0vs
http://79.137.195.45:8080/api/purple
http://perfecto.ac.ug/ggkanor/0mv8dc.bqmu
http://185.224.129.51:8080/modlib/79q4x9.fkc9
http://8002.motorline.pw/api/mpnz0d.fxbz
http://185.224.129.51:8080/modlib/o6u3ke.661c
http://turkie.ac.ug/url/yk/rem.exe
http://api.mylangroups.com/api/59ywc1.5oic
http://144.76.33.241/fredom/YTmeta.api
http://185.224.129.51:8080/modlib/8q85xm.zmam
http://79.137.195.45:8080/api/magic
http://79.137.195.45:8080/api/hello
http://79.137.195.45:8080/api/CRYPTORPROLIV
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q1, 2024
watchers 156
comments 0
post image
Understand Encryption in Malware: From Basics...
watchers 547
comments 0
post image
ANY.RUN for Enterprises: Learn About Our Most...
watchers 298
comments 0

What is Rhadamanthys Stealer Malware

First observed in late 2022, Rhadamanthys is an advanced info-stealer that targets Windows platforms. It is distributed through the malware-as-a-service (MaaS) model. This, in conjunction with its extremely robust and diverse malicious capabilities contributes to the rising popularity of this malware.

Similar to threats like RedLine or Raccoon, utilizing this new strain, threat actors can extract user passwords and exfiltrate sensitive data from infiltrated systems. The info-stealer also presents a significant threat to various cryptocurrency platforms, where it's employed to seize user credentials and wallets.

Certain indicators suggest that Rhadamanthys stealer has the potential to evolve into a pervasive threat. Notably, the malware's initial launch demonstrated signs of meticulous planning. The individual who first introduced it on an underground forum, operating under the pseudonym "kingcrete2022", began building his account's reputation well in advance of the release announcement. This proactive strategy aimed to establish credibility and set the stage for the malware's introduction.

The tactic proved successful, as the debut post, which promoted Rhadamanthys as a "first-class" stealer, quickly gained momentum and attracted attention in the underground community.

As it stands, Rhadamanthys indiscriminately attacks targets worldwide, even reaching into the territories of the former USSR. The malware has been identified in several malicious spam and Google Ads campaigns, but more on this later in the article.

It should be noted, that Rhadamanthys stealer employs a design philosophy that aims to incorporate an expansive list of features. These features are not strategically targeted but rather prioritize extensive capability. For example, malware is, rather unnecessarily, equipped with capabilities to steal data from web browsers such as KMeleon and Pale Moon, and to steal cryptocurrency from obscure browser extensions like Firefox's Auvitas Wallet.

In terms of system information extraction, Rhadamanthys can capture a wide array of data. This includes:

-Computer name, username, RAM capacity, CPU cores, screen resolution

-Installed software, cookies, browsing history

-Saved credit cards and other sensitive information

Furthermore, Rhadamanthys targets credentials from a vast range of sources: FTP clients like Cyberduck and TotalCommander, mail clients such as Outlook and Thunderbird, and password managers like RoboForm and KeePass. It also has the capacity to extract information from VPN services, note-taking applications, messenger applications, and other services like Steam, TeamViewer, and SecureCRT.

Rhadamanthys shows a particular interest in cryptocurrency. One of its version updates had nearly half of its new features dedicated to exfiltrating and cracking cryptocurrency wallets. The list of targeted wallets is quite extensive and includes Auvitas, BitApp, Crocobit, Exodus, Finnie, ICONex, Metamask, and more.

In addition to the automatic actions, Rhadamanthys also allows for direct intervention by attackers. The malware offers a functionality to push new configurations to the “file grabbing” module, allowing specific files to be exfiltrated. For a more hands-on approach, attackers can execute hand-crafted PowerShell scripts on the victim machine. This added flexibility provides a high degree of control over the infected system.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Rhadamanthys Stealer Technical Details

Written in C++, Rhadamanthys employs a number of sophisticated techniques to ensure its stealth and efficacy. Its operational chain is usually divided into three components:

-the Dropper,

-the Rhadamanthys Loader (second shellcode)

-and the Rhadamanthys Stealer (Nsis module).

In one attack observed the wild, the Dropper initiated the process by executing the shellcode through a callback function. This bypassesed common security measures that track shellcode execution methods like CreateThread or CreateRemoteThread.

Next, the Rhadamanthys Loader, or the second shellcode, comes into play. This shellcode uses several evasion methods. It manipulates exception handling to maintain low visibility, creates a Mutex to simulate legitimate processes, and unhooks API calls to avoid detection. In addition to these, it is responsible for decrypting the malware configuration and managing its network functions.

Lastly, the Rhadamanthys Stealer, or the Nsis module, is activated. Some samples have the ability to manipulate AVAST’s AMSI-related modules to avoid detection. It is this component that ultimately executes the data theft.

Rhadamanthys Stealer Dynamic Analysis

Being a stealer, Rhadamanthys tries to operate as secretively as possible, remaining under the radar and avoiding detection. The malicious activity starts right after infection — Rhadamanthys extracts information from the system and tries to send it to the Command & Control servers.

The execution chain may vary a little — some versions of the Trojan have the ability to inject into system processes, while others simply execute themselves.

It also may delay execution and sleep for some time after infection or use utilities like PowerShell to run commands.

Rhadamanthys’s network traffic Rhadamanthys’s network traffic

Thanks to the network packets structure, Rhadamanthys can be detected by Suricata rules.

Rhadamanthys Stealer Distribution Methods

Rhadamanthys info-stealer employs a couple of key strategies to infiltrate systems. One of its infamous шstribution techniques involves hijacking Google ads, where it covertly replaces the original content with a link to the malware.

It also uses phishing webpages and malicious spam for propagation. In malspam campaigns, a PDF file triggers victims to download the malware. The PDF file was observed presenting a fake Adobe Acrobat DC software update prompt which, when clicked, initiates the execution of the malware.

In phishing-based distribution, the malware creators build fake webpages mimicking legitimate services like Zoom or AnyDesk. Links to these fraudulent sites are then spread via Google ads. These malicious sites facilitate the download of the Rhadamanthys infostealer disguised as a legitimate installer. Consequently, the target unknowingly downloads the malware without noticing the infection.

Conclusion

Boasting an extensive stealing feature set that may well be unmatched among similar types of malware, Rhadamanthys has the potential to emerge as a significant threat in the cybersecurity landscape. We strongly recommend analysts to delve into this threat while it's still relatively new on the scene.

Conveniently, dynamic analysis of Rhadamanthys can be easily carried out on platforms such as ANY.RUN — our cloud interactive sandbox allows for a deeper understanding of its execution process and facilitates the collection of valuable Indicators of Compromise (IOCs).

Investigating the nuances of Rhadamanthys not only aids in its containment but also prepares us for future threats that may adopt a similar design strategy.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy