New Cyber Threat: RHADAMANTHYS Infostealer Targets Israel
In the realm of cyber threats, a new malicious campaign has emerged targeting users in Israel, employing the advanced RHADAMANTHYS infostealer malware. This malware poses a significant threat to organizations and individuals, showcasing sophisticated infection methods and powerful data theft capabilities.
RHADAMANTHYS first appeared in late 2023 and spread rapidly on underground cybercriminal forums under the MaaS (Malware-as-a-Service) model. The malware is named after the mythological figure Rhadamanthus, a judge of the dead, a reference to its data-collecting abilities.
The attack starts with a meticulously crafted phishing email in Hebrew. The message, disguised as coming from well-known Israeli media outlets “Calcalist” and “Mako,” contains an urgent copyright infringement notice. The email is written in professional language, mimicking business correspondence, and urges action within 24 hours. Attached is a RAR archive, disguised as important legal documents.
Upon unpacking the archive, the potential victim is presented with three components: an executable file with a Hebrew name, a DLL file “msimg32.dll,” and an auxiliary file of 142.8 MB.
When the executable file is opened, a multi-stage infection process begins. The malware checks for the presence of analysis tools on the system and uses methods to evade them. It then injects its code into legitimate Windows processes; researchers observed injection into “OpenWith.exe,” “OOBE-Maintenance.exe,” and “dllhost.exe.”
The malware quickly detects virtual machines and debuggers, using time delays to bypass sandboxes. It also makes changes to the Windows registry to ensure it runs at every system startup.
Notable malicious functions of RHADAMANTHYS include the collection of passwords, cryptocurrency wallet data, system information, office documents, screenshots, and keystrokes.
RHADAMANTHYS uses encrypted communication channels to interact with command servers. The primary server in the observed campaign was located at IP address 103.68.109.208, using ports 443 and 1630.
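The behaviours described above (a DLL named "msimg32.dll" loaded from the unpacked archive, injection into OpenWith.exe / OOBE-Maintenance.exe / dllhost.exe, a registry Run-key write for persistence, and outbound connections to 103.68.109.208 on ports 443 or 1630) can be turned into a simple endpoint-log sweep. The following script is an added example, not code from the article or from any researcher it cites. It uses only the indicators the article reports; the key=value event format, the sample log lines and the executable name "notice.exe" (standing in for the Hebrew-named executable) are constructed for illustration and do not correspond to any real EDR schema.

```python
import ntpath
import re
from dataclasses import dataclass

# Indicators taken from the article: C2 address and ports, the DLL shipped in
# the archive, and the legitimate processes the malware injects into.
C2_IP = "103.68.109.208"
C2_PORTS = {443, 1630}
SIDELOAD_DLL = "msimg32.dll"
INJECTION_TARGETS = {"openwith.exe", "oobe-maintenance.exe", "dllhost.exe"}
# Directories where a genuine msimg32.dll normally lives; a copy loaded from
# anywhere else (e.g. next to an unpacked archive) is the sideloading pattern.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed key=value event format (hypothetical, not a real EDR schema).
NET_RE = re.compile(r"type=net\s+proc=(?P<proc>\S+)\s+dst=(?P<ip>[\d.]+):(?P<port>\d+)")
IMG_RE = re.compile(r"type=imageload\s+proc=(?P<proc>\S+)\s+image=(?P<image>\S+)")
REG_RE = re.compile(r"type=regset\s+proc=(?P<proc>\S+)\s+key=(?P<key>\S+)")
INJ_RE = re.compile(r"type=inject\s+src=(?P<src>\S+)\s+target=(?P<target>\S+)")


@dataclass
class Finding:
    line_no: int
    rule: str
    actor: str   # process the behaviour is attributed to (lower-cased path)
    detail: str


def scan(lines):
    """Return one Finding per log line that matches an article-derived indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        if m := NET_RE.search(line):
            if m["ip"] == C2_IP and int(m["port"]) in C2_PORTS:
                findings.append(Finding(n, "c2_connection", m["proc"].lower(),
                                        f"{m['ip']}:{m['port']}"))
        elif m := IMG_RE.search(line):
            image = m["image"].lower()
            # Only flag msimg32.dll when it is loaded from outside the system directories.
            if ntpath.basename(image) == SIDELOAD_DLL and not image.startswith(TRUSTED_DLL_DIRS):
                findings.append(Finding(n, "dll_sideload", m["proc"].lower(), image))
        elif m := REG_RE.search(line):
            # Run-key writes are common for legitimate software: a weak signal on its own.
            if RUN_KEY_RE.search(m["key"]):
                findings.append(Finding(n, "run_key_persistence", m["proc"].lower(), m["key"]))
        elif m := INJ_RE.search(line):
            # Attribute the injection to the source process, not the victim process.
            if ntpath.basename(m["target"].lower()) in INJECTION_TARGETS:
                findings.append(Finding(n, "process_injection", m["src"].lower(), m["target"]))
    return findings


def triage(findings, min_rules=2):
    """Group findings by actor; keep only actors that tripped several distinct rules,
    so a lone Run-key write by an updater does not page anyone."""
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f.actor, set()).add(f.rule)
    return {actor: sorted(rules) for actor, rules in by_actor.items() if len(rules) >= min_rules}


# Constructed sample log: the infection chain interleaved with benign noise.
SAMPLE_LOG = [
    r"2024-01-01T10:00:01 type=imageload proc=C:\Users\victim\Downloads\legal\notice.exe image=C:\Users\victim\Downloads\legal\msimg32.dll",
    r"2024-01-01T10:00:02 type=imageload proc=C:\Windows\explorer.exe image=C:\Windows\System32\msimg32.dll",
    r"2024-01-01T10:00:03 type=inject src=C:\Users\victim\Downloads\legal\notice.exe target=C:\Windows\System32\OpenWith.exe",
    r"2024-01-01T10:00:04 type=regset proc=C:\Windows\System32\OpenWith.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"2024-01-01T10:00:05 type=net proc=C:\Windows\System32\OpenWith.exe dst=103.68.109.208:1630",
    r"2024-01-01T10:00:06 type=net proc=C:\Users\victim\browser.exe dst=93.184.216.34:443",
    r"2024-01-01T10:00:07 type=regset proc=C:\Users\victim\AppData\Local\Updater\updater.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.rule} by {h.actor} ({h.detail})")
    print("actors needing investigation:", triage(hits))
```

The sideloaded DLL and the injection are attributed to the dropped executable, while the persistence write and the C2 connection are attributed to the injected OpenWith.exe, so `triage` surfaces both stages of the chain; the legitimate System32 copy of msimg32.dll and the updater's Run-key write produce no escalation on their own.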
To protect against RHADAMANTHYS, it is recommended to implement reliable email filters, use sandboxes for analyzing attachments, conduct regular employee training on phishing, employ modern endpoint protection solutions, restrict lateral movement within the network, regularly back up data, install all updates and patches, and use multi-factor authentication.
The emergence of RHADAMANTHYS underscores the growing professionalism in the cybercriminal ecosystem and the need for constant vigilance. The malware represents a serious threat, demonstrating sophisticated data theft methods and evasion of security mechanisms.