Rhadamanthys Stealer: MaaS Malware Hits Oil & Gas

Rhadamanthys Stealer campaign
Vehicle incident-themed phishing email delivering Rhadamanthys Stealer

Cofense Intelligence has identified a highly advanced phishing campaign aimed directly at the Oil and Gas sector. This campaign delivers the Rhadamanthys Stealer, an advanced Malware-as-a-Service (MaaS), through a complex and deceptive strategy that includes a unique vehicle incident lure, spoofing the Federal Bureau of Transportation. Occurring in the wake of the LockBit Ransomware group’s takedown by law enforcement, this campaign showcases the evolving threat landscape and the lengths to which cybercriminals will go to infiltrate industry-specific targets.

Breakdown of the Attack

Infection chain of the phishing campaign | Image: Cofense

The campaign, discovered on February 21st, 2024, employs an array of sophisticated tactics, techniques, and procedures (TTPs) designed to circumvent secure email gateways (SEGs) and other security defenses, ensuring high success rates in email delivery to targets. This orchestrated attack not only indicates a high level of premeditation but also highlights the continuous innovation among threat actors.

Key aspects of this campaign include:

Vehicle incident-themed phishing email delivering Rhadamanthys Stealer | Image: Cofense

  • Unique Lures and Spoofs: Utilizing a vehicle incident as a lure, the phishing emails in later stages spoof the Federal Bureau of Transportation, complete with mentions of significant fines, to elicit urgent responses from recipients. Each phishing email is carefully worded to create a sense of panic and urgency. Subject lines like “Urgent: Incident Implicating Your Car” and “Attention Needed: Your Vehicle’s Collision” are combined with phrases like “immediate,” “required,” and “legal action” to make victims act quickly, without careful consideration.
  • Disguising Malicious Intent: To bypass security filters, attackers leverage open redirects on trusted Google domains like Google Maps and Google Images. They further employ URL shorteners, transforming long, suspicious-looking links into seemingly harmless, shortened versions.
  • Impersonating Authority: The pinnacle of their deception lies in a spoofed PDF document masquerading as an official notice from the Federal Bureau of Transportation. This document details a fictitious incident and threatens hefty fines, adding an extra layer of intimidation.

Rhadamanthys Stealer: A Potent Data Thief

Rhadamanthys Stealer stands out in the crowded field of information-stealing malware due to its sophistication and recent upgrades, including improved stealing capabilities and evasion tactics. Offered as a MaaS, it represents a potent tool for cybercriminals targeting sensitive information, such as credentials and cryptocurrency wallets.

The timing of this campaign, shortly following the law enforcement takedown of the notorious LockBit ransomware group, suggests a potential shift in tactics. Threat actors previously relying on LockBit’s RaaS (Ransomware-as-a-Service) model may now be turning to other malware distribution methods, including info-stealers like Rhadamanthys.

Call to Action

Organizations in the Oil & Gas sector must take immediate action to review security protocols, educate their workforce, and patch systems to mitigate the risk of this advanced threat. This campaign serves as a warning to all industries that threat actors are constantly evolving their methods – requiring continuous vigilance and a multi-layered security approach.