A sneaky new info stealer is sliding onto user machines via website redirects from Google Ads that pose as download sites for popular remote-workforce software, such as Zoom and AnyDesk.

Threat actors behind the new malware strain, "Rhadamanthys Stealer" — available for purchase on the Dark Web under a malware-as-a-service model — are using two delivery methods to propagate their payload, researchers from Cyble revealed in a blog post published Jan. 12.

One is through carefully crafted phishing sites that impersonate download sites not only for Zoom but also AnyDesk, Notepad++, and Bluestacks. The other is through more typical phishing emails that deliver the malware as a malicious attachment, the researchers said.

Both delivery methods pose a threat to the enterprise, as phishing combined with human gullibility on the part of unsuspecting corporate workers continues to be a successful way for threat actors "to gain unauthorized access to corporate networks, which has become a serious concern," they said.

Indeed, an annual survey by Verizon on data breaches found that in 2021, about 82% of all breaches involved social engineering in some form, with threat actors preferring to phish their targets via email more than 60% of the time.

"Highly Convincing" Scam

Researchers detected a number of phishing domains that the threat actors created to spread Rhadamanthys, most of which appear to be legitimate installer links for the various aforementioned software brands. Some of the malicious links they identified include: bluestacks-install[.]com, zoomus-install[.]com, install-zoom[.]com, install-anydesk[.]com, and zoom-meetings-install[.]com.

"The threat actors behind this campaign … created a highly convincing phishing webpage impersonating legitimate websites to trick users into downloading the stealer malware, which carries out malicious activities," they wrote.

If users take the bait, the websites will download an installer file disguised as a legitimate installer to download the respective applications, silently installing the stealer in the background without the user knowing, the researchers said.

In the more traditional email aspect of the campaign, attackers use spam that leverage the typical social engineering tool of portraying an urgency to respond to a message with a financial theme. The emails purport to be sending account statements to recipients with a Statement.pdf attached that they are advised to click on so they can reply with an "immediate response."

If someone clicks on the attachment, it displays a message indicating that it's an "Adobe Acrobat DC Updater" and includes a download link labelled "Download Update." That link, once clicked on, downloads a malware executable for the stealer from the URL "https[:]\\zolotayavitrina[.]com/Jan-statement[.]exe" into the victim machine's Downloads folder, the researchers said.

Once this file is executed, the stealer is deployed to lift sensitive data such as browser history and various account log-in credentials — including specific technology to target crypto-wallet — from the target's computer, they said.

The Rhadamanthys Payload

Rhadamanthys acts more or less like a typical info stealer; however, it does have some unique features that researchers identified as they observed its execution on a victim's machine.

Though its initial installation files are in obfuscated Python code, the eventual payload is decoded as a shellcode in the form of a 32-bit executable file compiled with Microsoft visual C/C++ compiler, the researchers found.

The shellcode's first order of business is to create a mutex object aimed at ensuring that only one copy of the malware is running on the victim's system at any given time. It also checks to see if it's running on a virtual machine, ostensibly to prevent the stealer from being detected and analyzed in a virtual environment, the researchers said.

"If the malware detects that it is running in a controlled environment, it will terminate its execution," they wrote. "Otherwise, it will continue and perform the stealer activity as intended."

That activity includes collecting system information — such as computer name, username, OS version, and other machine details — by executing a series of Windows Management Instrumentation (WMI) queries. That's followed up by a query of the directories of the installed browsers — including Brave, Edge, Chrome, Firefox, Opera Software, and others — on the victim’s machine to search for and steal browser history, bookmarks, cookies, auto-fills, and login credentials.

The stealer also has a specific mandate to target various crypto wallets, with specific targets such as Armory, Binance, Bitcoin, ByteCoin, WalletWasabi, Zap, and others. It also steals data from various crypto-wallet browser extensions, which are hardcoded in the stealer binary, the researchers said.

Other applications targeted by Rhadamanthys are: FTP clients, email clients, file managers, password managers, VPN services, and messaging apps. The stealer also captures screenshots of the victim’s machine. The malware eventually sends all the stolen data to the attackers' command-and-control (C2) server, the researchers said.

Dangers to the Enterprise

Since the pandemic, the corporate workforce has become overall more geographically dispersed, posing unique security challenges. Software tools that make it easier for remote workers to collaborate — like Zoom and AnyDesk — have become popular targets not only for app-specific threats, but also for social engineering campaigns by attackers that want to capitalize on these challenges.

And while most corporate workers by now should know better, phishing remains a highly successful way for attackers to gain a foothold in an enterprise network, the researchers said. Because of this, Cybel researchers recommend that all enterprises use security products to detect phishing emails and websites across their network. These should also be extended to mobile devices accessing corporate networks, they said.

Enterprises should educate employees on the dangers of opening email attachments from untrusted sources, as well as downloading pirated software from the Internet, the researchers said. They should also reinforce the importance of using strong passwords and enforce multifactor authentication wherever possible.  

Finally, Cyble researchers advised that as a general rule of thumb, enterprises should block URLs — such as Torrent/Warez sites — that can be used to spread malware.