A new sneak attack is hitting the computer systems of corporate workers by redirecting users to fake download sites for popular productivity software, such as Zoom. Researchers at Cyble revealed that the attackers behind the new strain, which is known as Rhadamanthys Stealer, are using two different delivery methods to spread their payload.
One method involves using carefully crafted phishing websites that are designed to look like they’re from legitimate download sites, such as Microsoft’s Zoom. The other is by sending out fake emails that are designed to infect users.
The researchers noted that those two delivery methods allow attackers to access corporate networks without authorization. A survey conducted by Verizon in 2021 revealed that almost all of the data breaches that were reported that year involved social engineering. More than 60% of the time, the attackers used email to trick their victims.
A Convincing Scam
The researchers detected a wide variety of phishing domains that were created to target Rhadamanthys victims. Some of these are designed to look like they are from legitimate websites that are linked to software brands such as Microsoft, Amazon, and Zoom.
The researchers noted that the attackers behind this campaign are using a highly convincing website to trick their victims into downloading harmful software. The websites will then download an installer that is disguised as a legitimate one, silently installing the illicit software.
The attackers then use social engineering techniques to create a compelling message that they can use to trick their victims into clicking on a link. In this case, the attackers are using a financial theme to send out an email with a Statement.pdf attachment. After the file is executed, the attackers can access the victims’ computer data, such as their browser history and account login credentials.
The Rhadamanthys Payload
The researchers noted that Rhadamanthy’s is similar to other data snatchers. However, it has unique features that allow it to perform different actions. One of these features is that the payload is encoded in a shellcode, which is a 32-bit file that’s compiled using Microsoft’s C/C++ compiler.
One of the first features of the shellcode is a mutex object, which is designed to prevent the snatcher from running on the victims’ computers at all times. It also tries to analyze the system for signs of the attacker using a virtual machine.
The attackers then perform various actions to collect numerous details about the victims’ computers, such as their OS version, computer name, and password. They then use the system information to search for and steal various browser details, such as their login credentials, history, and cookies.
The researchers noted that the snatcher has a specific target list, which includes various crypto wallets such as Bitcoin, Binance, and Armory. It also collects data from multiple browser extensions for crypto wallets.
Due to the emergence of the pandemic, the number of corporate workers has become more dispersed, which has created unique security issues. Software tools that help remote workers work more efficiently have become popular targets for attackers.
Despite the widespread awareness of the importance of avoiding phishing scams, researchers noted that it is still a highly effective way for attackers to get into an organization’s network. Therefore, they recommend that all companies use security products to prevent their employees from getting infected by phishing emails.
Besides using security products, the researchers also recommend that companies educate their employees about the risks associated with opening email attachments and downloading pirated software. They should additionally implement multifactor authentication and require strong passwords.