An updated version of Rhadamanthys malware-as-a-service (MaaS) is being deployed against oil and gas companies, using an effective new bait with worrying success.
Cofense monitored the campaign, which uses emails and a PDF file disguised as communications from the Federal Bureau of Transportation, according to a new flash alert from the email security analysts. There is no such office, and it may be a mash-up of the Department of Transportation and the Bureau of Transportation Statistics, which falls under its purview.
“It is not clear why this specific sector [is being targeted], but the campaign in its current form could be relevant across most industries if threat actors decide to change targets,” the Cofense notice explained. “Even though the campaign was actively sending emails, it was successfully achieving its goals at an alarming rate.”
The campaign appeared a few days after the LockBit takedown in February, analysts say. The latest version of Rhadamanthys, 5.0, was updated in early 2024 with improvements to its evasion and data theft capabilities, Cofense added.
The phishing emails are also carefully crafted, the researchers pointed out. The phishers created multiple inflammatory subject lines, such as “Notify: Accident involving your vehicle” and “Attention Needed: Collision of your vehicle.”
“As strange as it may seem to use car crashes as phishing bait, the threat actors here have made immense efforts to ensure that their emails together with the infection chain affect the emotions of the recipient,” Cofense added. “Each body and subject of an email is different from the next, but can be summed up by notifying an employee of a car accident through a notification to the employer, possible legal action, or even a police contact notice order.”