An updated version of information-stealing malware called Rhadamanthys is being used in phishing campaigns targeting the oil and gas industry.
“The phishing emails use a lure unique to car accidents and, at later stages of the infection chain, spoof the Federal Bureau of Transportation in a PDF that mentions a significant fine for the accident,” Cofense researcher Dylan Duncan said.
The email message arrives with a malicious link that takes advantage of an open redirect flaw to take recipients to a link that hosts a supposed PDF document, but, in reality, it is an image that, when clicked, downloads a ZIP archive with the stealer payload.
Written in C++, Rhadamanthys is designed to establish connections with a command and control (C2) server in order to collect sensitive data from compromised hosts.
“This campaign appeared just days after law enforcement took down the LockBit ransomware group,” Duncan said. “While this may be a coincidence, Trend Micro revealed in August 2023 a variant of Rhadamanthys that came bundled with a leaked LockBit payload, along with a clipper malware and a cryptocurrency miner.
“Threat actors have added a combination of an information stealer and a LockBit ransomware variant into a single Rhadamanthys package, perhaps indicating the continued evolution of the malware,” the company noted.
The development comes amid a constant stream of new stealer malware families such as Sync-Scheduler and Mighty Stealer, even as existing strains like StrelaStealer are evolving with improved obfuscation and anti-analysis techniques.
It also follows the emergence of a malspam campaign against Indonesia that uses banking-related lures to spread Agent Tesla malware to plunder sensitive information such as login credentials, financial data and personal documents.
Agent Tesla phishing campaigns observed in November 2023 also targeted Australia and the United States, according to Check Point, which attributed the operations to two threat actors of African origin identified as Bignosa (aka Nosakhare Godson and Andrei Ivan) and Gods (aka GODINHO or Kmarshal or Kingsley Fredrick), the latter of whom works as a web designer.
“The main actor [Bignosa] appears to be part of a group that runs malware and phishing campaigns, targeting organizations, as evidenced by US and Australian commercial email databases, as well as individuals,” the Israeli cybersecurity firm said.
Agent Tesla malware distributed via these attack chains has been found to be protected by Cassandra Protector, which helps protect software programs from reverse engineering or modification attempts. Messages are sent via an open source email tool called RoundCube.
“As seen from the description of the actions of these threat actors, no degree in rocket science is needed to conduct the cybercrime operations behind one of the most prevalent malware families in recent years,” Check Point said.
“This is an unfortunate turn of events caused by the low entry threshold, so anyone willing to provoke victims into launching malware via spam campaigns can do so.”