SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Goal Victims

An ongoing phishing marketing campaign is using copyright infringement-related themes to trick victims into downloading a more moderen model of the Rhadamanthys info stealer since July 2024.

Cybersecurity agency Verify Level is monitoring the large-scale marketing campaign underneath the identify CopyRh(ight)adamantys. Focused areas embody america, Europe, East Asia, and South America.

“The marketing campaign impersonates dozens of corporations, whereas every e-mail is shipped to a particular focused entity from a distinct Gmail account, adapting the impersonated firm and the language per focused entity,” the corporate said in a technical evaluation. “Nearly 70% of the impersonated corporations are from the Leisure /Media and Expertise/Software program sectors.”

The assaults are notable for the deployment of model 0.7 of the Rhadamanthys stealer, which, as detailed by Recorded Future’s Insikt Group early final month, incorporates synthetic intelligence (AI) for optical character recognition (OCR).

The Israeli firm stated the exercise overlaps with a marketing campaign that Cisco Talos disclosed final week as focusing on Fb enterprise and promoting account customers in Taiwan to ship Lumma or Rhadamanthys stealer malware.

The assault chains are characterised by means of spear-phishing techniques that entail sending e-mail messages claiming purported copyright violations by masquerading as well-known corporations.

These emails are despatched from Gmail accounts and declare to be from authorized representatives of the impersonated corporations. The contents of the message accuse the recipients of misusing their model on social media platforms and request them to take away the involved photos and movies.

“The removing directions are stated to be in a password-protected file. Nevertheless, the connected file is a obtain hyperlink to appspot.com, linked to the Gmail account, which redirects the consumer to Dropbox or Discord to obtain a password-protected archive (with the password supplied within the e-mail),” Verify Level stated.

The RAR archive comprises three elements, a legit executable weak to DLL side-loading, the malicious DLL containing the stealer payload, and a decoy doc. As soon as the binary is run, it sideloads the DLL file, which then paves the best way for the deployment of Rhadamanthys.

Verify Level, which attributed the marketing campaign to a possible cybercrime group, stated that it is potential the menace actors have utilized AI instruments given the dimensions of the marketing campaign and the number of the lures and sender emails.

“The marketing campaign’s widespread and indiscriminate focusing on of organizations throughout a number of areas suggests it was orchestrated by a financially motivated cybercrime group moderately than a nation-state actor,” it stated. “Its international attain, automated phishing techniques, and various lures show how attackers constantly evolve to enhance their success charges.”

New SteelFox Malware Exploits Susceptible Driver

The findings come as Kaspersky make clear a brand new “full-featured crimeware bundle” dubbed SteelFox that is propagated through boards posts, torrent trackers, and blogs, passing off as legit utilities like Foxit PDF Editor, JetBrains, and AutoCAD.

The marketing campaign, courting again to February 2023, has claimed victims internationally, notably these positioned in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. It has not been attributed to any recognized menace actor or group.

“Delivered through refined execution chains together with shellcoding, this menace abuses Home windows providers and drivers,” safety researcher Kirill Korchemny said. “It additionally makes use of stealer malware to extract the sufferer’s bank card information in addition to particulars concerning the contaminated system.”

The place to begin is a dropper app that impersonates cracked variations of common software program, which, when executed, asks for administrator entry and drops a next-stage loader that, in flip, establishes persistence and launches the SteelFox DLL.

The admin entry is subsequently abused to create a service that runs an older model of WinRing0.sys, a {hardware} entry library for Home windows that is vulnerable to CVE-2020-14979 and CVE-2021-41285, thereby permitting the menace actor to acquire NTSYSTEM privileges.

“This driver can also be a element of the XMRig miner, so it’s utilized for mining functions,” Korchemny famous. “After initializing the motive force, the pattern launches the miner. This represents a modified executable of XMRig with junk code fillers. It connects to a mining pool with hardcoded credentials.”

The miner, for its half, is downloaded from a GitHub repository, with the malware additionally initiating contact with a distant server over TLS model 1.3 to exfiltrate delicate information from internet browsers, comparable to cookies, bank card information, shopping historical past, and visited locations, system metadata, put in software program, and timezone, amongst others.

“Extremely refined utilization of recent C++ mixed with exterior libraries grant this malware formidable energy,” Kaspersky stated. “Utilization of TLSv1.3 and SSL pinning ensures safe communication and harvesting of delicate information.”