An up to date model of an information-stealing malware referred to as Rhadamanthys is being utilized in phishing campaigns concentrating on the oil and gasoline sector.
“The phishing emails use a singular car incident lure and, in later levels of the an infection chain, spoof the Federal Bureau of Transportation in a PDF that mentions a big tremendous for the incident,” Cofense researcher Dylan Duncan stated.
The e-mail message comes with a malicious hyperlink that leverages an open redirect flaw to take the recipients to a hyperlink internet hosting a supposed PDF doc, however, in actuality, is a picture that, upon clicking, downloads a ZIP archive with the stealer payload.
Written in C++, Rhadamanthys is designed to determine connections with a command-and-control (C2) server so as to harvest delicate information from the compromised hosts.
“This marketing campaign appeared inside days of the regulation enforcement takedown of the LockBit ransomware group,” Duncan stated. “Whereas this might be a coincidence, Development Micro revealed in August 2023 a Rhadamanthys variant that got here bundled with a leaked LockBit payload, alongside a clipper malware and cryptocurrency miner.
“The menace actors added a mix of an data stealer and a LockBit ransomware variant in a single Rhadamanthys bundle, presumably indicating the continued evolution of the malware,” the corporate famous.
The event comes amid a gentle stream of latest stealer malware households like Sync-Scheduler and Mighty Stealer, whilst current strains like StrelaStealer are evolving with improved obfuscation and anti-analysis methods.
It additionally follows the emergence of a malspam marketing campaign concentrating on Indonesia that employs banking-related lures to propagate the Agent Tesla malware to plunder delicate data equivalent to login credentials, monetary information, and private paperwork.
Agent Tesla phishing campaigns noticed in November 2023 have additionally set their sights on Australia and the U.S., in response to Verify Level, which attributed the operations to 2 African-origin menace actors tracked as Bignosa (aka Nosakhare Godson and Andrei Ivan) and Gods (aka GODINHO or Kmarshal or Kingsley Fredrick), the latter of whom works as an online designer.
“The principle actor [Bignosa] seems to be part of a gaggle working malware and phishing campaigns, concentrating on organizations, which is testified by the US and Australian electronic mail enterprise databases, in addition to people,” the Israeli cybersecurity firm stated.
The Agent Tesla malware distributed by way of these assault chains have been discovered to be secured by the Cassandra Protector, which helps shield software program applications in opposition to reverse-engineering or modification efforts. The messages are despatched by way of an open-source webmail instrument referred to as RoundCube.
“As seen from the outline of those menace actors’ actions, no rocket science diploma is required to conduct the cyber crime operations behind one of the vital prevalent malware households within the final a number of years,” Verify Level stated.
“It is an unlucky course of occasions brought on by the low-entry stage threshold in order that anybody prepared to impress victims to launch the malware by way of spam campaigns can achieve this.”