Rhadamanthys Information Stealer Uses Two Delivery Methods

Summary

Cyble Research & Intelligence Labs researchers discovered a new strain of malware dubbed Rhadamanthys Stealer that is spread through two delivery methods. Threat actors use spam emails to send false account statements and attempt to garner an immediate response. The emails contain a PDF attachment called “Statement.pdf” that, if clicked, displays a message with a link to download an update through Adobe Acrobat DC Updater to view the file. If downloaded and executed, the malware steals information from the victim’s system. Threat actors also deliver the information stealer via website redirects from Google Ads impersonating legitimate websites for downloads of popular remote-workforce software. They convince users to download the software disguised as legitimate installers for the respective application while the stealer malware is silently installed in the background on the victim’s system. Rhadamanthys Stealer is capable of collecting system information, browser history and information, and account credentials with a target for various crypto wallets, crypto-wallet browser extensions, FTP clients, email clients, file managers, password managers, VPN services, and messaging apps.

Recommendations

The NJCCIC advises users to avoid opening suspicious links or email attachments without verifying the sender's authenticity. Additionally, users are urged to only download software from the application’s official website or legitimate vendors and avoid pirated software from unofficial sources, such as Torrent and Warez websites. Further technical details and indicators of compromise (IOCs) can be found in the Cyble blog post.