##### MALWARE/CYBER THREAT ANALYSIS
##### TOOL PROFILE
By Insikt Group®
September 26, 2024

# Rhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0

**Rhadamanthys Stealer v0.7.0 introduces AI-powered OCR capability, enabling the extraction of cryptocurrency seed phrases from images and demonstrating how AI is**

**Rhadamanthys Stealer v0.7.0 is a global cyber threat with AI-driven features and advanced evasion tactics, mainly targeting organizations across North and**

**Detections and preventative measures unveiled for Rhadamanthys Stealer v0.7.0 provide an effective defense against this evolving threat, offering**

## Executive Summary

Rhadamanthys is an advanced information stealer that first appeared in 2022. It is known for its rapid release cadence and has seen at least ten releases since its inception. The malware is advertised and sold on underground forums, and despite being banned from several of them for allowing the targeting of Russian and/or former USSR entities, it is still being actively sold. The fee structure starts at $250 for 30 days of access, making it an affordable and attractive option for cybercriminals.

Rhadamanthys is a full-featured information stealer that collects system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from a wide range of other applications. It includes numerous anti-analysis techniques that complicate analysis and make it difficult for the malware to run successfully in a sandbox environment.

Insikt Group obtained and analyzed the most recent version of Rhadamanthys, 0.7.0, and noted many new features. The most innovative is its ability to use AI (via optical character recognition [OCR]) to extract cryptocurrency wallet seed phrases from images automatically.
This feature has client- and server-side components: the client identifies candidate seed phrase images, and the full seed phrase is extracted after the image has been exfiltrated to the malware's command-and-control (C2) server. Additionally, a new feature allows threat actors to run and install Microsoft Software Installer (MSI) files, which conventional detection systems may not flag as malicious.

Rhadamanthys is a popular choice for cybercriminals. Coupled with its rapid development and innovative new features, it is a formidable threat that all organizations should be aware of. Organizations are encouraged to implement the mitigation strategies outlined in this report. In addition to the mitigations, various detections are available to identify Rhadamanthys, and a mutex kill switch described in the report can be used as a vaccine against current infections.

Information stealers represent a significant threat to organizational security. The widespread practice of password reuse exacerbates this issue, as credentials stolen from personal accounts can often be leveraged to gain unauthorized access to corporate systems. For example, an attacker could retrieve an individual's personal email address and password from a compromised social media account and then use that same password to access their professional email account, especially if the work email address can be easily guessed or found on professional networking sites like LinkedIn. Additionally, the increasing overlap between personal and professional use of devices further complicates the security landscape. Employees frequently use work laptops for personal activities, inadvertently downloading infostealers through malicious advertisements or compromised websites. Similarly, when individuals log in to work accounts from personal devices, those credentials may be compromised if the employee or a family member unknowingly becomes infected with an infostealer.
These scenarios underscore the critical need for robust cybersecurity measures, including stringent password policies, regular employee training on safe browsing practices, and rigorous access controls to mitigate the risks posed by infostealers and compromised credentials.

MTP-2024-0926 Recorded Future® | [www.recordedfuture.com](http://www.recordedfuture.com)

## Key Findings

- Rhadamanthys, now in its latest version, 0.7.0, is a rapidly evolving malware family that is continuously updated with new features, making it a formidable weapon for cybercriminals. Its use is global, affecting various sectors and regions, with most targets in North and South America.
- Insikt Group identified a kill switch: creating the known Rhadamanthys mutexes on a non-infected machine prevents Rhadamanthys from executing its stealers and extensions.
- Rhadamanthys leads the trend of incorporating AI into malware with client-side features such as OCR for extracting seed phrases from images. It demonstrates how AI is being weaponized to enhance data theft and is expected to remain at the forefront of this trend.
- The threat actor "kingcrete2022", the developer of Rhadamanthys, is banned on both the XSS and Exploit forums. The ban was imposed after the threat actor was accused of targeting Russian and/or former USSR entities. The threat actor currently relies on private messaging via TOX, Telegram, and Jabber to continue advertising new versions of the Rhadamanthys stealer.
- Insikt Group identified a new Rhadamanthys feature involving the use of MSI packages, an additional defense evasion technique. MSI files, typically associated with legitimate software installations, often escape security scrutiny because they are perceived as trustworthy and may not be detected by conventional systems.
- Rhadamanthys has a built-in way to prevent re-execution within a configurable time frame.
In version 0.7.0, the author updated this feature to make it tamper-resistant through encryption and hashing.

## Background

Rhadamanthys is an advanced information stealer that first appeared in the cybercrime ecosystem in September 2022. The malware is attributed to an individual or group known under the alias "kingcrete2022". kingcrete2022 started advertising the malware on various special-access forums, including XSS, Exploit, Best Dark, Opencard, and Center-Club, with the following fee structure.

|License Type|30 Days|90 Days|
|---|---|---|
|Normal|$250|$550|
|VIP|$300|$750|

**_Table 1: Rhadamanthys fee structure (Source: Recorded Future)_**

The threat actor used different handles on different forums, including "kingcrete2022" on Exploit (currently banned for unknown reasons), "freeide" on XSS (currently banned for targeting Russian and/or former USSR entities, as shown in Figure 1 below), "kingcrete" on Opencard and Best Dark, and "rhadamanthys" on Center-Club. The threat actor uses TOX (5BCB80569AC334FDA5B7806ABC05DDFE3AF8F126E08D0EA6D21DA3C13B43F164188C3EEE89E9), an open-source, free, and encrypted communication protocol favored by many Russian- and English-speaking threat actors, as a contact method. The threat actor also uses Telegram (@kingcrete), Jabber (rhadamanthys@exploit[.]im), and kingcrete2022@thesecure[.]biz for communication. Based on a search for the threat actor's TOX ID in the Recorded Future® Intelligence Cloud, additional advertisements for Rhadamanthys under different handles, possibly operated by the same threat actor, are listed in Table 2 below. The Telegram handles listed there advertised malware logs for sale, indicating that the sale of Rhadamanthys logs is part of the threat actor's business model.
**_Figure 1: The handle "freeide" used by the threat actor kingcrete2022 on XSS is banned for targeting Russian and/or former USSR entities (Source: XSS)_**

|Source|Handles|
|---|---|
|XSS|freeide, "DaF0x", "Free IDE"|
|Exploit|kingcrete2022|
|Best Dark|kingcrete|
|Opencard|kingcrete|
|SkyNetZone|kingcretekingcrete|
|Center-club|rhadamanthys|
|Best Hack|Rhadamanthys|
|Telegram|"dailyfreshlogs", "freshtrafficandlogs", "TrafficLogsMalwaresinfo"|

**_Table 2: Rhadamanthys developer handles (Source: Recorded Future)_**

The handle "superman8848" has also been associated with advertising Rhadamanthys as early as August 2022 on both XSS and Exploit. The accounts were banned on both forums. It is possible that "superman8848" and "kingcrete2022" are operated by the same threat actor. A Google search for "superman8848" yielded a GitHub account, a Reddit account, and a Chinese-language forum, right.com[.]cn ([Intelligence Card](https://app.recordedfuture.com/portal/intelligence-card/idn%3Aright.com.cn/overview)). The GitHub account under "superman8848" also commented on a Chinese-language post, pointing to the possibility that the threat actor behind the handle is a Chinese speaker.

kingcrete2022 uses the blog service telegra[.]ph ([Intelligence Card](https://app.recordedfuture.com/portal/intelligence-card/idn%3Atelegr.ph/overview)) to document Rhadamanthys stealer updates.
**_Figure 2: Example Rhadamanthys blog post from telegra[.]ph (Source: Recorded Future)_**

[The threat actor has also posted](https://vimeo.com/user185512701) two instructional videos on Vimeo. One video was an overview of the "v0.3.2 updates". The second video was named "Wallter crack & Customized dictionaries" and showed how the infostealer targets cryptocurrency wallets.

Version 0.7.0 is the most recent version of the Rhadamanthys stealer, released in late June 2024. According to the banner message on TOX, the threat actor is working on version 0.8.

#### Malware Capabilities and Versions

[Rhadamanthys targets Windows operating systems and is designed to collect system information,](https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/) credentials, cryptocurrency wallets, browser passwords, and cookies, among other data. The stealer's collection targets are comprehensive, ranging from major web browsers like Google Chrome to less common software such as the Pale Moon browser and [Auvitas Wallet](https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/). The stealer not only exfiltrates data automatically upon infection but also allows operators to deploy extensions and execute additional commands on compromised machines. This extensibility, together with constant updates and feature expansions, makes Rhadamanthys a formidable tool for cybercriminals.

- **Anti-Behavioral Analysis:** Rhadamanthys employs techniques to avoid behavioral analysis by analysis tools. These methods include timing and delay checks and monitoring for memory-write actions, making it harder for security researchers to trace its actions.
- **Anti-Static Analysis:** Rhadamanthys uses static analysis evasion techniques, including obfuscating its executable code, which makes it challenging for analysts to dissect and comprehend the malware's underlying structure.
- **Defense Evasion:** Rhadamanthys uses sophisticated evasion tactics to bypass detection, including encrypting and encoding its files to obscure their contents, hijacking execution flow through legitimate Windows function calls, and altering file and directory permissions to avoid being flagged by security tools.
- **Execution:** Rhadamanthys can leverage shared modules and command or scripting interpreters, such as PowerShell, to execute malicious payloads, enhancing its versatility across environments.
- **Collection:** Rhadamanthys collects data from infected systems, including credentials, browser data, system information, and cryptocurrency wallets.
- **Command-and-Control:** Rhadamanthys communicates with a command-and-control server to receive instructions and exfiltrate stolen data, typically over HTTP/HTTPS.

#### Malware Versions

Multiple versions of Rhadamanthys have been developed, each iteration adding features and refining existing ones. The malware's core purpose, information stealing, has remained unchanged, but its deployment and execution have evolved. Reviewing the change logs on the developer's Telegram account, we identified the versions below and summarized their change logs. The full change logs can be found in Appendix B.

**_Figure 3: Rhadamanthys version timeline (Source: Recorded Future)_**

- **Version 0.4.0** provided major changes that were incompatible with prior versions. This version also required users to back up their configurations before updating and included new installation instructions and server panel access details.
- **Version 0.4.1** implemented critical fixes, such as preventing global download tasks from triggering when certain records were empty and addressing a significant security vulnerability related to panel session management. New features like customizable Telegram notification templates and enhanced support for third-party encryption services were also introduced.
- **Version 0.4.5** improved the client and panel by including a dedicated shim server and full transport layer security (TLS) support. It also added the capability to perform terminal operations directly from the panel. This update also enhanced log export capabilities and implemented a download loader task system.
- **Version 0.4.8** completely rewrote the client to include independent encryption keys for each build, with extensive testing across various Windows versions. Server-side enhancements included password cracking algorithms, URL validity detection, and the ability to handle multiple crypt services.
- **Version 0.4.9** focused on refining existing features, such as resolving issues with log export records and enhancing panel search functionality. Improvements were also made to the Telegram notification system and stub cleanup processes.
- **Version 0.5.0** introduced observer mode and stub construction options and significantly improved the client execution process. It also expanded wallet cracking capabilities, improved Discord token acquisition, and upgraded panel search settings. This version added a plug-in module for task execution and introduced keylogger and data spy plug-ins, supporting secondary development.
- **Version 0.5.1** included a new Clipper plug-in, enhanced Telegram notification options, Google Account cookie recovery, and default build stub cleaning to bypass Windows Defender.
- **Version 0.5.2** enhanced the shim server's disconnection detection with backend servers to better identify and repair connection issues. Clipper plug-in version 0.2 fixed bugs related to repeated uploads and log paging, introduced a full-text replacement feature for various copy operations, and added a switch to ensure addresses are replaced only once. The reverse proxy plug-in now requires a separate virtual private server (VPS) for installation, with updates affecting only server-side files, ensuring no disruption to the running client system.
- **Version 0.6.0** enhanced server and panel functionality, including geo- and IP-blocking, optimized log writing, and support for new extended wallets. This version also improved the protection of the index database, simplified directory layouts for better compatibility with automatic processing tools, and enhanced stub cleaning and Windows Defender bypass features.
- **Version 0.7.0**, the most recent version, includes a complete rewrite of both the client-side and server-side frameworks, improving execution stability. Additionally, 30 wallet-cracking algorithms and AI-powered image and PDF recognition for seed phrase extraction were added, and the text extraction capability was enhanced to identify multiple saved phrases. Bugs and issues from the previous version were resolved. The Telegram module was rewritten to support HTML formatting and multi-token polling, and the synchronization module now includes file transfer protocol (FTP) support for remote log transfers. The search filter module has been rewritten, and an application programming interface (API) for an open platform has been introduced.

#### Rhadamanthys Identity Intelligence and Incidents

Recorded Future collects and analyzes [malware log files](https://go.recordedfuture.com/hubfs/data-sheets/malware-logs.pdf) from various information stealers advertised on underground markets.
This data provides unique insight into information stealers' victimology and the markets in which they are advertised. The data [analyzed](https://go.recordedfuture.com/hubfs/data-sheets/identity-intelligence-module.pdf) from Rhadamanthys malware logs, as per Recorded Future Identity Intelligence, shows that Rhadamanthys is used globally, with most targets in North America and Brazil (see Figure 4).

**_Figure 4: Rhadamanthys victimology geographic locations (Source: Recorded Future)_**

Although only a few uses of Rhadamanthys have been reported publicly, several notable events from the last twelve months are listed below.

- In October 2023, Rhadamanthys [was dropped](https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks) in an attack using the GHOSTPULSE loader. Rhadamanthys was delivered via [MSIX installers](https://learn.microsoft.com/en-us/windows/msix/overview) masquerading as legitimate software like Google Chrome or Webex. GHOSTPULSE uses advanced techniques, including side-loading malicious dynamic-link libraries (DLLs) and encrypting payloads, to evade detection by security tools.
- [In February 2024, Rhadamanthys was distributed](https://cofense.com/blog/recently-updated-rhadamanthys-stealer-delivered-in-federal-bureau-of-transportation-campaign/) through a phishing campaign targeting the oil and gas sector. The emails spoofed the "Federal Bureau of Transportation" and referenced a vehicle incident, urging the recipient to download a malicious ZIP file containing an executable.
- [In March 2024, TA547 targeted](https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer) German organizations with a phishing campaign impersonating the German retail company Metro. The emails contained password-protected ZIP files containing malicious LNK files.
Executing the LNK files runs a PowerShell script that decodes and executes Rhadamanthys in memory without writing it to disk. This attack chain likely uses a large language model (LLM)-generated PowerShell script, a novel tactic that leverages machine-generated code for delivery while the payload remains the same.
- In August 2024, Rhadamanthys was [delivered via phishing emails targeting Israeli users](https://cybersecuritynews.com/rhadamanthys-stealer-rar-credentials/). The emails contained a password-protected RAR archive that, once extracted, revealed an EXE, a DLL, and an image file. When executed, Rhadamanthys was dropped and run.

## Threat/Technical Analysis

Insikt Group analyzed a sample of Rhadamanthys v0.7.0 and found that its core functionality has not changed significantly from [v0.5.0](https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/). The Rhadamanthys modules and the [XS custom binary format](https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/) remain the same, as does its overall infection chain, which relies on the three stages below and multiple modules loaded at runtime (Figure 5).

- **Stage 1 (Unpacking and Loading of Stage 2):** Stage 2 shellcode is copied to the `.textbss` section of the portable executable (PE) file and then executed. This marks the beginning of the unpacking and loading process for Stage 2.
- **Stage 2 (Prepare System and Download Stealers from C2):** The system is prepared for further exploitation by performing process injection, unhooking, and various process and evasion checks. It then loads the proto.x86 and netclient.x86 modules to communicate with the C2 server and subsequently loads the CoreDLL (Stage 3).
- **Stage 3 (Run Stealers):** Various modules are loaded, and the default stealers are executed. Image/OCR processing and additional extensions are also run. The stolen data is then reported back to the C2 server.

Nine mutexes are opened by Rhadamanthys using the Windows API function `OpenMutexW()`. If any of the mutexes listed below are found, Rhadamanthys terminates.

```
Global\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
Session\1\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
Session\2\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
Session\3\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
Session\4\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
Session\5\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
Session\6\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
Session\7\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
Session\8\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
```

**_Table 3: Rhadamanthys mutexes (Source: Recorded Future)_**

Finally, Rhadamanthys uses the Windows API function [CreateMutexW](https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexw) to create a slightly different value than the previous nine mutexes.
The integer for the first format string parameter, `%08lx`, is the value of the variable used to count the mutex session count, which equals nine at this stage of execution, producing the following mutex:

```
MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
```

Note that the Microsoft DLL msctf.dll has been [observed](https://www.hexacorn.com/blog/2018/12/25/enter-sandbox-part-22-ctf-capturing-the-false-positive-artifacts/) to create mutexes with a similar beginning string. However, the globally unique identifier (GUID) format in Rhadamanthys's mutex does not resemble that. In terms of false positives, even if the formats matched precisely, the odds of another program using the same bytes as Rhadamanthys make a false positive highly unlikely.

#### Re-Execution Delay Feature

Rhadamanthys contains a feature to prevent re-execution within a configurable time frame. The unique registry values used by this feature can be used to detect live and historical Rhadamanthys infections.

The configurable time frame for the re-execution delay is specified in minutes. It is contained in offsets five and six of the Rhadamanthys configuration (see Figure 10) and is calculated by taking the integer value of the two bytes. For Rhadamanthys v0.7.0, the twelve bytes in the configuration at offset 12 (hex 0x0c) are used as a nonce during ChaCha20 encryption of the timestamp information.

**_Figure 10: Rhadamanthys's configuration and re-execution value (Source: Recorded Future)_**

At startup, Rhadamanthys retrieves the number of seconds elapsed since midnight on January 1, 1970 (UTC), via the `time()` function. The re-execution delay feature is implemented as follows:

1. The SHA1 hash of the timestamp obtained at startup is calculated.
2. The SHA1 hash is placed at the front of a 128-byte buffer.
3. A null byte and then the timestamp itself are appended after the hash in the same 128-byte buffer.
4. The 128-byte buffer is encrypted using ChaCha20 with the following parameters:
   - 64-byte key: SHA256 hash of the C2 URL against a zero-filled 128-byte buffer
   - 12-byte nonce: taken from the configuration at offset 12 (hex 0x0c)
   - Counter: 64
5. The encrypted result (64 bytes) is written to the registry value `HKCU\SOFTWARE\SibCode\sn2`.

**Figure 13** provides an overview of how the seed phrase image detection works. The imgdt.bin XS2 module and a bip39.txt file are saved as resources within Rhadamanthys's CoreDLL payload. When the imgdt.bin module is loaded, the bip39.txt file initializes OCR data for detection.

**_Figure 13: Seed Phrase Image Detection workflow (Source: Recorded Future)_**

Next, the base path for the seed phrase image detection configuration is inspected. If environment variables are present, they are expanded, and then the files and directories in the base path are enumerated. Each path is checked to see if it is a directory or a file. If it is a directory (and not a symlink), it is searched recursively depending on the seed phrase image detection configuration. If the path is a file, a check is done to ensure the file's size is within the bounds specified in the seed phrase image detection configuration before processing the file further. Next, the file path is checked for a valid extension (*.bmp, *.tiff, *.png, *.jpeg, or *.jpg).
If so, the file is read into a buffer, and the minimum and maximum image

- Keylogger
- Data Spyer
- Clipper
- Reversed Proxy

In version 0.5.0, these plug-ins were implemented as .NET assemblies and loaded via the loader.dll file, which is responsible for loading .NET assemblies. In v0.7.0, however, the plug-in system was updated. The plug-ins are now packaged as ZIP files containing two components, `classes.dex` and `manifest.json`, resembling an Android Package Kit (APK) file structure, though they are not actual APKs. The `classes.dex` file serves as the extension and contains several key elements:

- License check
- Loader code
- LZMA-compressed extension in XS2 format

This new structure allows Rhadamanthys to extend its functionality further and maintain its adaptability in malware operations. Extensions in Rhadamanthys are loaded and executed in a six-step process involving the CoreDLL and TaskCore modules:

1. TaskCore is injected into a process on the infected host.
2. CoreDLL sends the extension to TaskCore via a named pipe.
3. TaskCore verifies the extension's license to ensure it is valid for execution.
4. The extension is decompressed.
5. TaskCore executes the decompressed extension.
6. The compressed extension package is sent to TaskCore for further operations.

This process ensures that only licensed extensions are run and allows for efficient transmission and execution of malicious components.
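A static triage helper for the extension package format just described, as an added example (the editor's code, not Rhadamanthys's own and not from any project): it opens a package ZIP, checks for the `classes.dex`/`manifest.json` pair, confirms that `classes.dex` is not a genuine Dalvik file, and carves any LZMA stream it carries. Everything beyond what the report states is an assumption: the `.xz` container magic used to locate the stream (the raw `.lzma` format has no fixed header, so a real sample may need a different carving strategy), the constructed sample package, and its manifest fields. The XS2 format is not parsed, so the carved payload is reported as opaque bytes.

```python
"""Static triage of a Rhadamanthys v0.7.0-style extension package (editor's example).

Layout taken from the report: a ZIP holding manifest.json and classes.dex, where
classes.dex is not a real Dalvik file but carries license data, loader code, and an
LZMA-compressed XS2 module. Assumptions not in the report: the LZMA data uses the .xz
container (magic FD 37 7A 58 5A 00), and the sample bytes and manifest fields below.
"""
import io
import json
import lzma
import zipfile

XZ_MAGIC = b"\xfd7zXZ\x00"   # .xz stream header (assumed container; raw .lzma has no fixed magic)
DEX_MAGIC = b"dex\n"         # genuine Dalvik files start with "dex\n" followed by a version


def carve_xz_streams(blob):
    """Return [(offset, decompressed_bytes)] for each complete .xz stream inside blob."""
    found = []
    pos = blob.find(XZ_MAGIC)
    while pos != -1:
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
        try:
            data = dec.decompress(blob[pos:])
            if dec.eof:                       # a whole stream ended; trailing bytes sit in dec.unused_data
                found.append((pos, data))
        except lzma.LZMAError:
            pass                              # magic bytes with no valid stream behind them
        pos = blob.find(XZ_MAGIC, pos + 1)
    return found


def triage_extension(zip_bytes):
    """Describe a package: entries, whether it matches the expected layout, the parsed
    manifest, whether classes.dex is a real DEX, and every embedded .xz stream."""
    report = {"entries": [], "has_expected_layout": False, "manifest": None,
              "is_real_dex": None, "streams": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        report["entries"] = sorted(zf.namelist())
        report["has_expected_layout"] = {"classes.dex", "manifest.json"} <= set(report["entries"])
        if "manifest.json" in report["entries"]:
            try:
                report["manifest"] = json.loads(zf.read("manifest.json"))
            except ValueError:
                report["manifest"] = None     # not JSON: still worth flagging, but nothing to parse
        if "classes.dex" in report["entries"]:
            dex = zf.read("classes.dex")
            report["is_real_dex"] = dex.startswith(DEX_MAGIC)
            report["streams"] = [{"offset": off, "size": len(data), "data": data}
                                 for off, data in carve_xz_streams(dex)]
    return report


def build_sample_package():
    """Constructed sample (not a real Rhadamanthys extension): returns (zip_bytes, payload)."""
    payload = b"XS2-STANDIN:" + bytes(range(256)) * 4          # stand-in for an XS2 module
    dex = (b"LICENSE\x00" + b"\x11" * 16                        # stand-in for license check data
           + b"\x00" * 8 + b"LOADER-STUB" + b"\x00" * 8         # stand-in for loader code
           + lzma.compress(payload, format=lzma.FORMAT_XZ))    # the compressed extension body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps({"name": "sample-extension", "version": "0.0"}))
        zf.writestr("classes.dex", dex)
    return buf.getvalue(), payload


if __name__ == "__main__":
    pkg, expected = build_sample_package()
    result = triage_extension(pkg)
    print("entries:", result["entries"], "| layout ok:", result["has_expected_layout"],
          "| real DEX:", result["is_real_dex"])
    for s in result["streams"]:
        print(f"xz stream at offset {s['offset']}: {s['size']} bytes, intact={s['data'] == expected}")
```

Point `triage_extension()` at a real package and the interesting outputs are a `classes.dex` that fails the DEX magic check while still carrying a decompressible stream, and the offset of that stream, which tells you how much license and loader material precedes the module. If nothing is carved, try the raw `.lzma` format at candidate offsets before concluding there is no compressed body.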
**_Figure 18: Rhadamanthys extension loading (Source: Recorded Future)_**

##### Keylogger

The keylogger extension provides standard keylogging functionality. Its core functionality revolves around hooking keystrokes, recording key presses and releases, and logging active window details to contextualize the stolen data. It uses the `GetKeyboardLayout` API to determine the keyboard layout and correctly interpret keystrokes regardless of language settings. The `GetKeyState` API tracks the state of modifier keys like Shift, Ctrl, and Alt, ensuring accurate capture of uppercase characters and key combinations. The malware monitors active windows by polling `GetForegroundWindow` and records window titles and process IDs through `GetWindowTextW` and `GetWindowThreadProcessId`.

The keylogger also monitors the clipboard, exhibiting an intent to capture sensitive data that users often copy. The code explicitly uses a combination of `IsClipboardFormatAvailable`, `OpenClipboard`, `GetClipboardData`, and `GlobalLock` to detect when text content is copied, access the clipboard data, and read it.

The keylogger parses the config.dat, which is loaded in memory and passed from the CoreDLL, for the configuration items in Table 4:

|Configuration Item|Description|
|---|---|
|bufsize|Size of the buffer that records keyboard content.|
|interval|The maximum time to wait between sends. If this interval has elapsed since the last send and the keyboard buffer is not full, the data is sent to the server anyway.|
|max clip|The maximum number of bytes captured from the clipboard at one time. If the text data in the clipboard exceeds this setting, it is discarded.|
|filters|A base64 string; keylogging is performed only for the process names set in the filter. The process names are not case-sensitive and are separated by commas.|

**_Table 4: Keylogger configuration items (Source: Recorded Future)_**

##### Data Spy

[The purpose of the data spy plug-in is to steal login information. As of now, it targets remote desktop protocol (RDP) credentials.](https://www.bleepingcomputer.com/news/security/rhadamanthys-stealer-malware-evolves-with-more-powerful-features/) Given the focus on remote access tools, future extension development would likely include stealing credentials for Citrix Virtual Apps and Desktops or virtual private network (VPN) solutions.

##### Clipper

Clipper is a cryptocurrency clipper malware designed to hijack clipboard operations and steal funds by replacing copied wallet addresses with attacker-controlled ones. The clipper identifies cryptocurrency addresses using a multi-faceted approach:

- First, the clipper uses pattern matching against its built-in list of wallet address formats and the replacement values found in the `--wallet-dict=` parameter passed in the in-memory configuration file config.dat.
- The clipper then applies the checksum algorithm of each recognized cryptocurrency, so that only valid addresses are targeted and a wide range of cryptocurrencies is handled accurately.

Apart from the dictionary parameter mentioned above, the configuration also contains the keys in the table below.
|Configuration Item|Description|
|---|---|
|fulltext|Enables address replacement over a full-text search and replace|
|once|Restricts replacing the same address to only one time|
|wallet-dict|Contains the list of target addresses to replace|

**_Table 5: Clipper configuration items (Source: Recorded Future)_**

##### Reverse Proxy

The reverse proxy looks for the `--server` value in config.dat, which contains the reverse proxy server to connect to, and routes traffic to that address.

|Configuration Item|Description|
|---|---|
|server|Provides the reverse proxy connection details|

**_Table 6: Reverse proxy configuration items (Source: Recorded Future)_**

## Mitigations

#### Mutex Kill Switch

By creating the known Rhadamanthys mutexes listed in Table 3 on a non-infected machine, a kill switch (vaccine) can be created that prevents Rhadamanthys from running its stealers and extensions. Named mutexes only exist while a handle to them is open, so the process that creates them must keep running for the protection to hold.

Additionally, general hardening and logging techniques should be implemented to detect and mitigate attack methods commonly associated with stealer activity. Examples of these mitigations are listed below:

- **User Training:** Train employees to spot phishing emails and other common initial access methods used by threat actors to deliver stealer malware.
- **Multi-Factor Authentication (MFA):** Require MFA so that stolen credentials alone are harder to use. Note, however, that MFA can still be bypassed with stolen session cookies.
- **Least Privilege Access:** Follow the principle of least privilege by granting users and devices only the minimum level of access needed for their job functions. If remote access solutions are crucial to daily operations, all remote access services and protocols (for example, Citrix and RDP) should be protected with MFA.
- **Security Information and Event Management (SIEM):** Implement a SIEM to centralize security logging across the network.
- **Endpoint Detection and Response (EDR):** Deploy EDR on endpoints to monitor for suspicious behavior commonly associated with stealer malware.
- **Recorded Future Hunting Packages:** Implement YARA, Sigma, and Snort rules like the ones in Recorded Future Hunting Packages.
- **Credential Leaks:** Look for, or create Recorded Future alerts for, your credentials in dumps and criminal sale sources. Reset every access method tied to any discovered credentials (cookies, sessions, passwords, and so on).

## Outlook

Rhadamanthys has a rapid development cycle and is consistently evolving, with new versions being worked on even as the previous ones are released; work on version 0.8.0 began as soon as version 0.7.0 shipped. Each version introduces significant enhancements in functionality, security, and evasion techniques. With the AI features added in 0.7.0 to enhance image detection, more advanced AI functionality will probably appear in future releases. While the detections and kill switch discussed in this report will prove valuable overall, the malware's consistent introduction of new features and evasion techniques will soon render these detections ineffective, continuing the difficult nature of detection engineering.

Rhadamanthys's global reach includes multiple campaigns targeting regions from North America to Europe and beyond. It is a popular tool in cybercriminal circles, supported by its versatile attack vectors and flexible plug-in system, making it a significant player in the underground malware market. Given this widespread adoption and continuous development, its influence will likely persist globally.
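The two Sigma rules in Appendices C and D (`registry_set` events on `HKCU\Software\SibCode\sn` and `sn2`) exercised over constructed Sysmon Event ID 13 records, as an added example in Python. The matcher is a deliberately minimal stand-in for a real Sigma backend (it implements only the string modifiers those two rules use and the `target and details` condition) and is not Recorded Future's tooling; the events, SIDs, image paths and value data are constructed, not captured from an infection.

```python
"""Run the report's two Sigma rules (Appendices C and D) over constructed
Sysmon Event ID 13 (registry_set) records. Added example: a minimal matcher
standing in for a real Sigma backend, not Recorded Future code; the events
are constructed, not captured from an infection."""

# Detection sections of the two rules, transcribed from the YAML.
# Both use `condition: target and details`, so every selection must hit.
RULES = {
    "Rhadamanthys Stealer Malware Setting Registry Value sn": {
        "target": {"TargetObject|endswith": r"\Software\SibCode\sn"},
        "details": {"Details|startswith": "DWORD"},
    },
    "Rhadamanthys Stealer Malware Setting Registry Value sn2": {
        "target": {"TargetObject|endswith": r"\Software\SibCode\sn2"},
        "details": {"Details|startswith": "Binary Data"},
    },
}


def _field_matches(value: str, modifier: str, pattern: str) -> bool:
    """Sigma string matching is case-insensitive; apply a single modifier."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier {modifier!r}")


def selection_matches(selection: dict, event: dict) -> bool:
    """All field conditions inside one selection are ANDed."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not _field_matches(str(value), modifier, pattern):
            return False
    return True


def evaluate(event: dict) -> list:
    """Titles of the rules whose selections all match the event."""
    return [
        title for title, sels in RULES.items()
        if all(selection_matches(sel, event) for sel in sels.values())
    ]


# Constructed registry_set events using Sysmon's field names. Sysmon renders a
# DWORD value as "DWORD (0x...)" and a REG_BINARY value as "Binary Data".
EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\SibCode\sn",
     "Details": "DWORD (0x66b4c3a0)"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\SibCode\sn2",
     "Details": "Binary Data"},
    # Benign: a Run-key autostart written by an installer.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\installer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    # Right key, wrong value type: the second selection keeps this out.
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\SibCode\sn",
     "Details": "(Empty)"},
]


def run(events=EVENTS) -> dict:
    """Map each triggering event's index to the rule titles it triggers."""
    results = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, titles in run().items():
        print(idx, EVENTS[idx]["TargetObject"], "->", titles)
```

The fourth event shows why both rules carry a `details` selection: the key path alone would also fire on an analyst or a cleanup script touching the value, while the `DWORD`/`Binary Data` prefix ties the hit to the value type the malware actually writes. Note that `sn` and `sn2` are told apart purely by the `endswith` anchor, so the `sn` rule does not fire on the `sn2` write.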
## Appendix A: Tactics, Techniques, and Procedures (TTPs)

|Tactic: Technique|Description|ATT&CK Code|
|---|---|---|
|Initial Access: Phishing|Rhadamanthys is distributed via phishing campaigns, often using email attachments such as LNK files to deliver the malware.|T1566|
|Execution: Command and Scripting Interpreter|Rhadamanthys uses PowerShell scripts as part of its infection process, leveraging encoded commands to execute its payload.|T1059|
|Execution: User Execution|The infection often starts with user interaction, such as executing an LNK file from a phishing email.|T1204|
|Defense Evasion: Obfuscated Files or Information|Rhadamanthys uses multiple stages of obfuscation, including PowerShell scripts and encoded payloads, to evade detection.|T1027|
|Defense Evasion: Signed Binary Proxy Execution|The malware uses signed binaries, such as AppLaunch.exe, to execute its code and evade detection.|T1218|
|Defense Evasion: Process Injection|Rhadamanthys injects code into legitimate processes to avoid detection and keep its payload running under the radar.|T1055|
|Defense Evasion: Virtualization/Sandbox Evasion|Rhadamanthys includes anti-virtual-machine checks.|T1497|
|Credential Access: Unsecured Credentials|Rhadamanthys can steal credentials stored in FTP clients, email clients, and two-factor authentication applications.|T1552|
|Credential Access: Credentials In Files|The malware targets files containing saved credentials, such as browser password stores.|T1552.001|
|Credential Access: OS Credential Dumping|Rhadamanthys can dump credentials from various sources on the infected system.|T1003|
|Discovery: System Information Discovery|Rhadamanthys gathers system information such as computer name, username, RAM capacity, and CPU cores.|T1082|
|Discovery: File and Directory Discovery|Rhadamanthys searches for specific files and directories on the system, such as Chrome user data, to steal sensitive information.|T1083|
|Collection: Data from Local System|Rhadamanthys collects a wide range of data from the infected system, including system information, credentials, and cryptocurrency wallets.|T1005|
|Collection: Email Collection|Rhadamanthys can collect credentials from email clients such as Outlook and Thunderbird.|T1114|
|Command and Control: Application Layer Protocol|Rhadamanthys communicates with its C2 servers over HTTP and HTTPS, which lets it blend in with normal network traffic.|T1071|

**_Table 8: Rhadamanthys TTPs (Source: Recorded Future)_**

## Appendix B: Rhadamanthys Change Logs

```
V0.4.0
v0.4.0 update completed! Big update, server side and build and prior versions are not compatible, if you need to update, please export the configuration backup on the old version first, and download the log data back to avoid unnecessary losses.
1.rpm -e rhadamanthys
2.rpm -ivh rhadamanthys-0.4.0-1.el8.x86_64.rpm
3.License renewal
4.systemctl restart rhadamanthys
Server panel http://ip:443/admin/console/index.html pass: 12345

V0.4.1
V0.4.1 update content
1. When the ALL TAG record is empty, the global download task push is not triggered
2. Repair the major security vulnerability that the panel session is not affected by password modification
3. Add telegram notification message template customization
4. Re-modify the client's construction form to fully support third-party encryption services. It has been verified that all services available on the market have been tested.
You are also welcome to tell me about service providers that I don't know yet.
5. Increase the one-click summary export of CC ftp phrase mnemonic words
6. Enhance the anti-ETW function of the client

V0.4.5
V0.4.5 update record
1. Add a dedicated shim server, the main server actively establishes the connection, which can be switched on and off at any time. There is no configuration reservation of the backend server IP on the shim server
2. The client and panel fully support ssl, support the use of self-signed certificates, and enhance network breakthrough capabilities
3. The client is rebuilt, and all syscalls are implemented
4. The telegram module robot adds sending screenshots id: <%id%> tags: <%tags%>
```

**_Table 9: Rhadamanthys Change Logs (Source: Recorded Future)_**

## Appendix C: Sigma Rule — Setting Registry Value sn

```
title: Rhadamanthys Stealer Malware Setting Registry Value sn
id: 3c7b2689-89d2-490f-a48e-c8579134c865
description: Detects the Rhadamanthys stealer malware setting HKCU\Software\SibCode\sn with the current timestamp for the re-execution delay feature.
references:
    - ARMOR Internal Research
status: stable
author: Insikt Group, Recorded Future
date: 2024/08/08
level: high
tags:
    - attack.t1112 # Modify Registry
logsource:
    category: registry_set
    product: windows
detection:
    target:
        TargetObject|endswith: '\Software\SibCode\sn'
    details:
        Details|startswith: 'DWORD'
    condition: target and details
falsepositives:
    - unlikely
```

## Appendix D: Sigma Rule — Setting Registry Value sn2

```
title: Rhadamanthys Stealer Malware Setting Registry Value sn2
id: f3c78795-ad90-42e1-9dca-d84066bf35a4
description: Detects the Rhadamanthys stealer malware setting HKCU\Software\SibCode\sn2 with an encrypted timestamp and checksum for the re-execution delay feature.
references:
    - ARMOR Internal Research
status: stable
author: Insikt Group, Recorded Future
date: 2024/08/08
level: high
tags:
    - attack.t1112 # Modify Registry
logsource:
    category: registry_set
    product: windows
detection:
    target:
        TargetObject|endswith: '\Software\SibCode\sn2'
    details:
        Details|startswith: 'Binary Data'
    condition: target and details
falsepositives:
    - unlikely
```

## Appendix E: YARA Rule — Rhadamanthys Initial Stage

```
rule Rhadamanthys
{
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2024-08-07"
        description = "Detects the 1st stage of the Rhadamanthys Stealer Malware"
        version = "1.0"
        hash = "643d2764447b953c2203f53263ea1d66a361ceda7b72c3cdac7d633413596647"
        hash = "1b0215062992174a807e9203688e5727a27c8aaf8a1b5dbdcd10d0d0ea89f7aa"

    strings:
        // ".textbss" section header with characteristics 0xE0000080
        $textbss = { 2E 74 65 78 74 62 73 73 [8] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 E0 }
        $masq = "Roland GS Sound"
        $xor1 = { F6 35 8D FA 4F A7 98 E6 }
        $xor2 = "xxxxxxxxxxxxxxxx"

    condition:
        uint16be(0) == 0x4d5a and filesize < 600KB and filesize > 350KB and $textbss and ($xor1 or $xor2 or $masq)
}
```

## Appendix F: Indicators of Compromise (IoCs)

```
IP Addresses:
5.230.67.168:5140
38.180.100.139:443
38.180.188.69:443
45.61.166.131:443
45.152.84.68:443
45.159.188.37:443
45.202.35.41:2085
57.128.169.122:443
74.81.56.118:8039
77.91.78.112:443
77.221.148.235:443
77.238.245.97:2017
77.238.248.142:443
80.66.75.110:9176
80.66.79.88:7691
81.19.131.103:2013
83.217.209.45:5902
83.217.209.52:443
85.209.90.135:443
88.99.62.143:3674
89.23.103.235:443
89.117.152.61:443
89.117.152.231:443
89.208.103.86:8537
92.246.139.134:443
94.232.249.76:443
94.232.249.92:443
95.216.91.91:1614
95.217.44.124:7584
103.148.58.146:5199
103.148.58.151:5199
103.148.58.152:5199
103.173.179.189:443
104.234.167.212:443
107.189.28.160:7705
135.181.4.162:2423
139.99.17.158:443
142.132.161.168:443
144.76.133.166:8034
147.45.44.107:443
147.45.44.126:443
147.45.44.143:443
147.45.44.187:443
147.45.44.195:443
147.45.70.184:1525
147.124.220.233:7843
149.102.143.198:9586
154.216.17.85:443
```

**_Table 10: Rhadamanthys IoCs (Source: Recorded Future)_**

_Recorded Future reporting contains expressions of likelihood or probability consistent with [US Intelligence Community Directive (ICD) 203: Analytic Standards](https://irp.fas.org/dni/icd/icd-203.pdf) (published January 2, 2015)._
_Recorded Future reporting also uses confidence level standards [employed by the US Intelligence Community](https://www.dni.gov/files/ODNI/documents/assessments/ICA-declass-16MAR21.pdf) to assess the quality and quantity of the source information supporting our analytic judgments._

_About Insikt Group[®]_

_Recorded Future's Insikt Group, the company's threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for clients, enables tangible outcomes, and prevents business disruption._

_About Recorded Future[®]_

_Recorded Future is the world's largest threat intelligence company. Recorded Future's Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering clients to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,800 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence._

_Learn more at recordedfuture.com_