RHADAMANTHYS: THE “EVERYTHING BAGEL” INFOSTEALER.

  • By Checkpoint, view the original blog here:

https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer

Key Takeaways

  • Rhadamanthys is an advanced infostealer which debuted on the dark web in September of last year to a warm critical reception by cybercriminals.
  • A maximalist approach to features: functionality is added for its own sake, never mind the effort required or expected payoff.
  • Campaigns by default target countries indiscriminately, excluding the commonwealth of independent states. This is typical of this kind of malware.
  • Multiple-stage loader/shellcode execution has been researched in prior publications and has made it difficult to reach a proper interactive disassembly workflow with the actual information-stealing logic.
  • We provide highlights of the Dark Web ‘buzz’ surrounding this malware.
  • We share telemetry insights which confirm that by the nature of how the malware is used, large orgs are also being subjected to incidental drive-by attacks that have a theoretical potential to escalate.
  • We present a method of forensically resolving API calls of homebrew function tables in “orphaned” memory dumps from concluded sandbox runs, using the in-memory addresses alone.
  • We use this method to convert a memory dump of Rhadamanthys information stealing code into a workable interactive disassembly database with resolved API calls, and showcase the newly available level of analysis by presenting a step-by-step disassembly breakdown of how the malware compiles its own database of stolen Google Chrome information in order to send back to the C2 server.

Background

What causes a man to wake up one day and say, “I’m going to build my own malware and go sell it to cybercriminals on the dark web”? After all, the market is saturated with competitors, and the product is judged on the one sole metric of how many victims it has successfully parted with their funds and personal data. Statistically, during the past 5 years, someone must have created what would have been the great malware strain to stun the entire industry, but the first two criminals to actually try out the thing had a weak spam game, got weak results, and that was that.

Read More

Don’t Stop Here

More To Explore

contact us

Stay in Touch

Stay informed with the latest insights in our Infostealers weekly report. Explore key findings, trends and data on info-stealing activities.

Pages

Topics

Articles

Reports

Techniques

Copyright 2024 © All rights Reserved. infostealers.com

Logos provided by Clearbit

Are You Compromised?
infostealers-logo
favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

Powered by Hudson Rock

No Spam, We Promise

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

Powered by Hudson Rock

No Spam, We Promise