- Rhadamanthys is an advanced infostealer which debuted on the dark web in September of last year to a warm critical reception by cybercriminals.
- A maximalist approach to features: functionality is added for its own sake, never mind the effort required or expected payoff.
- Campaigns by default target countries indiscriminately, excluding the commonwealth of independent states. This is typical of this kind of malware.
- Multiple-stage loader/shellcode execution has been researched in prior publications and has made it difficult to reach a proper interactive disassembly workflow with the actual information-stealing logic.
- We provide highlights of the Dark Web ‘buzz’ surrounding this malware.
- We share telemetry insights which confirm that by the nature of how the malware is used, large orgs are also being subjected to incidental drive-by attacks that have a theoretical potential to escalate.
- We present a method of forensically resolving API calls of homebrew function tables in “orphaned” memory dumps from concluded sandbox runs, using the in-memory addresses alone.
- We use this method to convert a memory dump of Rhadamanthys information stealing code into a workable interactive disassembly database with resolved API calls, and showcase the newly available level of analysis by presenting a step-by-step disassembly breakdown of how the malware compiles its own database of stolen Google Chrome information in order to send back to the C2 server.
What causes a man to wake up one day and say, “I’m going to build my own malware and go sell it to cybercriminals on the dark web”? After all, the market is saturated with competitors, and the product is judged on the one sole metric of how many victims it has successfully parted with their funds and personal data. Statistically, during the past 5 years, someone must have created what would have been the great malware strain to stun the entire industry, but the first two criminals to actually try out the thing had a weak spam game, got weak results, and that was that.