New Phishing Campaign Targets Oil & Gas with Advanced Information-Stealing Malware

Apr 04, 2024 | Newsroom | Phishing Attack / Malware

An updated version of an information-stealing malware known as Rhadamanthys is being used in phishing campaigns targeting the oil and gas sector.

“The phishing emails use a unique vehicle incident lure and, in later stages of the infection chain, spoof the Federal Bureau of Transportation in a PDF that mentions a significant fine for the incident,” Cofense researcher Dylan Duncan said.

The email message carries a malicious link that abuses an open redirect flaw to send recipients to a page hosting a supposed PDF document, which is in reality an image that, when clicked, downloads a ZIP archive containing the stealer payload.

Written in C++, Rhadamanthys is designed to establish connections with a command-and-control (C2) server in order to harvest sensitive data from the compromised hosts.


“This campaign appeared within days of the law enforcement takedown of the LockBit ransomware group,” Duncan said. While this could be a coincidence, Trend Micro revealed in August 2023 a Rhadamanthys variant that came bundled with a leaked LockBit payload, alongside a clipper malware and a cryptocurrency miner.


“The threat actors added a combination of an information stealer and a LockBit ransomware variant in a single Rhadamanthys bundle, possibly indicating the continued evolution of the malware,” the company noted.

The development comes amid a steady stream of new stealer malware families such as Sync-Scheduler and Mighty Stealer, even as existing strains like StrelaStealer are evolving with improved obfuscation and anti-analysis techniques.


It also follows the emergence of a malspam campaign targeting Indonesia that employs banking-related lures to propagate the Agent Tesla malware and plunder sensitive information such as login credentials, financial data, and personal documents.

Agent Tesla phishing campaigns observed in November 2023 have also set their sights on Australia and the U.S., according to Check Point, which attributed the operations to two African-origin threat actors tracked as Bignosa (aka Nosakhare Godson and Andrei Ivan) and Gods (aka GODINHO or Kmarshal or Kingsley Fredrick), the latter of whom works as a web designer.


“The main actor [Bignosa] appears to be a part of a group operating malware and phishing campaigns, targeting organizations, which is testified by the US and Australian email business databases, as well as individuals,” the Israeli cybersecurity firm said.

The Agent Tesla malware distributed via these attack chains has been found to be protected by the Cassandra Protector, a tool that helps shield software from reverse-engineering or modification. The messages are sent via an open-source webmail tool called RoundCube.

“As seen from the description of these threat actors’ actions, no rocket science degree is required to conduct the cyber crime operations behind one of the most prevalent malware families in the last several years,” Check Point said.

“It’s an unfortunate course of events caused by the low-entry level threshold so that anyone willing to provoke victims to launch the malware via spam campaigns can do so.”
