Malvertising Is Trendy Again; Meet the Rhadamanthys Stealer

Jan 26, 2023 | Industry News

Cybercriminals’ Latest Illusion

There’s a relatively new cyberattack technique that you should be cognizant of. “Malvertising” (malicious advertising) injects malicious code into digital ads. The most disturbing aspect of malvertising is that, in some cases, you may not even need to click on an ad in order for the malware to execute. Just the ad loading and appearing on your page can be enough (“drive-by downloads”). Spooky, huh? 👻

Scams perpetrated through email or the web are nothing new, but exploited digital ads are something most people wouldn’t even consider. The tactic is no doubt a clever one; opportune for cybercriminals, concerning for the rest of us. Malvertising is apparently not all that new (it dates back to 2007) but it’s trendy again. Today we’ll be looking at the Rhadamanthys Stealer malware campaign. While it doesn’t involve drive-by downloads, it’s spread through digital ads, something that will still be news to most people.

The Rhadamanthys Stealer Campaign

On January 12, 2023, cybersecurity researchers at Cyble published a report describing a current malvertising scam being carried out via a Google Ads campaign. In this case, Google Ads were/are spreading the Rhadamanthys Stealer, a new malware that’s only been around since September 2022. Rhadamanthys Stealer is known as an Infostealer (information stealer) and has been marketed on the dark web under the MaaS (Malware as a Service) model.

“Rhadamanthys Stealer spreads by using Google Ads that redirect the user to phishing websites that mimic popular software such as Zoom, AnyDesk, Notepad++, Bluestacks, etc. It can also spread via spam email containing an attachment for delivering the malicious payload.” (Cyble)

These spam phishing emails include a PDF attachment titled “Statement.pdf” to lure in users, but when opened it appears to be an “Adobe Acrobat DC Updater” file (i.e. an Adobe Acrobat update). This fake Adobe Acrobat update prompt contains a “Download Update” link, and if clicked, it downloads a malware executable from a URL. This is how Rhadamanthys makes its way onto your computer.

The file is then used to steal confidential information that is stored on the device, including browsing history, bookmarks, cookies, stored login information, cryptocurrency data, and other system information. 

Rhadamanthys Stealer Phishing Sites to Avoid Like the Plague

As part of their research, Cyble identified several phishing domains that have been used to spread this new malware. These are just some of the websites that were linked to Google Ads. They have been deliberately written with [.]com so that email clients and websites don’t turn them into hyperlinks. ⚠ Be warned, if you go to any of these websites, you will be inviting the Rhadamanthys Stealer malware into your computer.

  • bluestacks-install[.]com
  • zoomus-install[.]com
  • install-zoom[.]com
  • install-anydesk[.]com
  • install-anydeslk[.]com
  • zoom-meetings-install[.]com
  • zoom-meetings-download[.]com
  • anydleslk-download[.]com
  • zoomvideo-install[.]com
  • zoom-video-install[.]com
  • istaller-zoom[.]com
  • Noteepad.hasankahrimanoglu[.]com[.]tr

“The phishing websites further download an installer file disguised as a legitimate installer downloading the respective applications. When installing the respective application, it also silently installs the stealer malware without the user’s knowledge.” (Cyble)
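The domain list above is only useful to a defender if it is actually checked against something. The script below is an added example, not code from Computero or from Cyble’s report: it refangs the published indicators, then scans a handful of constructed DNS/proxy log lines (invented for this example, not real traffic) and flags any host that either matches a known indicator exactly or carries one of the impersonated brand names (zoom, anydesk, bluestacks, notepad) on a domain the vendor does not own. The allow-list of genuine vendor domains and the log format are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as published in Cyble's report and quoted above.
DEFANGED_IOCS = [
    "bluestacks-install[.]com",
    "zoomus-install[.]com",
    "install-zoom[.]com",
    "install-anydesk[.]com",
    "install-anydeslk[.]com",
    "zoom-meetings-install[.]com",
    "zoom-meetings-download[.]com",
    "anydleslk-download[.]com",
    "zoomvideo-install[.]com",
    "zoom-video-install[.]com",
    "istaller-zoom[.]com",
    "Noteepad.hasankahrimanoglu[.]com[.]tr",
]

# Assumption for this example: the genuine vendor domains a user should actually reach.
LEGIT_DOMAINS = {"zoom.us", "anydesk.com", "bluestacks.com", "notepad-plus-plus.org"}

# Brand strings the campaign impersonates, including the misspellings seen in the IoC list.
BRAND_KEYWORDS = ("zoom", "anydesk", "anydeslk", "anydleslk", "bluestacks", "notepad", "noteepad")

# A bare hostname token: one or more labels followed by an alphabetic TLD (rejects IPv4 addresses).
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('install-zoom[.]com') into a matchable hostname."""
    return ioc.replace("[.]", ".").strip(".").lower()


def defang(host: str) -> str:
    """Defang a hostname for safe reporting, the way the list above is written."""
    return host.replace(".", "[.]")


IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}


def is_under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(host: str) -> str:
    """Classify a hostname as known-ioc, legit, lookalike, or clean."""
    host = host.lower().rstrip(".")
    if any(is_under(host, ioc) for ioc in IOC_HOSTS):
        return "known-ioc"
    if any(is_under(host, d) for d in LEGIT_DOMAINS):
        return "legit"
    if any(k in host for k in BRAND_KEYWORDS):
        return "lookalike"  # brand name on a domain the vendor does not own
    return "clean"


def hosts_in_line(line: str):
    """Yield every hostname in a log line, whether bare or inside a URL."""
    for token in line.split():
        if "://" in token:
            h = urlsplit(token).hostname
            if h:
                yield h.lower()
        elif HOST_RE.fullmatch(token.lower()):
            yield token.lower()


def scan_log(lines):
    """Return (line_number, defanged_host, verdict) for every suspicious host."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for host in hosts_in_line(line):
            verdict = classify(host)
            if verdict in ("known-ioc", "lookalike"):
                findings.append((n, defang(host), verdict))
    return findings


# Constructed sample of DNS/proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2023-01-13T10:02:11Z 10.0.0.12 dns-query zoom.us",
    "2023-01-13T10:02:15Z 10.0.0.12 GET https://install-zoom.com/Zoom.exe 200",
    "2023-01-13T10:03:01Z 10.0.0.40 dns-query Noteepad.hasankahrimanoglu.com.tr",
    "2023-01-13T10:04:20Z 10.0.0.40 dns-query mail.anydesk.com",
    "2023-01-13T10:05:02Z 10.0.0.77 GET https://anydesk-setup.invalid/AnyDesk.exe 200",
    "2023-01-13T10:05:30Z 10.0.0.77 GET https://www.example.org/index.html 200",
]

if __name__ == "__main__":
    for n, host, verdict in scan_log(SAMPLE_LOG):
        print(f"line {n}: {host} -> {verdict}")
```

Exact indicator matches are checked before the brand-keyword heuristic, and the allow-list is checked before it too, so genuine vendor subdomains such as mail.anydesk.com are never reported. The "lookalike" verdict is a heuristic that will need tuning for your environment; its value is catching the next typosquatted domain the campaign registers after the published list goes stale.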

The data at risk of being stolen by the Rhadamanthys Stealer includes but is not limited to:

  • System information (computer name, username, OS version, RAM, CPU information, HWID, time zone, user and keyboard language, etc.)
  • Browsing history
  • Bookmarks
  • Cookies
  • Auto-fills (names, passwords, credit card information, addresses, any personal details, etc.)
  • Login credentials

To make matters worse, this malware also targets various crypto wallets and crypto-wallet browser extensions, and is built to gather information from them. As if cryptocurrency isn’t volatile enough.

Based on the stealer samples that Cyble worked with to conduct its research, the Rhadamanthys Stealer has been found to contain specific functionality to target the following crypto wallets:

  • Armory
  • Binance
  • Bitcoin
  • Bytecoin
  • Electron
  • Qtum-Electrum
  • Solar wallet
  • WalletWasabi
  • Zap
  • Zecwallet Lite
  • Zcash

The stealer also targets various applications such as:

  • FTP clients (CoreFTP, WinSCP)
  • Email clients (Foxmail, Thunderbird, Outlook, TrulyMail, GmailNotifierPro)
  • File managers (Total Commander)
  • Password managers (RoboForm, KeePass)
  • VPN services (NordVPN, ProtonVPN, Windscribe VPN, OpenVPN)
  • Messaging applications (Tox, Discord, Telegram)

Rhadamanthys Stealer: Alive & Kicking

Rhadamanthys, a new strain of malware, is still currently active. As mentioned above, the malware utilizes social engineering scams such as malvertising and phishing to deploy the malicious software onto victims. Google Ads will (unknowingly) redirect users to deceptive websites and thus install malware onto the victim’s device, or the user will be targeted with phishing emails containing misleading attachments, potentially disguised as financial statements. 

When one Exploit Forum (a popular hacker forum) member started to advertise the new strain of malware, this is how they described it:

“A multi-functional stealer with power information-gathering functionality, the ability to bypass the Windows Antimalware Scan Interface (AMSI), and an easy to use command and control (C2) panel interface.”

NYSIC CAU Threat Report

One of the most interesting aspects of this malware is that, if it detects that it’s running on a virtual machine (a controlled environment) then it ceases its own execution. The malware then sits there, secretly in your system, waiting for an opportunity to strike, when it knows it won’t be detected, and when it knows it can do the most damage. So, even if you make an effort to secure your systems and data, while you may be less vulnerable, you’re not invincible. 

Strengthen your Protection

There are advanced AI technologies that we can utilize as part of our services to strengthen your protection. One example of this would be Trend Micro XDR, which doesn’t just scan your system for code but also monitors unusual behavior. This provides far more certainty when it comes to dismantling the attempts of cybercriminal opportunists and halts them from penetrating your systems and stealing your data.

For more detailed information on how this malware operates, check out Cyble’s article here:

Evasive Infostealer leveraging Phishing and Spam Campaigns for its Delivery

The Rhadamanthys stealer is just one example of a new and powerful malware threat. Visionaries aren’t the only ones that innovate, criminals can be just as inventive. Don’t take these risks lightly, and don’t underestimate these technologies; they’re developed to be disastrous, no matter who the victim may be, and know that emerging threats are always in the works.

“What kind of name is Rhadamanthys?”

Are you a fortune teller? Because we found ourselves wondering the exact same thing. As it turns out, Rhadamanthys was one of the three judges of the dead, according to Greek Mythology. These three judges would dictate how the dead would spend their eternity: in heaven, hell or “nothingness.” This mythology also inspired a character with the same name in the Saint Seiya anime series. The name is in no way easy to spell and in no way related to anything pleasant. So, if you’re shopping around for baby names, stay away.

What happens next?

There are a lot of risks that come with malware. Some of them include data theft, loss of reputation, financial loss, stolen credentials, client/employee danger, and more. Unfortunately, no business is immune. Especially for companies that have a lot of data, the risks are tenfold, making safeguarding it from cyber attacks especially critical.

How your business can stay safe

Computero greatly values the safety and security of all of our customers. We always use the best and most up-to-date methods to ensure that your company is always cybersafe; however, nothing is bulletproof and your vigilance remains relevant. We’ll work with your business to make sure that you always have the safest network and we make an effort to educate both executives and employees about what to look out for to avoid becoming a victim of cybercrime.

Always keep your devices and software up to date

At Computero, we manage updates for your operating system and any applications on your devices, including your web browser (e.g. Google Chrome) and more. Keeping this software and these systems up to date significantly reduces security vulnerabilities.

Constant monitoring

Computero technicians have state-of-the-art software to monitor your devices and network 24/7, 365 days a year. More often than not, we’ll be aware of any problems before you are.

Strong login security and two-step verification

Emphasize strong passwords and two-step verification to prevent any interference or unauthorized acquisition of data. Ensure that all of your employees have some sort of multi-factor authentication to verify their identity when logging into business accounts; preferably a physical security key, which is the safest form of 2FA available.

Cybersecurity Awareness

When businesses rely heavily on technology, one of the most crucial elements of the employee training process is cybersecurity awareness training. Many businesses tend to overlook this but with cyber attacks on the rise, having a solid understanding of digital risks is more imperative than ever. We firmly believe that every business should have at least some level of cybersecurity awareness education for their employees. Without it, your organization is much more likely to be exploited by hackers. 
