RHADAMANTHYS Weaponizes RAR Archives to Steal Login Credentials

August 8, 2024
1 min read

TLDR:

– The RHADAMANTHYS information stealer targeting Israeli users is a sophisticated cybercampaign originating from Russian-speaking cybercriminals.
– The malware uses a Hebrew phishing email as a social engineering tactic to steal login credentials through a malicious RAR archive attachment.

A newly surfaced cybercampaign targeting Israeli users has thrust the sophisticated RHADAMANTHYS information stealer into the spotlight. Originating from Russian-speaking cybercriminals and offered as a Malware-as-a-Service, RHADAMANTHYS excels at data exfiltration. Recent samples and in-depth analysis reveal a complex infection chain and extensive payload capabilities, highlighting the evolving threat landscape and underscoring the need for robust defenses against this potent malware.

Phishing email: The attack relies on a Hebrew phishing email disguised as a legitimate notification from Calcalist and Mako. The email creates urgency and fear of legal repercussions by falsely claiming copyright infringement and prompting immediate action; the time pressure and anxiety about possible legal trouble are meant to push the recipient past the caution that would normally stop them.

RAR archive attachment: The malicious email carries a locked RAR archive. Extracting it yields a suspicious executable named “תמונות מפרות זכויות יוצרים.exe” with SHA256 hash A7DBBAD8A1CD038E5AB5B3C6B1B312774D808E4B0A2254E8039036972AC8881A and a size of 1,804,072 bytes. The file is likely malicious and requires further analysis in a controlled environment to determine its exact functionality and potential harm.

According to the researcher, the malware persists through a registry modification; exfiltrates sensitive data including credentials, browsing history, cryptocurrency information and system details; and communicates with its C2 server using encrypted traffic over HTTPS on a non-standard port. The researcher's YARA rule attempts to identify likely RHADAMANTHYS samples by matching specific strings, a common code pattern and file characteristics, using a mix of text and hexadecimal patterns that correspond to the malware’s features.
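As an added illustration, not part of the report and not the researcher's YARA rule: a small Python triage routine that applies the indicators quoted above (the SHA256 hash, the 1,804,072-byte size, a RAR container, and a PE executable with a Hebrew filename) to the members of an extracted email attachment. The RAR and PE magic bytes are real signatures; the member names and bytes used in the test are constructed.

```python
import hashlib
import unicodedata

# Indicators quoted from the report above; the hash is lower-cased for comparison.
KNOWN_BAD_SHA256 = {"a7dbbad8a1cd038e5ab5b3c6b1b312774d808e4b0a2254e8039036972ac8881a"}
KNOWN_BAD_SIZE = 1_804_072

# Real file signatures: RAR4 and RAR5 archive markers, and the "MZ" stub every PE starts with.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
PE_MAGIC = b"MZ"


def is_rar(data: bytes) -> bool:
    """True when the attachment bytes start with a RAR archive marker."""
    return any(data.startswith(m) for m in RAR_MAGICS)


def scripts_of(name: str) -> set:
    """Unicode scripts used by the letters of a filename, e.g. {'HEBREW', 'LATIN'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in name if c.isalpha()}


def triage_member(name: str, data: bytes) -> list:
    """Return the reasons an extracted archive member deserves sandbox analysis."""
    reasons = []
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        reasons.append("sha256 matches the reported RHADAMANTHYS sample")
    if len(data) == KNOWN_BAD_SIZE:
        reasons.append("size matches the reported sample; weak on its own")
    if data.startswith(PE_MAGIC):
        reasons.append("PE executable inside an email archive")
        if "HEBREW" in scripts_of(name):
            reasons.append("executable with a Hebrew filename, as in this lure")
    return reasons


def triage_attachment(archive: bytes, members: dict) -> dict:
    """Map each flagged member name to its reasons; members is {name: bytes} after extraction."""
    if not is_rar(archive):
        return {}
    return {name: r for name, blob in members.items() if (r := triage_member(name, blob))}
```

A hit on the hash alone is conclusive; the size and filename heuristics are only there to route unknown samples to the sandbox the report recommends.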

To mitigate the threat, organizations should prioritize email security through robust filtering and sandboxing, enhance user awareness with phishing training, deploy advanced endpoint protection, segment networks, regularly backup critical data, enforce patch management, restrict application execution, and implement multi-factor authentication.
