Figure 5 – Static file details of “Runtime Broker.exe” The additional information is shown in the figure below. Upon execution of the installer file, it creates a folder named “ST” in the %temp% location and drops two hidden binary executable files. Figure 4 – Process tree of malicious AnyDesk installing Stealer The below figure shows the process tree of the malicious AnyDesk installer deploying Rhadamanthys stealer. When installing the respective application, it also silently installs the stealer malware without the user’s knowledge. The phishing websites further downloads an installer file disguised as a legitimate installer downloading the respective applications. We have observed several phishing domains created to spread this malware. The link to these phishing websites spreads through Google ads. The TAs behind this campaign also created a highly convincing phishing webpage impersonating legitimate websites to trick users into downloading the stealer malware, which carries out malicious activities. Figure 3 – Process tree of spam email downloads Stealer The figure below illustrates the process tree of the Rhadamanthys stealer that was delivered via a spam email. Upon execution of the “Jan-statement.exe” file, it runs the stealer and allows it to steal sensitive information from the victim’s machine. When a user clicks the “Download Update” link, it downloads a malware executable from an URL “https\\zolotayavitrinacom/Jan-statementexe” into the Downloads folder.
ANYDESK PORTABLE PDF
Figure 2 – PDF document with a download link When opening the attachment present in the spam email, it displays a message indicating it is an “Adobe Acrobat DC Updater” and includes a download link labelled “Download Update,” as shown below. Figure 1 – Spam Email with PDF Attachment The Rhadamanthys stealer infection starts through spam emails containing a PDF attachment named “Statement.pdf” as shown in the figure below. It can also spread via spam email containing an attachment for delivering the malicious payload.
ANYDESK PORTABLE SOFTWARE
Rhadamanthys stealer spreads by using Google Ads that redirect the user to phishing websites that mimic popular software such as Zoom, AnyDesk, Notepad++, Bluestacks, etc. Recently, we came across a new strain of malware called “Rhadamanthys Stealer.” This stealer variant is active, and the TA behind the malware stealer is selling this under the Malware as a Service (MaaS) model. Threat Actors (TAs) are increasingly using spam emails and phishing websites to trick users into downloading malware such as Stealer and Remote Access Trojan (RAT) to infect users’ machines and steal sensitive information.Ĭyble Research & Intelligence Labs (CRIL) is actively monitoring various stealer malware and publishing blogs about them to inform and educate its readers.
Evasive Infostealer leveraging Phishing and Spam Campaigns for its Delivery
0 kommentar(er)
