Research (Insikt)

Rhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0

Posted: 26th September 2024
By: Insikt Group®

insikt-group-logo-updated-3-300x48.png

Summary

Rhadamanthys, an advanced information stealer first identified in 2022, has undergone rapid updates, with version 0.7.0 introducing AI-driven capabilities for extracting cryptocurrency seed phrases from images. This malware targets credentials, system information, and financial data, using sophisticated evasion techniques like MSI installer disguise. The malware continues to be sold on underground forums despite bans for targeting specific regions. Mitigation strategies include mutex-based kill switches and various detection techniques, such as Snort and Sigma rules.



Rhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0

Rhadamanthys, an advanced information stealer first identified in 2022, has rapidly evolved into one of the most formidable tools in the cybercriminal landscape. Despite bans from underground forums for targeting entities within Russia and the former USSR, this malware remains active and dangerous, sold at prices starting at $250 for a 30-day license.

Insikt Group’s latest analysis of Rhadamanthys Stealer v0.7.0 highlights its new and advanced features, including its use of artificial intelligence (AI) for optical character recognition (OCR). This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies. The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation.

Additionally, the malware has introduced a defense evasion technique using Microsoft Software Installer (MSI) files, which are often seen as trustworthy by conventional detection systems. This method allows attackers to execute malicious payloads without raising immediate red flags in security protocols.

Key Features and Capabilities:

1. Credential and Data Theft: Rhadamanthys targets a broad range of sensitive information, including credentials from browsers, system information, cookies, cryptocurrency wallets, and application data. It is highly adaptable, supporting a variety of extensions for additional malicious activity on compromised systems.

2. AI-Powered Image Recognition: The standout feature in version 0.7.0 is its integration of OCR technology. This innovation enables Rhadamanthys to automatically extract cryptocurrency wallet seed phrases from images, making it one of the first stealers to use AI in this way. The malware detects images containing seed phrases on the infected machine and exfiltrates them to the C2 server for further processing.

3. Evasion Through MSI Installers: To evade detection, Rhadamanthys now allows attackers to deploy malware using MSI packages, typically associated with legitimate software installations. By leveraging this method, attackers can bypass many conventional detection systems that do not flag MSI files as malicious.

The Growing Threat

Rhadamanthys is becoming increasingly popular due to its ease of use and constant updates. Sold openly on dark web forums like Exploit and XSS, the malware has been actively targeting regions in North and South America, with a particular focus on cryptocurrency wallets and user credentials.

The malware’s developer, known by the alias “kingcrete2022”, has faced bans on some underground forums for allegedly targeting Russian entities. However, this has not deterred their activities, as they continue to advertise Rhadamanthys via private messaging platforms like TOX and Telegram.

Mitigation Strategies

Insikt Group has developed several detection strategies and even a "kill switch" to prevent Rhadamanthys from executing on a system.

1. Mutex-Based Kill Switch: By setting known Rhadamanthys mutexes on a non-infected machine, organizations can create a kill switch that prevents the malware from running its stealers and extensions. This is a proactive way to vaccinate systems against current Rhadamanthys infections.

2. Advanced Detection Rules: Insikt Group has developed Sigma, Snort, and YARA detection rules to identify Rhadamanthys activity. These rules target the malware’s MSI file execution and re-execution delay feature, among others, to give security teams a fighting chance against this evolving threat.

3. Endpoint Protection: Deploying endpoint detection and response (EDR) solutions and implementing least-privilege access across systems are critical when protecting against Rhadamanthys. Ensuring multi-factor authentication (MFA) for access to sensitive systems can help mitigate the impact of stolen credentials.

Outlook

Rhadamanthys continues to evolve at a rapid pace, with the next version (0.8.0) already in development. The introduction of AI features, such as seed phrase extraction, is a glimpse into the future of information stealers leveraging machine learning to enhance their effectiveness. While the current mitigation strategies are effective against Rhadamanthys v0.7.0, future versions are likely to include even more advanced capabilities, necessitating continuous updates to detection techniques.

To read the entire analysis, click here to download the report as a PDF.

Related