SteelFox and Rhadamanthys Malware Exploit Copyright Scams and Driver Vulnerabilities to Attack Victims Globally
November 7, 2024
Check Point, a cybersecurity firm, is monitoring a large-scale cybercrime campaign named CopyRh(ight)adamantys, which targets victims in the United States, Europe, East Asia, and South America. The campaign impersonates various companies and sends each email from a unique Gmail account, tailoring the impersonated company and language to the entity being targeted. According to Check Point, "Almost 70% of the impersonated companies are from the Entertainment /Media and Technology/Software sectors."
This campaign is particularly noteworthy due to the deployment of version 0.7 of the Rhadamanthys stealer. This malware incorporates artificial intelligence (AI) for optical character recognition (OCR). The campaign is suspected to overlap with another one that targeted Facebook business and advertising account users in Taiwan to deliver Lumma or Rhadamanthys stealer malware.
The fraudulent emails, sent from Gmail accounts, purport to come from the legal representatives of the impersonated companies. They accuse the recipients of brand misuse on social media platforms and ask them to remove the related images and videos. According to Check Point, "The removal instructions are said to be in a password-protected file. However, the attached file is a download link to appspot.com, linked to the Gmail account, which redirects the user to Dropbox or Discord to download a password-protected archive (with the password provided in the email)." The RAR archive contains a legitimate executable vulnerable to DLL side-loading, the malicious DLL carrying the stealer payload, and a decoy document. When the legitimate binary is run, it side-loads the malicious DLL, leading to the deployment of Rhadamanthys.
Check Point attributes this campaign to a likely cybercrime group and suggests that the threat actors may have used AI tools given the scale of the campaign and the variety of lures and sender emails. The company stated, "The campaign's widespread and indiscriminate targeting of organizations across multiple regions suggests it was orchestrated by a financially motivated cybercrime group rather than a nation-state actor."
At the same time, Kaspersky discovered a new "full-featured crimeware bundle" named SteelFox, propagated via forum posts, torrent trackers, and blogs, and masquerading as legitimate utilities such as Foxit PDF Editor, JetBrains, and AutoCAD. The campaign, which started in February 2023, has affected victims globally, especially in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. It has not been attributed to any known threat actor or group. The malware uses a sophisticated execution chain that abuses Windows services and drivers to extract victims' credit card data and device information. It exploits vulnerabilities in the WinRing0.sys driver (CVE-2020-14979 and CVE-2021-41285) to obtain NT\SYSTEM privileges, and is also used for cryptocurrency mining. The malware also exfiltrates sensitive data from web browsers and system metadata over a secure connection.
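As an added illustration, not code from Check Point's or Kaspersky's reports, the following Python runs a few constructed, simplified Sysmon-style events through two detection checks for the loader patterns described above: an unsigned DLL loaded by a process from its own user-writable directory (the extracted RAR in the Rhadamanthys chain, which a gateway cannot inspect while it is still password-protected) and a load of the WinRing0.sys driver, or of any driver from a user-writable path (the SteelFox chain). The event field names, paths and the user-writable prefix list are assumptions for the example, not the real Sysmon schema.

```python
from pathlib import PureWindowsPath

# Constructed, simplified Sysmon-style records (assumed field names, not the real schema).
# EventID 7 = image (DLL) load by a process; EventID 6 = kernel driver load.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\notice\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\notice\helper.dll", "Signed": False},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": True},
    {"EventID": 6, "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\WinRing0.sys", "Signed": True},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": True},
]

# Directories a standard user can write to (assumed list; extend for your environment).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
# Driver named in the report as abused by SteelFox (CVE-2020-14979, CVE-2021-41285).
KNOWN_VULNERABLE_DRIVERS = {"winring0.sys"}


def in_user_writable_dir(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def same_directory(a: str, b: str) -> bool:
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def check_event(ev: dict):
    """Return a finding string for a suspicious event, or None."""
    if ev["EventID"] == 7:
        # Side-load pattern: a process loads an unsigned DLL that sits in its own,
        # user-writable directory (the extracted archive: legit EXE + malicious DLL).
        if (not ev["Signed"] and same_directory(ev["Image"], ev["ImageLoaded"])
                and in_user_writable_dir(ev["ImageLoaded"])):
            return f"possible DLL side-load: {ev['Image']} loaded unsigned {ev['ImageLoaded']}"
    elif ev["EventID"] == 6:
        # BYOVD pattern: a known-vulnerable driver, or any driver from a user-writable path.
        # Such a driver usually carries a valid signature, so "Signed" alone is no signal.
        name = PureWindowsPath(ev["ImageLoaded"]).name.lower()
        if name in KNOWN_VULNERABLE_DRIVERS or in_user_writable_dir(ev["ImageLoaded"]):
            return f"BYOVD candidate: driver load {ev['ImageLoaded']}"
    return None


def scan(events):
    """Run every event through check_event and keep only the findings."""
    return [f for f in map(check_event, events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the scan reports the helper.dll side-load and the WinRing0.sys driver load and stays silent on the two legitimate loads.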