April 11, 2024 at 07:45AM
TA547, a threat actor, has initiated an invoice-themed phishing campaign targeting German organizations with the Rhadamanthys information stealer. This marks the first instance of TA547 using Rhadamanthys, possibly with a language model-generated PowerShell script. The group has also evolved into an initial access broker for ransomware attacks, employing geofencing tricks and evolving techniques.
Key takeaways from the Newsroom Endpoint Security / Ransomware item are:
1. TA547 targeted German organizations using an information stealer called Rhadamanthys through an invoice-themed phishing campaign.
2. The threat actor has evolved into an initial access broker (IAB) for ransomware attacks and has been employing geofencing tricks to restrict payloads to specific regions.
3. The email messages impersonate the German company Metro AG and contain a password-protected ZIP file containing a remote PowerShell script to launch the Rhadamanthys stealer directly in memory.
4. The PowerShell script used to load Rhadamanthys includes “grammatically correct and hyper specific comments,” demonstrating the possibility of it being generated by a large language model (LLM) or copied from another source.
5. Phishing campaigns have been employing uncommon tactics such as using heavily obfuscated HTML content to run JavaScript code embedded within an SVG image to facilitate credential-harvesting attacks.
6. Social engineering campaigns have taken the form of malicious ads served on search engines to deploy malware like Nitrogen, IDAT Loader, and SectopRAT trojan.
7. Endpoint protection recommendations include restricting traffic from both major and lesser-known ad networks to protect against malicious ads.