November 6, 2024 at 05:56PM
Check Point Research has tracked a spear-phishing campaign, "CopyRh(ight)adamantys," that targets hundreds of companies worldwide with emails falsely claiming copyright infringement. The emails deliver Rhadamanthys, an advanced infostealer that harvests sensitive data from the victim's machine. The attackers automate the sending, typically impersonating well-known technology and entertainment brands.
### Key Takeaways on CopyRh(ight)adamantys
1. **Spear-Phishing Campaign Overview**:
– An extensive spear-phishing campaign has targeted hundreds of companies globally, using emails that falsely claim copyright infringement to deliver a sophisticated infostealer called Rhadamanthys.
2. **Tracking and Spread**:
– Check Point Research began monitoring these emails in July as they spread across the Americas, Europe, and Southeast Asia; each email is sent from a different domain, so blocking individual senders gives little protection.
– Hundreds of targeted companies have been identified, which suggests the real scope of the campaign is larger.
3. **Nature of Attack**:
– The emails aim to manipulate recipients into downloading Rhadamanthys by invoking feelings of guilt related to copyright violations.
– The senders pose as legal representatives of companies mainly in technology (Check Point itself is among the impersonated brands) or media and entertainment; roughly 70% of the targeted companies operate in these sectors.
4. **Email Mechanics**:
– Each email demands that specific media be taken down and points to a password-protected download hosted on a legitimate file-sharing service such as Dropbox or Discord; the password protection keeps the archive opaque to link and attachment scanners.
– The downloaded archive holds a decoy document, a legitimate (benign) executable, and a malicious DLL (dynamic link library) that carries Rhadamanthys; running the executable side-loads the DLL.
5. **Characteristics of Rhadamanthys**:
– Rhadamanthys is regarded as one of the most advanced infostealers sold on underground markets; at roughly $1,000 per rental period it is priced above most competing stealers.
– Its modular design makes detection harder. One module performs OCR, extracting text from images with conventional machine-learning models, though its accuracy has notable limitations.
6. **Targeting Cryptocurrencies**:
– The campaign appears financially motivated and goes after cryptocurrency-related data in particular: the malware ships with a built-in dictionary tied to Bitcoin wallet protection, the kind of word list used in wallet recovery phrases.
7. **Stealth Tactics**:
– A distinctive trick: once running, the malware writes a much larger copy of itself to the victim's system, disguised as a Firefox component. The padding changes the file's hash, so signatures keyed on the original dropper no longer match (and many scanners apply size limits that a heavily padded file can exceed).
– The tactic has a practical constraint for the attacker: email systems cap attachment sizes, so the padded copy cannot be delivered directly and has to be generated on the victim's machine, which is itself observable behaviour.
8. **Recommendations for Defense**:
– Organizations should strengthen phishing protection first, since the whole chain depends on a user following the link and opening the archive.
– Monitoring and rules around large files that originate from email links can surface this tactic, for example alerting on unusually large executables written shortly after such a download. The rule needs tuning, because legitimate installers and media files are large too.
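The lure traits listed above (copyright pretext, file-sharing link, password for the download in the message body, a sender domain never seen before) can be turned into a triage score. The following is an added example, not code from Check Point Research or from the campaign write-up; the file-sharing domain list, regexes, threshold and the two sample messages are assumptions constructed for the demo.

```python
"""Triage heuristics for copyright-themed phishing lures.

Added example, not code from Check Point Research or the campaign write-up.
It scores a raw RFC 822 message on the traits the campaign summary describes:
a copyright/takedown pretext, a link to a file-sharing host (Dropbox, Discord),
a password for the download given in the body, and a sender domain not seen
before. Domain list, regexes, threshold and sample messages are assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosting providers the summary names for the archive links (assumed domains).
FILE_SHARE_DOMAINS = ("dropbox.com", "dropboxusercontent.com",
                      "discord.com", "discordapp.com")

COPYRIGHT_TERMS = re.compile(
    r"\b(copyright|infringement|dmca|unauthori[sz]ed use|legal action"
    r"|remove (?:the|this|these) (?:image|images|video|videos|content|media))\b",
    re.I)
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is)?\s*:?\s*\S{4,}", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def text_body(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def is_file_share_host(host: str) -> bool:
    """True for the listed domains and their subdomains only (no lookalikes)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FILE_SHARE_DOMAINS)


def score_message(raw: str, known_sender_domains: set) -> dict:
    """Return indicator flags, a score and a verdict for one raw message."""
    msg = message_from_string(raw)
    body = text_body(msg)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    share_links = [u for u in URL_RE.findall(body)
                   if is_file_share_host(urlparse(u).hostname or "")]
    indicators = {
        "copyright_pretext": bool(COPYRIGHT_TERMS.search(
            (msg.get("Subject") or "") + "\n" + body)),
        "file_share_link": bool(share_links),
        "password_in_body": bool(PASSWORD_HINT.search(body)),
        "unknown_sender_domain": sender_domain not in known_sender_domains,
    }
    score = sum(indicators.values())
    return {
        "sender_domain": sender_domain,
        "share_links": share_links,
        "indicators": indicators,
        "score": score,
        # Three or more traits together is the assumed quarantine threshold.
        "verdict": "quarantine" if score >= 3 else "deliver",
    }


# Constructed sample messages (not real campaign emails).
SAMPLE_LURE = """\
From: Legal Notices <legal@examplebrand-rights.invalid>
To: press@target.invalid
Subject: Copyright infringement notice - action required within 48 hours

Our client owns the images published on your website. Review the evidence,
remove the media, and confirm in writing:
https://www.dropbox.com/s/abcd1234/evidence.zip
The archive password is: Rights2024
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane@partner.invalid>
To: press@target.invalid
Subject: Q4 brand assets

Hi, the final logo files are in the shared Dropbox folder:
https://www.dropbox.com/sh/team/brand-assets
Thanks!
"""

KNOWN_SENDER_DOMAINS = {"partner.invalid", "target.invalid"}

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, score_message(raw, KNOWN_SENDER_DOMAINS))
```

The benign message also links to Dropbox, which is why a single indicator must not trigger quarantine; the combination of a takedown pretext, a shared archive and its password in the same message from an unknown domain is what separates the lure. The "known sender domains" set stands in for whatever first-seen tracking the mail gateway already keeps.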
### Action Items:
– Increase awareness and training among employees regarding phishing emails and suspicious attachments.
– Review and tighten security protocols related to large file downloads from emails.
– Review antivirus and endpoint monitoring configuration (including any file-size scan limits) so that padded or oversized executables are still inspected rather than skipped, and so that the writing of such a file is logged.
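The padding trick in takeaway 7 and the large-file rule in takeaway 8 both come down to one measurable property: a PE file whose on-disk size far exceeds what its section table accounts for, with the excess made of very few byte values. The following is an added example, not code from Check Point Research or the campaign write-up; it parses the section table per the public PE/COFF layout, and the size and byte-variety thresholds and the three sample images are assumptions constructed for the demo.

```python
"""Spot PE files inflated by a padding overlay.

Added example, not code from Check Point Research or the campaign write-up.
It reads the PE section table (public PE/COFF layout) to find where the headers
say the file should end and treats a large, low-variety overlay past that point
as padding of the kind used to change a file's hash. Thresholds and the sample
images are assumptions constructed for the demo.
"""
import struct

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_declared_size(data: bytes) -> int:
    """Offset where the last section's raw data ends, per the PE headers.

    Anything past this offset is an overlay that no section maps into memory.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + size_of_optional
    end = table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry.
        size_raw, ptr_raw = struct.unpack_from(
            "<II", data, table + i * SECTION_HEADER_SIZE + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_report(data: bytes, min_overlay: int = 1 << 20,
                   max_distinct: int = 8) -> dict:
    """Classify the overlay: large and built from very few byte values is padding.

    Compressed installer payloads (NSIS, Inno Setup) are also large overlays but
    use nearly all 256 byte values, so they are not flagged.
    """
    declared = pe_declared_size(data)
    overlay = data[declared:]
    distinct = len(set(overlay))
    return {
        "file_size": len(data),
        "declared_size": declared,
        "overlay_size": len(overlay),
        "overlay_distinct_bytes": distinct,
        "padded": len(overlay) >= min_overlay and distinct <= max_distinct,
    }


def build_sample_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE layout with one section (headers only, not runnable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xF0  # PE32+ optional header size; contents irrelevant here
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_of_optional, 0x22)
    raw_ptr = e_lfanew + 4 + COFF_HEADER_SIZE + size_of_optional + SECTION_HEADER_SIZE
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + b"\0" * size_of_optional + section
            + section_data + overlay)


# Constructed samples: a clean image, one padded with 2 MiB of zero bytes (the
# hash-changing tactic), and one whose 2 MiB overlay uses every byte value,
# like an installer's compressed payload.
SAMPLE_CLEAN = build_sample_pe(b"\xCC" * 256, b"")
SAMPLE_PADDED = build_sample_pe(b"\xCC" * 256, b"\0" * (2 << 20))
SAMPLE_INSTALLER_LIKE = build_sample_pe(b"\xCC" * 256, bytes(range(256)) * (2 << 12))

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("padded", SAMPLE_PADDED),
                       ("installer-like", SAMPLE_INSTALLER_LIKE)):
        print(name, overlay_report(blob))
```

A padded overlay on its own is not proof of malice; the flag is meant to be joined with provenance (the file was written minutes after a download from an email link, under a name that mimics a browser component) before it raises an alert. Truncated or malformed headers make `struct.unpack_from` raise, which a production scanner should catch and report as "unparseable" rather than "clean".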