December 18, 2023 at 09:39AM
Developers continue to enhance Rhadamanthys malware, broadening its data-collection capabilities and incorporating a plugin system that lets distributors customize deployments. Deployed through malicious sites, the malware harvests sensitive information from compromised hosts, and Check Point’s analysis traces its evolution into a potent threat. Similar to Rhadamanthys, AsyncRAT uses legitimate processes for stealthy deployment via phishing attacks. This backdoor has anti-analysis checks, persistence installation, keylogging, and crypto wallet scanning capabilities. Threat actors utilize Dynamic DNS to obfuscate their activities.
Key Takeaways from Meeting Notes:
1. Rhadamanthys, an information stealer malware, is consistently being enhanced
– The developers are expanding its data collection abilities and implementing a plugin system for greater customization
– It is distributed under the malware-as-a-service (MaaS) model by an actor known as “kingcrete2022”
2. Characteristics and Capabilities of Rhadamanthys
– Capable of harvesting a wide range of sensitive information from compromised hosts, including from web browsers, crypto wallets, email clients, VPN, and instant messaging apps
– Version 0.5.2 is the current working version; versions 0.5.0 and 0.5.1 introduced the plugin system, making it more versatile
– The stealer components can both actively open processes and passively search and retrieve specific files for credentials
– Utilizes a Lua script runner to extract information from various sources, including cryptocurrency wallets, email agents, FTP services, VPNs, and more
– Version 0.5.1 incorporates clipper functionality and the recovery of Google Account cookies
3. Ongoing Development and Evolution
– Continual enrichment of features, transitioning from being solely a stealer to a multipurpose bot, with plans to enable the loading of multiple extensions created by distributors
– Inclusion of a keylogger and system information collection, indicating a shift towards general-purpose spyware
4. AsyncRAT Infection Chains
– Trend Micro detailed new AsyncRAT infection chains that leverage a legitimate Microsoft process called aspnet_compiler.exe
5. Capabilities and Characteristics of AsyncRAT
– Stealthily deploys the remote access trojan (RAT) via phishing attacks, culminating in contact with a command-and-control (C2) server
– Includes anti-debugging and analysis checks, persistence installation, keylogging, and scanning for specific data within application directories and user data
– Reliance on Dynamic DNS (DDNS) to deliberately obfuscate threat actor activities
Overall, the meeting notes highlight the continual evolution and expansion of capabilities in both Rhadamanthys and AsyncRAT. Both show a trend towards greater customization and the integration of a wider range of features to suit the specific needs of the threat actors and distributors.