November 7, 2024 at 05:04AM
A phishing campaign named CopyRh(ight)adamantys is exploiting copyright themes to distribute the Rhadamanthys information stealer across various global regions. The attackers impersonate well-known companies and use sophisticated methods, including AI for targeted spear-phishing. Separately, the SteelFox malware, which poses as legitimate software, targets users worldwide via malicious links and steals their data.
**Meeting Takeaways:**
1. **Phishing Campaign Overview:**
– An ongoing phishing campaign named CopyRh(ight)adamantys is leveraging copyright themes to distribute a new version (0.7) of the Rhadamanthys information stealer since July 2024.
– The campaign targets the United States, Europe, East Asia, and South America, with focused impersonation of companies primarily in the Entertainment/Media and Technology/Software sectors.
2. **Attack Methodology:**
– The campaign uses spear-phishing tactics, sending emails from a variety of Gmail accounts that impersonate the legal representatives of well-known companies.
– Emails accuse recipients of copyright violations and instruct them to remove content, with a download link to a password-protected file that actually leads to malicious content.
3. **Rhadamanthys Payload:**
– The attachment includes a legitimate executable and a malicious DLL containing the stealer payload, leading to compromise once executed.
4. **Cybercrime Attribution:**
– Check Point associates this campaign with a financially motivated cybercrime group rather than state actors, citing sophisticated AI usage and extensive global targeting.
5. **SteelFox Malware Introduction:**
– Kaspersky has reported on SteelFox, a crimeware bundle available through online forums and masquerading as legitimate software, which has affected users globally since February 2023.
– The malware exploits known vulnerabilities in Windows services and drivers to harvest sensitive data, including credit card information.
6. **Technical Characteristics:**
– SteelFox employs a dropper application that requires admin access to drop malicious components and establish persistence, ultimately launching a miner that also connects to remote servers for data exfiltration.
7. **Advanced Techniques:**
– The malware combines advanced C++ development with secure communications (TLS 1.3) and effective data harvesting methods, showcasing the evolution of cyber threats.
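The lure pattern described under item 2 (a "legal representative" writing from a free webmail account, a copyright-violation accusation, and a link to a password-protected archive) can be turned into a simple mail-triage heuristic. The following is an added example for defenders, not code from the Check Point report or from either malware family; the email samples, the free-mail domain list and the indicator weights are constructed assumptions.

```python
import re
from dataclasses import dataclass

FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumption: free webmail providers
COPYRIGHT_WORDS = re.compile(r"\b(copyright|infringement|DMCA|legal department|remove the content)\b", re.I)
PROTECTED_ARCHIVE = re.compile(r"password[- ]?protected|\.(zip|rar)\b|\barchive\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)

@dataclass
class Email:
    sender: str
    claimed_org: str  # company the sender claims to represent (display name or signature)
    subject: str
    body: str

def lure_score(mail: Email) -> tuple[int, list[str]]:
    """Return (score, reasons); each matched indicator of the lure pattern adds one point."""
    reasons = []
    sender_domain = mail.sender.rsplit("@", 1)[-1].lower()
    # Indicator 1: the "legal representative" writes from a free webmail account
    if sender_domain in FREE_MAIL:
        reasons.append(f"free webmail sender ({sender_domain})")
    # Indicator 2: the company being impersonated is not reflected in the sender's domain
    org = re.sub(r"[^a-z0-9]", "", mail.claimed_org.lower())
    if org and org not in re.sub(r"[^a-z0-9]", "", sender_domain):
        reasons.append(f"claimed org '{mail.claimed_org}' not in sender domain")
    # Indicator 3: copyright-violation / legal-threat wording in subject or body
    if COPYRIGHT_WORDS.search(mail.subject + " " + mail.body):
        reasons.append("copyright/legal-threat wording")
    # Indicator 4: a download link paired with password-protected-archive language
    if LINK.search(mail.body) and PROTECTED_ARCHIVE.search(mail.body):
        reasons.append("download link to password-protected archive")
    return len(reasons), reasons

# Constructed samples, not real messages from the campaign
PHISH = Email(
    sender="legal.notice.team@gmail.com",
    claimed_org="Acme Studios",
    subject="Copyright infringement notice - immediate action required",
    body="Our legal department found your page uses our images. Remove the content "
         "within 24 hours. Evidence is in the password-protected archive: "
         "https://example.invalid/evidence.zip (password: 1234)",
)
BENIGN = Email(sender="alice@acmestudios.com", claimed_org="Acme Studios",
               subject="Q3 planning notes", body="Notes from yesterday's meeting attached.")

if __name__ == "__main__":
    for m in (PHISH, BENIGN):
        print(m.subject, "->", lure_score(m))
```

A score of 3 or more is a reasonable threshold for routing a message to manual review rather than blocking it outright, since any single indicator also occurs in legitimate mail.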
**Next Steps:**
– Continue monitoring both campaigns for developments and potential impacts on the organization.
– Enhance cybersecurity training to educate employees about recognizing sophisticated phishing attempts.
– Evaluate security measures in place related to software installation and driver vulnerabilities.