A large-scale phishing campaign, initially identified in July 2024, is leveraging false copyright infringement claims to infiltrate users’ systems with a potent new version of the Rhadamanthys info-stealer malware, targeting North America, Europe, the Middle East, East Asia, and South America. The tactics involve fake copyright infringement emails, file obfuscation, and an upgraded optical character recognition (OCR) feature to evade detection and extract sensitive data.
The attackers impersonate prominent companies, sending emails from various Gmail accounts that claim recipients have violated copyright policies on their Facebook pages. These emails direct targets to download a password-protected archive, where, upon extraction, a sophisticated chain of infection begins through DLL sideloading, leading to the installation of the Rhadamanthys 0.7 malware.
Phishing emails are designed to seem urgent and credible. They are often tailored to the recipient’s language, but researchers have found occasional errors. For instance, one email intended for an Israeli recipient was mistakenly sent in Korean.
Researchers believe that artificial intelligence (AI) tools are used to create these phishing scams and accounts.
Approximately 70% of the companies impersonated in these emails belong to the entertainment, media, technology, and software sectors, which are frequently involved in copyright-related communications.
“Almost 70% of the impersonated companies are from the Entertainment/Media and Technology/Software sectors. This is possibly due to the fact that those sectors have a high online presence and are more likely to send such requests than other sectors. These high-profile sectors also have frequent copyright-related communications, making such phishing attempts appear more credible,” researchers explained.
The infection chain begins when the targeted user opens the password-protected archive, which contains a mix of legitimate and malicious files. When executed, these files use DLL sideloading, a technique in which a legitimate, trusted program is tricked into loading a malicious DLL that sits where the program expects a library of that name.
This installs Rhadamanthys 0.7, the latest version of the malware, which writes a modified DLL into the Documents folder under the guise of a Firefox-based component, evading detection through subtle changes in file structure.
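As an added example (not code from the report or from the researchers), the following check looks through a file inventory for the pattern described above: a DLL in a user-writable location such as Documents that is unsigned, sits beside a signed executable that could load it by name, or carries the name of a Firefox module outside the Firefox install directory. The paths, signer names and the Firefox module watch-list are constructed assumptions, not indicators from the campaign.

```python
from pathlib import PureWindowsPath

# Assumption: DLLs under these roots are treated as standard install locations
# and skipped; anything elsewhere is worth a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Names of real Firefox modules, used here only as a look-alike watch-list
# (assumption: the campaign's DLL name is not given in the report).
FIREFOX_MODULES = {"xul.dll", "mozglue.dll", "nss3.dll", "lgpllibs.dll",
                   "freebl3.dll", "softokn3.dll"}

# Constructed inventory: (path, is_signed, signer). Not real indicators.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Documents\Invoice\viewer.exe", True, "Legit Vendor Inc."),
    (r"C:\Users\alice\Documents\Invoice\helper.dll", False, None),
    (r"C:\Users\alice\Documents\mozglue.dll", False, None),
    (r"C:\Program Files\Mozilla Firefox\mozglue.dll", True, "Mozilla Corporation"),
    (r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
]


def find_sideload_candidates(inventory):
    """Return [(dll_path, [reasons])] for DLLs outside the trusted roots."""
    # Directories that hold a signed EXE: a DLL dropped next to one is the
    # classic sideloading layout (legitimate loader + malicious library).
    signed_exe_dirs = {
        str(PureWindowsPath(path).parent).lower()
        for path, signed, _ in inventory
        if signed and path.lower().endswith(".exe")
    }
    findings = []
    for path, signed, _ in inventory:
        p = PureWindowsPath(path)
        low = str(p).lower()
        if p.suffix.lower() != ".dll" or low.startswith(TRUSTED_ROOTS):
            continue
        reasons = []
        if not signed:
            reasons.append("unsigned DLL")
        if str(p.parent).lower() in signed_exe_dirs:
            reasons.append("sits next to a signed EXE that may load it by name")
        if p.name.lower() in FIREFOX_MODULES:
            reasons.append("Firefox module name outside the Firefox install dir")
        if "\\documents\\" in low:
            reasons.append("located under a user's Documents folder")
        if reasons:
            findings.append((str(p), reasons))
    return findings


if __name__ == "__main__":
    for dll, why in find_sideload_candidates(SAMPLE_INVENTORY):
        print(dll, "->", "; ".join(why))
```

On a live host the inventory would come from a directory walk plus an Authenticode check; the logic above is the part that stays the same.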
A standout feature of Rhadamanthys 0.7 is an OCR module designed to scan documents for phrases commonly used in cryptocurrency wallet security, specifically phrases related to Bitcoin Improvement Proposal 39 (BIP39).
The malware uses traditional machine learning for OCR, allowing it to read basic text but limiting it to clear, typed fonts and popular image formats like BMP, JPEG, PNG, and TIFF. This shows how attackers incorporate older but reliable AI techniques to enhance their malware’s data-extraction capabilities.
Researchers discovered that the infection progresses through multiple stages, each focusing on a specific objective. Stage 1 establishes the initial foothold, while Stage 2 initiates anti-detection routines and connects to the command-and-control (C2) server to download the final, data-stealing modules in Stage 3. This stage also includes the new OCR feature, which recognises text within images and PDF files; the extracted text is then analysed for phrases linked to cryptocurrency security.
The final steps involve storing this phrasing within the malware’s infrastructure, allowing for potential future attacks on cryptocurrency wallets. The attackers seem to focus on gathering sensitive information that could later be used for financially motivated cybercrime rather than espionage.