Skip to content

Google Ad phishing campaign found distributing Rhadamanthys malware

  • by
  • 3 min read

Using Google Ads to redirect victims to phishing sites, threat actors are impersonating popular programs like AnyDesk, BlueStacks, Notepad++ and Zoom to distribute the Rhadamnthys malware strain. The malware also spreads via phishing emails that contain malicious attachments. 

Additionally, the malware string also targets several crypto wallets, including:

  • Armory
  • Binance
  • Bitcoin
  • Bytecoin
  • Electron
  • Qtum-Electrum
  • Solar wallet
  • WalletWasabi
  • Zap
  • Zecwallet Lite
  • Zcash

Samples were analysed by Cyble Research & Intelligence Labs (CRIL) researchers, who reported spotting specific functionality to target the aforementioned crypto wallets in addition to several others.

In the News: EU cops arrest 15 crypto scammers, shuts down 4 call centres

Phishing using Google Ads

The attack vector starts with an email containing a fake PDF statement file, including a download link for an executable for the malware. Other than this, the threat actors have also made a series of fake sites impersonating the programs as mentioned above.

Google Ad phishing campaign found distributing Rhadamanthys malware
Phishing emails sent with malicious PDF attachments. | Source: Cyble

Some of the domains observed in the campaign are as follows:

  • anydleslk-download.com
  • bluestacks-install.com
  • install-anydesk.com
  • install-anydeslk.com
  • install-zoom.com
  • istaller-zoom.com
  • noteepad.hasankahrimanoglu.com[.]tr
  • zoom-meetings-download.com
  • zoom-meetings-install.com
  • zoom-video-install.com
  • zoomus-install.com
  • zoomvideo-install.com

The downloads from these sites include a legitimate installer for the impersonated program. However, in addition to installing the program, the installer also silently installs an instance of the Rhadamanthys stealer.

There are several checks built into the installer to avoid detection. For example, the malware strain is instantly terminated if the installer detects it’s being run in a virtual environment.

Additionally, a stenography image is downloaded from a remote Command and Control (C2) server during installation. Researchers suspect the actual Rhadamanthys payload is encoded in this image. 

Once installed, the malware starts collecting system information by running Windows Management Instrumentation (WMI) queries. This can extract information like computer name, username, OS version, CPU and RAM information, HWDI, time zone, and OS and keyboard languages, among other things. 

Following this, the malware looks for installed browsers on the target machine and scans their directories for information like browser history, bookmarks, cookies, and login credentials. Targeted browsers include Brave, Chrome, CocCoc, Edge, Firefox, Opera Software, Pale Moon and Sleipnir5 among others. 

Google Ad phishing campaign found distributing Rhadamanthys malware
The Rhadamanthys C2 server. | Source: Cyble

Finally, the stealer also looks for any FTP and email clients, file managers, VPN programs and messaging applications to extract any data if possible. All stolen information is then sent to the attacker’s C2 server. 

There has been a recent rise in the use of Google Ads to propagate phishing campaigns and malware stealers. In December, Guardio Labs spotted threat actors impersonating popular programs using Google Ads to distribute the Racoon information stealer. CRIL researchers also spotted a similar campaign impersonating Zoom to distribute the IcedID malware using a similar propagation method. 

In the News: CNET is publishing AI-generated articles

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

  • >