{"id":24051,"date":"2024-02-28T11:13:16","date_gmt":"2024-02-28T19:13:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/02\/28\/news-17781\/"},"modified":"2024-02-28T11:13:16","modified_gmt":"2024-02-28T19:13:16","slug":"news-17781","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/02\/28\/news-17781\/","title":{"rendered":"One year later, Rhadamanthys is still dropped via malvertising"},"content":{"rendered":"\n<p>It was just a little over a year ago that the Rhadamanthys stealer was first <a href=\"https:\/\/malware-traffic-analysis.net\/2023\/01\/03\/index.html\">publicly seen<\/a> distributed via malicious ads. Throughout 2023, we observed continued malvertising chains related to software downloads.<\/p>\n<p>Fast forward to 2024, and the same malvertising campaigns are still going on. After a lull last summer, we noticed an increase since the fall, which has so far been sustained. The most recent targeted searches are for Parsec and FreeCad, followed by WinSCP, Advanced IP Scanner, Slack and Notion.<\/p>\n<p>Threat actors are targeting business users with payloads such as FakeBat, Nitrogen or Hijackloader. One other malware family we have seen here and there is Rhadamanthys. 
In this blog post, we detail the latest distribution chain related to this malware.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-key-points\">Key points<\/h2>\n<ul>\n<li>Rhadamanthys is an infostealer distributed via malspam and malvertising.<\/li>\n<li>Google searches for popular software such as Notion return malicious ads.<\/li>\n<li>Threat actors are using decoy websites to trick users into downloading malware.<\/li>\n<li>The initial payload is a dropper that retrieves Rhadamanthys via a URL pasted online.<\/li>\n<li>The TextBin paste site shows the URL was seen\/accessed 8.5K times.<\/li>\n<\/ul>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"618\" height=\"335\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_2a771d.png\" alt=\"\" class=\"wp-image-105447\" \/><\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-malicious-ad\">Malicious ad<\/h2>\n<p>Threat actors continue to impersonate well-known brands via sponsored search results. As can be seen below in a search for Notion (productivity software), an extremely deceptive ad is shown. Because it includes the official logo and website for Notion, most users will not think twice before clicking the link.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"718\" height=\"382\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_44be5b.png\" alt=\"\" class=\"wp-image-105424\" \/><\/figure>\n<p>While the ad looks real on the surface, the Google Ads Transparency Center <a href=\"https:\/\/adstransparency.google.com\/advertiser\/AR11560428978590187521?origin=ata&amp;region=anywhere\">page<\/a> (which can be accessed by clicking on the menu right next to the ad&#8217;s URL) shows this ad was created by a certain &#8216;BUDNIK PAWE\u0141&#8217; from Poland. 
According to the same report, the ad first appeared on <a href=\"https:\/\/adstransparency.google.com\/advertiser\/AR11560428978590187521?origin=ata&amp;region=anywhere&amp;start-date=2024-01-23&amp;end-date=2024-01-23\">January 23, 2024<\/a>.<\/p>\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1036\" height=\"552\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_47f25a.png?w=1024\" alt=\"\" class=\"wp-image-105425\" \/><\/figure>\n<p>As a matter of fact, we have been tracking this fraudulent advertiser for a few weeks and had reported it to Google in early February, when we first ran into it. At the time, victims who clicked the ad and visited the site were tricked into downloading NetSupport RAT.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"577\" height=\"207\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_c20ef6.png\" alt=\"\" class=\"wp-image-105431\" \/><\/figure>\n<p>In this more recent campaign, the threat actor is pushing Rhadamanthys as the final payload, after an initial dropper. In the web traffic seen below, we can see that the threat actor uses a number of redirects to evade detection. 
URL shorteners and redirectors are quite common for the initial ad click, often followed by an attacker-controlled domain responsible for cloaking traffic.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"683\" height=\"187\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_c47cda.png\" alt=\"\" class=\"wp-image-105427\" \/><\/figure>\n<p>There is one more check within the browser via JavaScript to detect virtual machines before the actual landing page is displayed to the victim.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-landing-page-and-payload\">Landing page and payload<\/h2>\n<p>The landing page is the decoy site that victims will see after they click on the ad. Apart from the URL in the address bar, it looks very similar to the official website for Notion, although somewhat simplified. There are two download buttons, one for Mac and the other for Windows.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"935\" height=\"668\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_14493a.png\" alt=\"\" class=\"wp-image-105481\" \/><\/figure>\n<p>The Mac payload (<a href=\"https:\/\/www.virustotal.com\/gui\/file\/524bfcd8f118c7bb98881e9907e354268911d8fe50c3262cb3d7cec62336d9ab\/detection\">Notion.dmg<\/a>) is a new variant of Atomic Stealer. Thanks to Luis Castellanos from Block for sharing a sample with us.<\/p>\n<p>The Windows binary is signed, but its digital signature is not valid. The signer name shown here is that of the inventor of PuTTY, a popular admin tool. 
This digital certificate is likely fake or was revoked, but it may evade detection in some cases.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"398\" height=\"462\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_06f85c.png\" alt=\"\" class=\"wp-image-105433\" \/><\/figure>\n<p>This dropper contacts the paste site <em>TextBin<\/em>, where it retrieves a URL for the follow-up payload, Rhadamanthys. If the numbers are correct, this unlisted paste was viewed 8.5k times already.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"732\" height=\"675\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_9c801e.png\" alt=\"\" class=\"wp-image-105429\" \/><\/figure>\n<p>Rhadamanthys attempts to steal credentials stored in applications such as PuTTY, WinSCP and mail programs (screenshot from <a href=\"https:\/\/www.joesandbox.com\/analysis\/1399306\/0\/executive\">Joe Sandbox<\/a>):<\/p>\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1028\" height=\"443\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_6e941c.png?w=1024\" alt=\"\" class=\"wp-image-105455\" \/><\/figure>\n<p>Upon execution, Rhadamanthys reports to its command and control server, then sends and receives data.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"343\" height=\"183\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_03c54f.png\" alt=\"\" class=\"wp-image-105435\" \/><\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n<p>Not a lot has changed with malvertising campaigns focused on software downloads as we enter the second year of actively tracking them. 
Sponsored search results continue to be highly misleading because any verified individual can impersonate popular brands by using their logo and official site within the ad itself.<\/p>\n<p>We are aware of reports, shared within private circles, that businesses were compromised after an employee clicked on a malicious ad. Follow-up activities post-infection include the usual &#8216;pentesting tools&#8217; that precede a company-wide breach or ransomware deployment.<\/p>\n<p>The infrastructure used in this particular attack was reported to the relevant parties. <a href=\"https:\/\/www.malwarebytes.com\/\">Malwarebytes<\/a> and <a href=\"https:\/\/www.threatdown.com\/\">ThreatDown<\/a> customers are protected against the payloads and distribution sites.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"770\" height=\"476\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_d5d5f3.png\" alt=\"\" class=\"wp-image-105477\" \/><\/figure>\n<p>Additionally, EDR customers who have <a href=\"https:\/\/www.malwarebytes.com\/cybersecurity\/business\/dns-security-for-your-small-business\">DNS Filtering<\/a> can proactively block online ads by enabling the rule for advertisements. 
This is a simple yet powerful way to prevent malvertising across an entire organization or in specific areas.<\/p>\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" width=\"1187\" height=\"639\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_814abe.png?w=1024\" alt=\"\" class=\"wp-image-105465\" style=\"width:1200px;height:auto\" \/><\/figure>\n<p>Endpoint users will see a customizable message when they click on an ad, such as those that appear on a search engine results page:<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"934\" height=\"600\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image_fbe6d2.png\" alt=\"\" class=\"wp-image-105466\" \/><\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-indicators-of-compromise\">Indicators of Compromise<\/h2>\n<p>Malvertising chain<\/p>\n<pre class=\"wp-block-preformatted\">pantovawy.page[.]link cerisico[.]net notione.my-apk[.]com alternativebehavioralconcepts[.]org<\/pre>\n<p>Dropper<\/p>\n<pre class=\"wp-block-preformatted\">6f4a0cc0fa22b66f75f5798d3b259d470beb776d79de2264c2affc0b5fa924a2<\/pre>\n<p>Dropper IP<\/p>\n<pre class=\"wp-block-preformatted\">185[.]172[.]128[.]169<\/pre>\n<p>Rhadamanthys download URL<\/p>\n<pre class=\"wp-block-preformatted\">yogapets[.]xyz\/@abcmse1.exe birdarid[.]org\/@abcnp.exe<\/pre>\n<p>Rhadamanthys<\/p>\n<pre class=\"wp-block-preformatted\">e179a9e5d75d56140d11cbd29d92d8137b0a73f964dd3cfd46564ada572a3109 679fad2fd86d2fd9e1ec38fa15280c1186f35343583c7e83ab382b8c255f9e18<\/pre>\n<p>Rhadamanthys C2<\/p>\n<pre class=\"wp-block-preformatted\">185[.]172[.]128[.]170<\/pre>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2024\/02\/one-year-later-rhadamanthys-is-still-dropped-via-malvertising\" target=\"bwo\" 
>https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Infostealers like Rhadamanthys continue to be a favorite among malware distributors who leverage search engine ads to lure victims. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10531,3764,30959,19665,12040],"class_list":["post-24051","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-malvertising","tag-malware","tag-rhadamanthys","tag-stealer","tag-threat-intelligence"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24051","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24051"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24051\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24051"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24051"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24051"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}