SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims

The CopyRh(ight)adamantys phishing campaign has been ongoing since July 2024, using themes of copyright infringement to trick users into downloading the Rhadamanthys information stealer, version 0.7. This campaign targets regions such as the United States, Europe, East Asia, and South America.

  • Deceptive Tactics: Emails are sent from various Gmail accounts, each tailored to impersonate different companies, especially within the Entertainment/Media and Technology/Software sectors, and are customized for each targeted entity’s language and content.
  • Advanced Malware: Rhadamanthys v0.7 now includes AI-based optical character recognition (OCR) capabilities, improving its data-extraction efficiency.
  • Related Campaigns: Check Point identified overlaps with a campaign previously reported by Cisco Talos, which targeted Facebook business and advertising account users in Taiwan, deploying either the Lumma or Rhadamanthys malware.

This campaign exemplifies how cybercriminals adapt to modern technologies, leveraging AI tools and social engineering to enhance the effectiveness of their operations. It underscores the need for heightened vigilance, robust email filtering, and employee training on identifying potential phishing schemes.

Attack Chain Details:

  • Spear-Phishing Emails: These are carefully crafted to appear as though they come from legal representatives of prominent companies, particularly within sectors prone to copyright issues. The emails claim that the recipients have infringed on copyright by misusing brand content on social media.
  • False Allegations: The emails accuse victims of violating copyrights and demand that they remove alleged infringing images or videos.
  • Attachment with Malicious Intent: The email contains a link to a password-protected file purportedly holding the removal instructions. This file is actually hosted on appspot.com and is linked to the sender’s Gmail account.
  • Redirect to Malware: Clicking the link redirects the recipient to download a password-protected archive from Dropbox or Discord, with the password included in the email. This archive contains the Rhadamanthys information stealer.

The expanding landscape of cyber threats highlights how both established and newly emerging attack methods continue to leverage increasingly complex techniques:

CopyRh(ight)adamantys Campaign Details:

  • Components of the Malicious Archive: The password-protected RAR archive sent to victims contains:
    1. Legitimate Executable: A program vulnerable to DLL side-loading.
    2. Malicious DLL: Contains the payload for the Rhadamanthys stealer.
    3. Decoy Document: Adds credibility to the attack by masking its true intent.
  • Execution Mechanism: When the legitimate executable is run, it sideloads the malicious DLL, initiating the deployment of Rhadamanthys.
  • Scale and Attribution: Check Point noted the potential use of AI tools to manage the scale and variety of the campaign’s lures and sender emails. The attackers’ approach points to a financially motivated cybercrime group rather than a nation-state operation, as evidenced by the indiscriminate global targeting and diverse phishing tactics.

Emergence of SteelFox Malware:

Parallel to the Rhadamanthys campaign, SteelFox represents another significant threat with a focus on financial gain and data exfiltration:

  • Method of Distribution: Disseminated through forum posts, torrent trackers, and blog sites, posing as cracked versions of legitimate software like Foxit PDF Editor, JetBrains, and AutoCAD.
  • Execution Chain:
    1. Dropper App: Masquerades as legitimate software and requests administrator access upon execution.
    2. Loader Deployment: Establishes persistence and activates the SteelFox DLL payload.
  • Capabilities: Utilizes shellcoding to abuse Windows services and vulnerable drivers, enabling the theft of credit card information and device data.
  • Geographic Impact: The campaign, dating back to February 2023, has affected users globally, with notable impacts in countries like Brazil, China, Russia, and Mexico, among others.

Implications and Defense Strategies:

  • Proactive Monitoring: Organizations must enhance monitoring of their networks for signs of DLL side-loading and unauthorized use of vulnerable drivers.
  • User Awareness: Educate users on the risks associated with downloading cracked or pirated software and recognizing phishing emails that pressure them into urgent actions.
  • Endpoint Protection: Employ endpoint detection and response (EDR) tools capable of identifying suspicious DLL loading behavior and monitoring processes requesting elevated privileges.
  • Zero-Day Vulnerability Defense: Ensure the latest security patches are applied to reduce exposure to vulnerabilities exploited by sophisticated campaigns like SteelFox.

Both CopyRh(ight)adamantys and SteelFox underline how cybercriminals adapt and escalate their tactics to outmaneuver traditional defenses, stressing the importance of a layered cybersecurity strategy and continuous vigilance.

The SteelFox malware exemplifies how attackers combine existing vulnerabilities and sophisticated coding techniques to execute complex, multi-stage attacks. Here’s a breakdown of its advanced tactics:

Exploitation Details:

  • Abuse of Admin Access: The malware, once granted administrator privileges, sets up a service that utilizes an older, vulnerable version of WinRing0.sys, a Windows hardware access library.
  • Exploited Vulnerabilities: The library is susceptible to CVE-2020-14979 and CVE-2021-41285, which allow attackers to escalate their privileges to NT\SYSTEM, the highest level of access in Windows.
  • XMRig Miner Usage: This driver is known to be part of the XMRig mining software, indicating its dual-purpose role:
    • Miner Deployment: Once the driver is initialized, the malware runs a modified version of XMRig with junk code to avoid detection. This executable connects to a mining pool using hardcoded credentials to start mining cryptocurrency.
    • Source of Miner: The miner executable is fetched from a GitHub repository, indicating the attackers’ use of publicly accessible resources to distribute their tools.

Data Exfiltration and Communication:

  • Remote Server Contact: The malware establishes a connection with a remote server using TLS version 1.3, ensuring encrypted data transfer. This makes interception by traditional security tools more difficult.
  • Stolen Data:
    • Web Browser Data: Includes cookies, credit card information, browsing history, and records of visited sites.
    • System Information: Collects system metadata, installed software details, and timezone data.
  • Secure Communication: The use of TLSv1.3 combined with SSL pinning ensures that communication with the command-and-control (C2) server is secure and difficult to intercept or disrupt.

Technical Sophistication:

  • Modern C++ and External Libraries: The malware’s use of modern C++ programming with external libraries makes it more adaptable and powerful. This choice of coding allows efficient handling of complex operations and evasion techniques.
  • Junk Code Fillers: The insertion of non-functional or redundant code within the executable helps bypass signature-based detection tools, enhancing the malware’s stealth capabilities.

Defensive Measures:

  • Update and Patch Management: Organizations should ensure that any drivers or libraries in use are up-to-date and that known vulnerabilities like CVE-2020-14979 and CVE-2021-41285 are addressed.
  • Endpoint Monitoring: Utilize advanced endpoint security solutions that can detect abnormal service creation and the presence of unauthorized or outdated drivers.
  • Network Traffic Analysis: Implement monitoring for anomalous outbound traffic, especially encrypted traffic that could indicate data exfiltration.
  • Web Access Controls: Restrict access to known sources of malicious software, such as repositories that may host mining executables.

Technical Details:

  1. WinRing0.sys Vulnerabilities:

WinRing0.sys is a hardware access driver that has been found to contain security flaws which attackers can exploit for privilege escalation. The details for the key CVEs exploited are:

  • CVE-2020-14979
    • This vulnerability is due to the way the driver handles I/O control (IOCTL) requests, allowing attackers to execute arbitrary code with SYSTEM privileges.
    • CVSS Score: 8.2 (High)
    • CWE: CWE-264 (Permissions, Privileges, and Access Controls)
    • Impact: Privilege escalation due to insufficient validation of IOCTL requests.
    • Remediation: Update to a version of the driver that has fixed the issue or restrict driver installation to trusted sources only.
  • CVE-2021-41285
    • This vulnerability is associated with memory corruption issues within the driver, which can be exploited by attackers to elevate privileges.
    • CVSS Score: 7.8 (High)
    • CWE: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
    • Impact: Memory corruption leading to potential code execution at NT\SYSTEM level.
    • Remediation: Apply patches or mitigations provided by the software vendor.
  2. SteelFox Malware Capabilities and Technical Characteristics:
  • Programming Language: Primarily written in modern C++, with external libraries for enhanced functionality.
  • Execution Techniques:
    • DLL Side-Loading: Leveraging a legitimate executable to load a malicious DLL.
    • Shellcoding: Direct injection of code for execution, bypassing conventional detection mechanisms.
  • Mining Component:
    • XMRig Miner: A modified version of XMRig is used for mining cryptocurrency.
    • Obfuscation: Junk code is added to avoid signature-based detection.
  3. Communication and Data Exfiltration:
  • Encryption:
    • TLS Version: Utilizes TLS 1.3 for secure communication with C2 servers.
    • SSL Pinning: Ensures that the connection to the server cannot be intercepted by common man-in-the-middle attacks.
  • Data Targeted:
    • Cookies and credit card data from web browsers.
    • System Metadata: Details like system specifications, installed software, and time zone.
  4. General Recommendations:
  • Patching: Ensure all software, especially drivers like WinRing0.sys, is updated to avoid exploitation of known vulnerabilities.
  • Application Control: Implement policies to restrict the execution of unauthorized drivers and executables.
  • Privileged Access Management: Monitor and limit the use of administrator rights to prevent abuse by malware.
  • Network Defense: Inspect network traffic for unusual encrypted outbound connections, especially those that may indicate data exfiltration.

Indicators of Compromise (IOCs):

  1. File-Based IOCs:
  • Malicious Executables:
    • Modified versions of legitimate software such as XMRig miner.
    • DLLs used for side-loading (e.g., malicious.dll containing the payload).
  • Archives:
    • Password-protected RAR files attached to phishing emails.
  • Dropper Files:
    • Executables masquerading as cracked versions of popular software (e.g., setup_FoxitEditor.exe, install_JetBrains.exe).
  2. File Hashes (Examples):
  • SHA-256/SHA-1/MD5 Hashes:
    • Hashes of the dropper executables, malicious DLLs, and modified mining software. (Note: Actual sample hashes need to be sourced from security reports or sandboxes like VirusTotal for real-world application.)
  3. Network-Based IOCs:
  • Domains and URLs:
    • Malicious links for download, often hosted on appspot.com, Dropbox, or Discord.
    • URLs linked to phishing emails that impersonate companies.
  • C2 Server IPs and Domains:
    • Remote servers that communicate over TLS 1.3 for data exfiltration.
    • Example C2 patterns and hardcoded mining pool URLs.
  • GitHub Repositories:
    • Repositories that might host malicious mining executables.
  4. Email-Based IOCs:
  • Sender Email Addresses:
    • Use of Gmail accounts that impersonate legal representatives of known companies.
  • Email Subjects and Content:
    • Keywords related to copyright infringement, legal notices, or DMCA takedown requests.
  • Phishing Templates:
    • Common patterns or language used in phishing emails (e.g., “Your content violates our terms, please review the attached file.”).
  5. Behavioral IOCs:
  • File Creation and Registry Changes:
    • Creation of services or processes with names mimicking legitimate applications.
    • Registry modifications for persistence (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run entries).
  • Service Creation:
    • Services created using vulnerable WinRing0.sys for privilege escalation.
  • Miner Behavior:
    • Unusual CPU or GPU usage indicating crypto mining activities.
  6. Command and Control (C2) Communication:
  • Protocol and Encryption:
    • Outbound connections using TLS 1.3 with SSL pinning.
  • Observed Communication Patterns:
    • Frequent outbound requests to mining pools with hardcoded credentials.
    • Specific endpoints associated with credential and cookie exfiltration.
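As an added illustration (not code from the page, nor from the Check Point or Kaspersky reports), the following Python triage script applies the behavioral IOCs listed above to constructed sample events: a kernel service backed by a WinRing0*.sys file, an unsigned DLL loaded from the same user-writable folder as its host executable, and a Run-key value pointing into a user profile. The key=value event format, the user-writable path markers, and every file, service and key name in the sample are assumptions made for the demo.

```python
"""Triage helper for the behavioural IOCs above: flags WinRing0 driver services,
DLL side-loading from user-writable folders and Run-key persistence."""
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample events in a simplified key=value form (NOT Windows' native
# log format). They stand in for System event 7045 (service installed),
# Sysmon event 7 (image loaded) and Sysmon event 13 (registry value set).
SAMPLE_EVENTS = r'''
event=7045 service=HwMonitorSvc type=kernel image="C:\Users\alice\AppData\Local\Temp\WinRing0x64.sys"
event=7045 service=Spooler type=user image="C:\Windows\System32\spoolsv.exe"
event=7 process="C:\Users\alice\Downloads\setup_FoxitEditor.exe" loaded="C:\Users\alice\Downloads\helper.dll" signed=false
event=7 process="C:\Program Files\Foxit\FoxitPDFEditor.exe" loaded="C:\Windows\System32\version.dll" signed=true
event=13 key="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater" value="C:\Users\alice\AppData\Roaming\updater.exe"
event=13 key="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" value="C:\Program Files\Microsoft OneDrive\OneDrive.exe"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Folders a standard user can write to; a driver, service binary or autorun
# entry living here deserves a second look (assumed list, extend per estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def parse_line(line: str) -> dict[str, str]:
    """Parse one key=value line; values may be double-quoted to allow spaces."""
    return {k: q or b for k, q, b in KV.findall(line)}

def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def detect(ev: dict[str, str]) -> list[tuple[str, str]]:
    """Apply the three behavioural rules to one parsed event."""
    hits: list[tuple[str, str]] = []
    if ev.get("event") == "7045":
        image = ev.get("image", "")
        # Any WinRing0 kernel service is a lead: legitimate monitoring tools ship
        # the driver too, so this is a triage hit, not a verdict.
        if ev.get("type") == "kernel" and PureWindowsPath(image).name.lower().startswith("winring0"):
            hits.append(("vulnerable-driver-service", f"{ev.get('service')} -> {image}"))
        if is_user_writable(image):
            hits.append(("service-from-user-writable-path", image))
    elif ev.get("event") == "7":
        proc, dll = ev.get("process", ""), ev.get("loaded", "")
        same_dir = PureWindowsPath(proc).parent == PureWindowsPath(dll).parent
        # Side-loading pattern: an unsigned DLL loaded from the executable's own
        # folder, where that folder is one the user (or an extracted archive) controls.
        if same_dir and is_user_writable(proc) and ev.get("signed") == "false":
            hits.append(("dll-sideload-candidate", f"{proc} loaded {dll}"))
    elif ev.get("event") == "13":
        # Run/RunOnce autostart value pointing into a user-writable folder.
        if "\\currentversion\\run" in ev.get("key", "").lower() and is_user_writable(ev.get("value", "")):
            hits.append(("run-key-persistence", f"{ev['key']} = {ev['value']}"))
    return hits

def analyze(log_text: str) -> list[tuple[str, str]]:
    """Run detect() over every non-empty line and collect (rule, detail) pairs."""
    hits: list[tuple[str, str]] = []
    for line in log_text.strip().splitlines():
        if line.strip():
            hits.extend(detect(parse_line(line)))
    return hits

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each hit is a lead for analyst triage, not a verdict: a WinRing0 service from a vendor install directory or a signed DLL in Program Files would not fire, while the same driver dropped into Temp by a "cracked" installer would.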

IMPACT:

  1. Data Theft and Privacy Violation:
  • Sensitive Data Exposure: Both campaigns involve stealing data such as cookies, credit card details, browsing history, and stored credentials from web browsers. This compromises personal and corporate privacy.
  • Financial Information Theft: Users risk losing financial information, which can lead to unauthorized transactions and financial fraud.
  • Intellectual Property and Confidential Information: Organizations may see their proprietary data and confidential information exposed or stolen.
  2. Financial Loss:
  • Direct Financial Impact: The theft of credit card data can result in immediate financial loss for individuals and organizations.
  • Cryptocurrency Mining Costs: The SteelFox malware’s use of the XMRig miner leads to unauthorized cryptocurrency mining, which increases energy consumption and computing resource usage, driving up operational costs.
  • Potential Fines and Penalties: Data breaches involving sensitive customer data may lead to regulatory fines and penalties, depending on the industry and applicable laws (e.g., GDPR, CCPA).
  3. Operational Disruption:
  • System Performance Issues: The presence of cryptocurrency mining software significantly degrades the performance of affected systems, impacting productivity and potentially disrupting critical operations.
  • Resource Drain: Persistent mining and data exfiltration activities consume system resources, affecting business continuity.
  4. Reputation Damage:
  • Loss of Trust: Companies affected by data theft or malware breaches may experience damage to their reputation, resulting in lost business and decreased customer confidence.
  • Brand Impersonation: The CopyRh(ight)adamantys campaign, which uses brand impersonation to conduct phishing, can harm the reputation of the impersonated brands.
  5. Legal and Compliance Risks:
  • Non-Compliance: Organizations failing to protect customer data may face legal action for non-compliance with data protection regulations.
  • Potential Lawsuits: Data breaches can lead to class-action lawsuits from affected customers or partners.
  6. Elevated Security Risks:
  • Privilege Escalation: The use of vulnerabilities like CVE-2020-14979 and CVE-2021-41285 for privilege escalation poses an increased risk of deeper infiltration by attackers. Once SYSTEM-level privileges are obtained, attackers can bypass most security measures.
  • Persistence and Advanced Capabilities: The combination of modern C++ with external libraries, SSL pinning, and TLS 1.3 encryption in SteelFox makes detection and response challenging, allowing attackers to maintain long-term access to compromised systems.
  7. Broader Implications for Targeted Regions:
  • Global Reach: The campaigns target victims across various regions, including the United States, Europe, East Asia, South America, and others. The widespread targeting indicates that organizations worldwide are at risk.
  • Automated Tactics: The scale and automation of the phishing campaigns suggest attackers can impact a large number of victims simultaneously, increasing the potential for widespread damage.

RECOMMENDATIONS:

  1. Patch and Update Vulnerable Systems
  • Apply Security Patches: Ensure that systems are up-to-date with the latest security patches for both operating systems and third-party applications. Specifically, address vulnerabilities like CVE-2020-14979 and CVE-2021-41285 in WinRing0.sys and other known vulnerabilities that could be exploited for privilege escalation.
  • Regular Driver and Software Updates: Ensure that hardware access libraries, drivers, and all software are kept up to date to minimize the chances of exploiting unpatched vulnerabilities.
  2. Implement Endpoint Protection and Detection
  • Endpoint Detection and Response (EDR): Use EDR solutions that can detect abnormal activities such as DLL side-loading, unusual system processes, or unauthorized service creation.
  • Anti-Malware Solutions: Deploy reputable anti-malware and anti-virus software capable of detecting both known and new threats like Rhadamanthys and SteelFox.
  3. Enhance Email Security and Awareness
  • Phishing Protection: Employ advanced email filtering tools to detect phishing emails, particularly those containing password-protected archives or suspicious links. Consider using solutions like DMARC, DKIM, and SPF to authenticate email senders.
  • User Education: Conduct regular security awareness training for employees and users, focusing on recognizing phishing attempts, especially those impersonating well-known brands or involving urgent legal action claims.
  4. Network Monitoring and Defense
  • Outbound Traffic Monitoring: Monitor network traffic for signs of encrypted traffic (e.g., TLS 1.3) used by C2 servers or mining pools. Implement network detection tools to flag anomalous patterns that could indicate data exfiltration or unauthorized mining activities.
  • Secure Network Gateways: Use network security solutions such as firewalls, intrusion detection/prevention systems (IDS/IPS), and secure DNS to block access to known malicious IPs and domains linked to C2 servers or malicious file downloads.
  5. Reduce Privilege Escalation Risks
  • Limit Administrative Privileges: Implement the principle of least privilege (PoLP) to restrict access to critical system areas and resources. Regularly review and update administrative rights.
  • Use Application Control: Apply application whitelisting and blocking of unauthorized applications to prevent malicious payloads like miners or stealer malware from executing.
  6. Strengthen Web Application Security
  • SSL Pinning: Employ SSL/TLS certificate pinning on applications and websites to prevent man-in-the-middle attacks and unauthorized interception of sensitive data.
  • Web Application Firewalls (WAF): Deploy WAFs to block malicious requests and protect web-facing applications from attacks that attempt to exploit vulnerabilities.
  7. Data Protection and Encryption
  • Sensitive Data Protection: Encrypt sensitive data both at rest and in transit to protect it from unauthorized access in the event of an attack.
  • Secure Backup and Recovery: Ensure that critical business data is backed up regularly and can be restored quickly in case of a breach.
  8. Incident Response and Threat Hunting
  • Incident Response Plan: Develop and regularly update an incident response plan that includes specific procedures for addressing malware infections, including Rhadamanthys and SteelFox.
  • Proactive Threat Hunting: Conduct regular threat hunting activities to proactively identify malicious activity within your network, including monitoring for the presence of malicious executables, DLLs, and unauthorized services.
  9. Use Multi-Factor Authentication (MFA)
  • Implement MFA: For critical systems and accounts, enforce the use of multi-factor authentication to add an extra layer of protection against credential theft, especially for high-value targets like administrative or financial accounts.
  10. Monitor and Control Third-Party Software
  • Verify Software Sources: Ensure that all software installed on systems comes from trusted and verified sources. Avoid using pirated software or software from untrusted repositories that may include bundled malware.
  • Third-Party Vendor Risk Management: Regularly evaluate the security posture of third-party vendors and service providers, particularly those whose software is used internally.