Fake Copyright Infringement Emails Spread Rhadamanthys

Hundreds of companies across the globe have been targeted by spear-phishing emails alleging copyright infringement, which in reality deploy an infostealer. Attackers are exploiting victims’ deep-rooted fear of facing legal consequences to propagate the sophisticated Rhadamanthys stealer globally.

Beginning in July, Check Point Research started monitoring these emails as they proliferated across the Americas, Europe, and Southeast Asia. Each instance originated from a new domain. Hundreds of Check Point’s own customers have been targeted, suggesting that the campaign’s actual impact could be much more extensive.

[Image: Rhadamanthys. Source: ThreatDown]

The purpose of these emails is to lure guilt-burdened victims into downloading Rhadamanthys, a highly advanced infostealer that can steal anything from nation-state secrets to cryptocurrency wallet passphrases.

CopyR(ight)hadamantys

In the “CopyR(ight)hadamantys” campaign, each email originates from a unique address, which suggests that an automated system is responsible for their distribution. This automation can be problematic at times—such as when an Israeli recipient receives an email written mostly in Korean—and it hinders the emails’ ability to effectively mimic well-known brands.

Each email appears to originate from legal representatives of particular, well-known companies. Nearly 70% of these companies belong to the technology sector—including Check Point itself—or the media and entertainment industries.

The types of brands impersonated align seamlessly with the narrative spun by the attackers, which claims that recipients have uploaded content on social media infringing upon copyrights. “I assume everyone has done it to some degree in his life,” notes Sergey Shykevich, threat intelligence group manager at Check Point. “It prompts people to pause and wonder, ‘Did I use an unauthorized image? Did I accidentally copy text?’ Even if you haven’t.”

Recipients are instructed to delete certain images and videos, with the specifics enclosed in a password-protected file. This file is essentially a link that leads users to download an archive from Dropbox or Discord. Inside this archive, there is a decoy document along with both a genuine executable and a harmful dynamic link library (DLL) housing the Rhadamanthys stealer.

Things to Know About Rhadamanthys

Rhadamanthys is a widely recognized and highly effective information-stealing tool. According to Shykevich, “It stands out as the most advanced of all infostealers available for purchase on the Dark Web.” Unlike other infostealers that usually rent for between $100 and $200, Rhadamanthys commands a higher price point at approximately $1,000. Its design is far more modular and intricate; it employs sophisticated obfuscation techniques that make its deployment and concealment particularly challenging to detect.

The latest version 0.7 of Rhadamanthys includes a somewhat outdated machine-learning-based optical character recognition (OCR) feature. While it’s not cutting-edge artificial intelligence (AI), as it struggles with multi-colored text, cannot decipher handwriting, and only recognizes the most common fonts, it still assists the malware in extracting data from static documents like PDFs and images.

In the Rhadamanthys build used in the CopyR(ight)hadamantys campaign, the OCR component is equipped with a dictionary containing 2,048 words related to Bitcoin wallet protection codes. This implies that the attackers may be targeting cryptocurrencies, which aligns with the broad focus typical of financially driven campaigns. Recently, Rhadamanthys has also been linked to nation-state threat actors such as Iran’s Void Manticore and the pro-Palestine group “Handala.”

One Strange Stealth Feature

Organizations aiming to protect themselves from CopyR(ight)hadamantys should begin by implementing phishing defenses. However, there’s an additional aspect of the campaign that deserves attention.

Upon reaching the system, the harmful DLL creates a much larger version of itself in the victim’s Documents folder, disguised as a Firefox component. Although this new file is functionally identical to its predecessor, it is considerably bulkier due to an “overlay”—extraneous data appended to the file that serves two main purposes. The first is altering the file’s hash value, which helps evade antivirus software that relies on hashes to identify known malware.

Some antivirus programs choose not to scan very large files. Shykevich explains that this is because scanning massive game-related files, which can be several gigabytes in size, creates a heavy processing load. Following this logic, cybercriminals might deliberately create an excessively large Rhadamanthys file to elude detection. However, he notes that “it’s not extremely common because handling such enormous files isn’t convenient for attackers either. Many email systems have limits on attachment sizes—typically no more than 20MB—so they would need to direct the victim elsewhere online.” Therefore, while it’s a tactic used by some hackers, it’s far from foolproof or universally effective.

Organizations may want to identify any unusually large files that employees are downloading from emails. “This isn’t straightforward, as there are numerous legitimate reasons for some files to be substantial,” he explains. “However, I believe it’s feasible to establish some effective guidelines for permissible downloads.”
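As an added illustration (not code from the article or from Check Point’s research) of the overlay trick described above and the large-download guideline Shykevich suggests: this Python script measures a PE file’s overlay from its section table and flags files whose bulk is mostly appended padding. The toy PE builder, sample payload and thresholds are constructed for the demo.

```python
import hashlib
import struct

def build_toy_pe(section_payload: bytes) -> bytes:
    """Constructed sample: a minimal PE layout with one section (headers only, not runnable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size, sections = 0, 1                  # toy: no optional header; the parser only skips it
    coff = struct.pack("<HHIIIHH", 0x8664, sections, 0, 0, 0, opt_size, 0x2022)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * sections
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_payload), 0x1000, len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + section_payload

def overlay_size(data: bytes) -> int:
    """Bytes appended after the last section that the PE section table accounts for."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size
    end = sect + 40 * num_sections            # the headers themselves are legitimate content
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)

def looks_padded(data: bytes, min_overlay: int = 1 << 20, min_ratio: float = 0.5) -> bool:
    """Heuristic (assumed thresholds): overlay is large in absolute terms and dominates the file.
    Signed binaries and installers carry legitimate overlays, so treat hits as leads, not verdicts."""
    ov = overlay_size(data)
    return ov >= min_overlay and ov / len(data) >= min_ratio

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    base = build_toy_pe(b"\x90" * 64)
    padded = base + b"\0" * (2 << 20)          # 2 MiB of junk overlay; the code bytes are unchanged
    print("hash changed:", sha256(base) != sha256(padded))
    print("overlay bytes:", overlay_size(padded), "flagged:", looks_padded(padded))
```

On a real download, `overlay_size(open(path, "rb").read())` gives the appended byte count; the `min_overlay` and `min_ratio` values are assumptions to tune per environment.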
