A new infostealer, Rhadamanthys Stealer, has drawn the attention of security researchers. It has been observed spreading through Google Ads and poses a significant threat to users' sensitive information. One delivery route is spam email carrying a PDF attachment that masquerades as an Adobe Acrobat DC updater: clicking the link inside the PDF downloads the malware executable from an attacker-controlled URL, after which the stealer begins its data theft.
In addition to spam emails, the malware is distributed through deceptive phishing webpages that imitate reputable software sites. Google advertisements are used to promote links to these phishing pages, from which installer files are downloaded. The installer drops Rhadamanthys Stealer covertly alongside a legitimate copy of the advertised application, so the victim sees the program they expected.
The malware uses steganography: the loader retrieves an image from a remote server that conceals an encrypted payload, and shellcode decrypts and executes that payload. Once running, Rhadamanthys Stealer collects system information through WMI queries, including computer name, user name, operating system version, RAM and CPU details, HWID, time zone, and user and keyboard language, among other fields.
The stealer then targets browser data files, including browsing history, bookmarks, cookies, and saved login credentials. It also extracts data from crypto wallets and from applications such as FTP clients, email clients, password managers, and messaging platforms. Users are advised to treat unsolicited email attachments and look-alike download sites with suspicion and to verify the authenticity of a source before downloading any application from it.
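The article says the payload is hidden inside an image and decrypted by shellcode, but not how the image is built. The script below is an added example, not code from the article's source report or from any Rhadamanthys sample: it assumes one simple and common carrier construction (an XOR-encrypted blob appended after the PNG's IEND chunk, single-byte key) and shows the check an analyst runs first on a suspicious downloaded image, namely whether anything follows IEND, and how such a payload is recovered. The carrier image, the "MZ"-prefixed fake payload and the key 0x5A are all constructed for the example.

```python
"""Spot and recover a payload appended after a PNG's IEND chunk.

Added example, not from the article or from any Rhadamanthys sample. It assumes a
simple carrier construction (ciphertext appended after IEND, single-byte XOR key);
the real loader's image format is not described on the page.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Walk PNG chunks, yielding (type, body, offset_after_chunk); stops after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            raise ValueError("bad CRC in %r chunk" % ctype)
        pos += 12 + length
        yield ctype, body, pos
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk")


def trailing_bytes(data):
    """Bytes after IEND. A clean image returns b''; a stego carrier returns the blob."""
    end = 0
    for _ctype, _body, end in png_chunks(data):
        pass
    return data[end:]


def xor_bytes(blob, key):
    """Repeating-key XOR (symmetric, so the same call encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def recover_single_byte_xor(blob, known_prefix=b"MZ"):
    """Brute-force a one-byte XOR key, assuming the plaintext is a PE (starts 'MZ').
    Returns (key, plaintext), or None if no key produces the prefix."""
    for k in range(256):
        if bytes(b ^ k for b in blob[:len(known_prefix)]) == known_prefix:
            return k, xor_bytes(blob, bytes([k]))
    return None


def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_carrier(payload, key):
    """Constructed 1x1 greyscale PNG with the XOR-encrypted payload appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, greyscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    image = (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
             + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
    return image + xor_bytes(payload, key)


# Constructed stand-in for a dropped executable: only the 'MZ' prefix matters here.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"constructed, not a real PE"
KEY = bytes([0x5A])   # assumed single-byte key, not taken from any sample


if __name__ == "__main__":
    carrier = build_carrier(FAKE_PAYLOAD, KEY)
    blob = trailing_bytes(carrier)
    print("trailing bytes after IEND:", len(blob))
    key, plain = recover_single_byte_xor(blob)
    print("recovered key 0x%02x, payload starts %r" % (key, plain[:2]))
```

Trailing data is the cheapest check because image decoders stop at IEND and never complain about what follows, which is exactly why it is a popular hiding place; a real sample may instead use pixel least-significant bits or a non-standard ancillary chunk, so an empty result here does not clear the image.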
Key Takeaways
- Rhadamanthys Stealer is being distributed through spam emails with a PDF attachment that contains a download link for the malware.
- Google Ads are being used to promote links to phishing websites that distribute the malware.
- The malware uses steganography to hide its payload in a downloaded image, then gathers system data, browser-related data, and data from crypto wallets and various applications.
- Users should exercise caution with spam emails, phishing websites, and verify sources before downloading any applications.
How it Spreads
The Google Ads route works as follows: the operators build phishing pages that imitate the download pages of legitimate software, then buy Google advertisements pointing at those pages so the links surface prominently to users searching for that software. The installer downloaded from such a page drops Rhadamanthys alongside the expected application, so the victim gets the program they wanted and nothing looks obviously wrong. Cryptocurrency users should be particularly wary, since the stealer specifically harvests wallet data. Beyond caution with spam email and look-alike download sites, keeping the operating system and browsers patched and running reputable endpoint protection reduce the chance that an infection succeeds or goes unnoticed.
Methods of Distribution
Deceptive phishing webpages impersonating trustworthy websites, promoted through Google advertisements, are the distribution methods reported for this malware. The operators register look-alike domains and build pages that mimic the legitimate site, often with enticing offers or urgent requests to get the visitor to click a download link; the ads then put those pages in front of users and raise the infection rate. The threat to privacy is that the victim intends to install a legitimate application and gets the stealer with it, after which browser data, crypto wallet information, and data from the other targeted applications are stolen. Before downloading anything, confirm that the page's domain actually belongs to the software vendor rather than merely resembling it.
Data Gathering and Targets
Data gathering and targeting are the core of the malware's operation. Rhadamanthys first profiles the host through WMI queries, collecting computer name, user name, OS version, RAM and CPU information, HWID, time zone, and user and keyboard language, among other fields. It then targets browser data files, including browsing history, bookmarks, cookies, auto-fill entries, and saved login credentials, from browsers such as Brave, Edge, Chrome, and Firefox. It is also designed to gather data from a range of crypto wallets, and it collects data from FTP clients, email clients, file managers, password managers, VPN services, and messaging applications. Because saved browser credentials and locally stored wallet files are its primary targets, users should treat those as high-value data and protect them accordingly.
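The collection behaviour described above has a detectable shape on the endpoint: one process, usually a freshly dropped binary, reads credential stores belonging to several different applications in quick succession. The script below is an added example, not code from the article's source or from any vendor product. It assumes a constructed JSON-lines event schema (`ts`, `image`, `path`) as a stand-in for EDR or Sysmon file-access telemetry, uses the vendors' default Windows profile locations for each store (an assumption: default install, default profile), and runs over a constructed set of events in which a binary named `AcrobatUpdater.exe` in `%TEMP%` sweeps Chrome, Firefox and a Bitcoin Core wallet.

```python
"""Flag reads of browser credential stores and wallet files by processes that do not own them.

Added example, not from the article or from any vendor product. The event schema is a
constructed stand-in for file-access telemetry; the store paths are default Windows
profile locations (assumption: default install and default profile).
"""
import json
import posixpath
from collections import defaultdict
from fnmatch import fnmatch

# store name -> (glob over a lowercased, '/'-separated path, images that legitimately read it)
SENSITIVE_STORES = {
    "chrome-logins":   ("*/google/chrome/user data/*/login data", {"chrome.exe"}),
    "chrome-cookies":  ("*/google/chrome/user data/*/cookies", {"chrome.exe"}),
    "edge-logins":     ("*/microsoft/edge/user data/*/login data", {"msedge.exe"}),
    "brave-logins":    ("*/bravesoftware/brave-browser/user data/*/login data", {"brave.exe"}),
    "firefox-logins":  ("*/mozilla/firefox/profiles/*/logins.json", {"firefox.exe"}),
    "firefox-keydb":   ("*/mozilla/firefox/profiles/*/key4.db", {"firefox.exe"}),
    "firefox-cookies": ("*/mozilla/firefox/profiles/*/cookies.sqlite", {"firefox.exe"}),
    "bitcoin-wallet":  ("*/wallet.dat", {"bitcoin-qt.exe", "bitcoind.exe"}),
    "exodus-wallet":   ("*/exodus/exodus.wallet/*", {"exodus.exe"}),
    "filezilla-sites": ("*/filezilla/sitemanager.xml", {"filezilla.exe"}),
}


def normalise(path):
    """Windows paths to lowercase, forward-slash form so one glob covers all casings."""
    return path.replace("\\", "/").lower()


def classify(path):
    """Return (store name, owning images) if the path is a sensitive store, else None."""
    p = normalise(path)
    for name, (pattern, owners) in SENSITIVE_STORES.items():
        if fnmatch(p, pattern):
            return name, owners
    return None


def suspicious_accesses(event_lines):
    """One alert per read of a sensitive store by a process image that does not own it."""
    alerts = []
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hit = classify(ev["path"])
        if hit is None:
            continue
        store, owners = hit
        image = posixpath.basename(normalise(ev["image"]))
        if image not in owners:
            alerts.append({"ts": ev["ts"], "image": image, "store": store, "path": ev["path"]})
    return alerts


def stealer_candidates(alerts, min_stores=2):
    """Group alerts by image; a single process sweeping several distinct stores
    (browser credentials plus a wallet, say) is the pattern the article describes."""
    by_image = defaultdict(set)
    for a in alerts:
        by_image[a["image"]].add(a["store"])
    return {img: sorted(stores) for img, stores in by_image.items() if len(stores) >= min_stores}


# Constructed events: timestamps are relative seconds, user and binary names are invented.
_SAMPLE = [
    {"ts": 0, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 134, "image": r"C:\Users\alice\AppData\Local\Temp\AcrobatUpdater.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 135, "image": r"C:\Users\alice\AppData\Local\Temp\AcrobatUpdater.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9q1zt.default-release\logins.json"},
    {"ts": 136, "image": r"C:\Users\alice\AppData\Local\Temp\AcrobatUpdater.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallets\main\wallet.dat"},
    {"ts": 300, "image": r"C:\Program Files\Bitcoin\bitcoin-qt.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallets\main\wallet.dat"},
    {"ts": 450, "image": r"C:\Program Files\Backup\backup.exe",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"ts": 480, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]
SAMPLE_EVENTS = [json.dumps(e) for e in _SAMPLE]


if __name__ == "__main__":
    found = suspicious_accesses(SAMPLE_EVENTS)
    for a in found:
        print("t+%ds %-20s %s" % (a["ts"], a["image"], a["store"]))
    print("stealer candidates:", stealer_candidates(found))
```

The single `backup.exe` hit on one Edge store is a tuning case rather than an incident, which is why the candidate list requires several distinct stores; an unknown binary in `%TEMP%` named like an updater touching browser logins and a wallet file within seconds is the combination worth paging on. On real telemetry the owner sets need extending for legitimate readers such as password-sync tools and backup agents, and the paths need adjusting for non-default profiles.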
Frequently Asked Questions
How can users protect themselves from falling victim to the spam emails delivering the Rhadamanthys stealer malware?
Users should treat unsolicited attachments with suspicion, rely on mail filtering that blocks or sandboxes executable content, and confirm a sender's identity through a separate channel before opening an attachment or following a link in it. A PDF that asks you to download an "Acrobat updater" is itself the warning sign: software vendors deliver updates through the application's own update mechanism or their official site, not through links embedded in emailed documents.
What are some common signs that can help users identify deceptive phishing webpages?
Common signs of a deceptive phishing webpage include mismatched or look-alike URLs (a vendor's name with an extra word, a swapped letter, or an unusual top-level domain), poor design or grammar, requests for personal or financial information, and unexpected or urgent prompts to download something. Note that the padlock icon only means the connection uses TLS; phishing sites routinely obtain valid certificates, so HTTPS is not evidence that a site is legitimate, and its absence is merely one more warning sign. The domain itself, checked against the vendor's known address, is what matters.
Are there any specific browsers or applications that the stealer malware specifically targets?
The stealer targets browsers including Brave, Edge, Chrome, Firefox, Opera, Sleipnir5, Pale Moon, and CocCoc, and applications including FTP clients, email clients, file managers, password managers, VPN services, and messaging applications. It is Windows malware: its system profiling relies on WMI, which exists only on Windows, so the browsers and applications at risk are their Windows builds.
Is there any specific method used by the stealer malware to target and gather data from crypto wallets?
The reporting states that the stealer targets a range of crypto wallets and gathers data from them, without detailing the wallet-specific routine. Stealers of this kind generally copy the wallet applications' local data files, which hold the private keys or seed material that controls the funds. If those files are unencrypted or protected by a weak passphrase, the attacker can import them into their own wallet software and drain the accounts, so the theft of the file is effectively the theft of the funds.
Apart from spam emails and phishing websites, are there any other cautionary measures that users should take to protect themselves from the malware?
In addition to caution with spam emails and phishing websites, users should keep their endpoint protection updated, since detection of a newly reported stealer family depends on current signatures and behavioural rules. If an infection is suspected, assume every password saved in a browser on that machine and every wallet whose files were stored there has been stolen: change the passwords from a clean device and move the funds to a wallet created elsewhere. Falling victim to the malware can lead to the theft of sensitive information and financial loss.