Campaign Overview:
Have you ever reposted a meme or a video on social media without specifically obtaining the original creator's permissions? Has your company ever potentially failed to request needed permissions?
In recent months, a large-scale phishing operation has emerged, preying on fears of copyright infringement.
Dubbed “CopyRh(ight)adamantys” by Check Point Research, this campaign weaponizes the latest version of the Rhadamanthys stealer, a sophisticated malware, and installs it as a payload on devices.
How the Campaign Works:
Cyber criminals have created dedicated Gmail accounts through which to distribute emails that impersonate legitimate companies – who ostensibly say that their intellectual property rights have been infringed upon. Roughly 70% of the impersonated companies are in the entertainment/media and technology space.
The phishing messages themselves encourage individuals to take immediate action in order to remedy the situation. Recipients are instructed to download an archive file, which triggers the malware infection through DLL side-loading.
The vulnerable binary then installs the latest version of the Rhadamanthys stealer (version 0.7), which includes new capabilities, such as an AI-powered optical character recognition (OCR) module.
About the Rhadamanthys Infostealer:
Rhadamanthys is a widely known infostealer. As Check Point’s Sergey Shykevich explains “It’s without any doubt the most sophisticated of those infostealers which are sold as commodity malware on the dark web.”
“…It’s much more modular, more obfuscated and more complicated in [terms of] how it’s built: The way it loads itself, hides itself, all this makes detection much more complicated.”
For Cyber Security Professionals:
Prevent Rhadamanthys from appearing on your devices by adhering to these email security recommendations:
1. Powerful email filtering. Given the sophistication of this campaign, ensure that your organization has a strong email filtering system in-place. Email filters can potentially block this type of spam before it lands in the inbox.
If looking for an email filtering system upgrade, seek out a solution that can identify and block emails from newly created or suspicious domains.
2. Employee training. Tell employees about the tactics used in this campaign. Explain that caution should be exercised around unsolicited emails that claim copyright infringement. Such claims should be verified through official channels and not inherently assumed to be legitimate.
3. Monitor large file downloads. The cyber criminals responsible for this campaign have created larger versions of the malicious files than usual, as to evade detection. Implement monitoring for unusually large file downloads.Although there may be legitimate reasons for large file shares, and monitoring may not be easy, there are rules that you may be able to set-up around file downloads.
4. Implement strong access controls. Leverage the principle of least privilege to limit potential damage in the event that a system sees compromise. Such measures can contain the spread of Rhadamanthys within your network.
5. Regular cyber security audits. Conduct frequent audits of systems. In so doing, your organization will likely spot unusual activities ahead of potential disasters.
6. Keep systems updated. It’s basic, but a surprising number of organizations have fallen behind when it comes to routine maintenance. Ensure that all systems and software are regularly patched. Cyber criminal groups, including the one responsible for Rhadamanthys, commonly attempt to exploit unpatched systems.
If you’d like to learn more about preventing Rhadamanthys and other email security threats, please reach out to one of our experts.