Campaign Overview:
Have you ever reposted a meme or a video on social media without specifically obtaining the original creator's permission? Has your company ever potentially failed to request needed permissions?
In recent months, a large-scale phishing operation has emerged, preying on fears of copyright infringement.
Dubbed “CopyRh(ight)adamantys” by Check Point Research, this campaign weaponizes the latest version of the Rhadamanthys stealer, a sophisticated malware, and installs it as a payload on devices.
How the Campaign Works:
Cyber criminals have created dedicated Gmail accounts through which they distribute emails impersonating legitimate companies, which ostensibly claim that their intellectual property rights have been infringed upon. Roughly 70% of the impersonated companies are in the entertainment/media and technology space.
The phishing messages themselves encourage individuals to take immediate action in order to remedy the situation. Recipients are instructed to download an archive file, which triggers the malware infection through DLL side-loading.
The vulnerable binary then installs the latest version of the Rhadamanthys stealer (version 0.7), which includes new capabilities, such as an AI-powered optical character recognition (OCR) module.
About the Rhadamanthys Infostealer:
Rhadamanthys is a widely known infostealer. As Check Point’s Sergey Shykevich explains, “It’s without any doubt the most sophisticated of those infostealers which are sold as commodity malware on the dark web.”
“…It’s much more modular, more obfuscated and more complicated in [terms of] how it’s built: The way it loads itself, hides itself, all this makes detection much more complicated.”
For Cyber Security Professionals:
Prevent Rhadamanthys from appearing on your devices by adhering to these email security recommendations:
1. Powerful email filtering. Given the sophistication of this campaign, ensure that your organization has a strong email filtering system in place. Email filters can potentially block this type of spam before it lands in the inbox.
If looking for an email filtering system upgrade, seek out a solution that can identify and block emails from newly created or suspicious domains.
2. Employee training. Tell employees about the tactics used in this campaign. Explain that caution should be exercised around unsolicited emails that claim copyright infringement. Such claims should be verified through official channels and not inherently assumed to be legitimate.
3. Monitor large file downloads. The cyber criminals responsible for this campaign have made the malicious files larger than usual so as to evade detection. Implement monitoring for unusually large file downloads.
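The three recommendations above translate into a simple triage heuristic for mail that carries the traits of this campaign: a company-style display name on a free-mail (Gmail) address, copyright-infringement lure text with urgency pressure, and an archive file that is unusually large. This is an added example, not Check Point's tooling; the field names, the 50 MiB size threshold, the keyword list and the sample messages are constructed assumptions.

```python
"""Triage heuristic for copyright-lure phishing such as the campaign above.
Added example; thresholds, field names and samples are assumptions."""
import re
from dataclasses import dataclass, field

FREEMAIL = {"gmail.com", "googlemail.com"}          # campaign used Gmail accounts
COPYRIGHT_RE = re.compile(r"copyright|intellectual property|infring|dmca|takedown", re.I)
URGENCY_RE = re.compile(r"immediate|urgent|within \d+ (hours|days)", re.I)
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
LARGE_BYTES = 50 * 1024 * 1024   # assumed threshold for "unusually large"


@dataclass
class Message:
    sender: str                  # e.g. 'Legal Dept <name@gmail.com>'
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # [(filename, size_bytes)]


def sender_domain(addr: str) -> str:
    """Pull the bare domain out of 'Name <user@domain>' or 'user@domain'."""
    m = re.search(r"@([\w.-]+)>?\s*$", addr)
    return m.group(1).lower() if m else ""


def score(msg: Message):
    """Return (score, reasons); each campaign trait present adds one point."""
    reasons = []
    # Trait 1: a display name posing as a company on a free-mail address.
    if sender_domain(msg.sender) in FREEMAIL and re.match(r"\S.*<", msg.sender):
        reasons.append("company-style display name on a free-mail address")
    # Trait 2: the copyright-infringement lure and its call to act immediately.
    if COPYRIGHT_RE.search(msg.subject) or COPYRIGHT_RE.search(msg.body):
        reasons.append("copyright-infringement lure text")
    if URGENCY_RE.search(msg.body):
        reasons.append("urgency pressure")
    # Trait 3: an archive (the side-loading carrier), padded to an unusual size.
    for name, size in msg.attachments:
        if name.lower().endswith(ARCHIVE_EXT):
            reasons.append(f"archive attachment {name}")
            if size >= LARGE_BYTES:
                reasons.append(f"{name} is unusually large ({size // 2**20} MiB)")
    return len(reasons), reasons


# Constructed samples: a lure showing every trait, and a benign internal note.
LURE = Message("Acme Legal <acme.legal.notice@gmail.com>",
               "Copyright infringement notice",
               "Remove the content immediately. Evidence attached.",
               [("evidence.zip", 600 * 2**20)])
BENIGN = Message("alice@example.org", "Lunch?", "Noon at the usual place?")
```

Anything scoring 3 or more is a candidate for quarantine and user follow-up; the reasons list gives the analyst the traits that fired.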