SteelFox and Rhadamanthys Malware Employ Copyright Scams, Driver Exploits

Two separately reported malware campaigns are hitting victims worldwide: one delivers the Rhadamanthys stealer through copyright-themed phishing, and the other spreads the SteelFox crimeware bundle through fake software cracks that abuse a vulnerable kernel driver. The SteelFox campaign has been active since February 2023.

A Widespread Campaign

Cybersecurity firm Check Point has been tracking the Rhadamanthys campaign, which it calls CopyRh(ight)adamantys and which targets the United States, Europe, East Asia, and South America.

"The campaign impersonates dozens of companies, sending each email from a unique Gmail account tailored to the targeted entity's industry and language," Check Point stated in a technical analysis. "Nearly 70% of the impersonated firms belong to the Entertainment/Media and Technology/Software sectors."

Advanced AI Integration

The latest attacks use version 0.7 of the Rhadamanthys stealer, which adds artificial intelligence (AI) for optical character recognition (OCR), as previously reported by Recorded Future's Insikt Group.

This activity coincides with a campaign disclosed by Cisco Talos targeting Facebook business and advertising account users in Taiwan, which deploys Lumma or Rhadamanthys stealer malware.

Sophisticated Phishing Tactics

The phishing emails pose as legal representatives of well-known companies and falsely accuse the recipient of copyright infringement. They claim that the instructions for removing the allegedly infringing content are in a password-protected file.

"The removal instructions link to appspot.com, directing users to Dropbox or Discord to download a protected archive with the password provided," Check Point explained.

The RAR archive contains three files: a legitimate executable that is susceptible to DLL side-loading, a malicious DLL carrying the stealer payload, and a decoy document. When the victim runs the executable, it loads the attacker's DLL from its own directory instead of the legitimate library of the same name, and that starts the Rhadamanthys infection.
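
As an added illustration of how a defender would spot this kind of side-loading on an endpoint (example code written for this page, not Check Point's tooling or anything recovered from the campaign), the Python below applies a simple heuristic to Sysmon Event ID 7 (ImageLoad) records: flag a DLL loaded from the same directory as its host executable when that directory is user-writable and the DLL is unsigned. The directory markers, the file names (including version.dll) and the sample records are all constructed for the example; this page does not name the campaign's actual executable or DLL.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoad) records.

Heuristic: a process running from a user-writable directory loads a DLL from
that same directory, and the DLL is unsigned or its signature does not
validate. The marker list, the file names and the records below are all
constructed for this example; they are not taken from the campaign.
"""
from pathlib import PureWindowsPath

# Directory fragments an unprivileged user can write to (assumed list).
USER_WRITABLE_MARKERS = (
    "\\downloads\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

SAMPLE_EVENTS = [
    # Archive extracted to Downloads: host EXE loads an unsigned DLL beside it.
    {"EventID": 7,
     "Image": r"C:\Users\jdoe\Downloads\copyright_notice\viewer.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\copyright_notice\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Same process loading a system DLL from System32: normal.
    {"EventID": 7,
     "Image": r"C:\Users\jdoe\Downloads\copyright_notice\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Installed application loading its own signed helper DLL: normal.
    {"EventID": 7,
     "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Not an image-load event at all.
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},
]


def in_user_writable_dir(path: str) -> bool:
    """Cheap substring test against the assumed user-writable locations."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def is_sideload_candidate(event: dict) -> bool:
    """True when the record matches the side-loading heuristic above."""
    if event.get("EventID") != 7:
        return False
    host = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.suffix.lower() != ".dll":
        return False
    same_dir = str(host.parent).lower() == str(loaded.parent).lower()
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    return same_dir and not signed_ok and in_user_writable_dir(str(host))


def find_sideload_candidates(events):
    """Return (host image, loaded DLL) pairs worth a closer look."""
    return [(e["Image"], e["ImageLoaded"])
            for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for host, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {host} loaded {dll}")
```

Expect noise from portable applications and installers run from Downloads; restricting the DLL name to libraries that normally resolve from System32 cuts most of it. The host executable's own signature is deliberately not checked, because in this technique it is valid: the point of side-loading is that a trusted binary does the loading.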

Financial Motivation

Check Point attributes the campaign to a financially motivated cybercrime group and notes that AI tools are used to handle the campaign's scale and the variety of its lures and sender accounts.

"The campaign's extensive and indiscriminate targeting across various regions indicates organization by a financially driven cybercrime group rather than state-sponsored actors," Check Point noted. "Their global reach and automated tactics reflect attackers' continual evolution to enhance success rates."

The SteelFox Threat

Separately, Kaspersky has identified a new crimeware bundle named SteelFox, which is distributed through forum posts, torrent trackers, and blogs, disguised as legitimate software such as Foxit PDF Editor, JetBrains products, and AutoCAD.

SteelFox has been active since February 2023 and has hit victims worldwide, particularly in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. The campaign has not been attributed to any known threat actor.

Technical Sophistication

"Utilizing sophisticated execution chains, including shellcoding, SteelFox abuses Windows services and drivers," security researcher Kirill Korchemny explained. "It employs stealer malware to extract victims' credit card information and device details."

Infection begins with a dropper that poses as a cracked version of the software. When run, it asks for administrator rights, drops a loader that sets up persistence, and launches the SteelFox DLL.

Those administrator rights are then used to create a service that loads an outdated build of WinRing0.sys, the kernel driver of the WinRing0 hardware-access library. The driver is vulnerable to CVE-2020-14979 and CVE-2021-41285, which the malware exploits to obtain NT\SYSTEM privileges. Driver Signature Enforcement does not stop this step on its own, since an outdated driver of this kind still carries a valid signature; keeping it out requires a vulnerable-driver blocklist.
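
To show what the service-and-driver step described above looks like in Windows telemetry, the following Python is an added example (not Kaspersky's code or anything from the SteelFox sample) that triages System log event 7045 (a service was installed) and Sysmon Event ID 6 (DriverLoad) records for known-vulnerable driver files loaded from outside the system drivers directory. WinRing0.sys is the file named in the analysis; the 64-bit file name, the path-normalization rules, the trusted-directory list and all sample records are assumptions constructed for the example.

```python
"""Triage Windows service-install and driver-load events for a known-vulnerable
kernel driver such as the outdated WinRing0.sys abused by SteelFox.

Inputs are System log event 7045 ("A service was installed in the system") and
Sysmon Event ID 6 (DriverLoad) records. All records below are constructed for
this example; they are not real telemetry.
"""
from pathlib import PureWindowsPath

# File names to treat as known-vulnerable. WinRing0.sys is named in the
# Kaspersky analysis; the x64 name is an assumption added for the example.
VULNERABLE_DRIVER_NAMES = {"winring0.sys", "winring0x64.sys"}

# Where a legitimately installed driver is normally loaded from (assumed).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers",)

SAMPLE_EVENTS = [
    # The SteelFox-style case: a driver service whose binary sits in %TEMP%.
    {"EventID": 7045, "ServiceName": "WinRing0_1_2_0",
     "ImagePath": r"\??\C:\Users\jdoe\AppData\Local\Temp\WinRing0.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"EventID": 6,
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\WinRing0.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    # A vendor driver installed the normal way.
    {"EventID": 7045, "ServiceName": "VendorMon",
     "ImagePath": r"\SystemRoot\System32\drivers\vendormon.sys",
     "ServiceType": "kernel mode driver", "StartType": "auto start"},
    # A user-mode service: not a driver, so ignored.
    {"EventID": 7045, "ServiceName": "Updater",
     "ImagePath": r'"C:\Program Files\Vendor\updater.exe" /svc',
     "ServiceType": "user mode service", "StartType": "auto start"},
]


def normalize_image_path(raw: str) -> str:
    """Turn the forms seen in a 7045 ImagePath into a plain drive-letter path.

    Handles surrounding quotes plus arguments, the \\??\\ NT prefix,
    \\SystemRoot\\ and a bare system32\\ prefix; %SystemRoot% is assumed
    to be C:\\Windows.
    """
    path = raw.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]        # drop quotes and any arguments
    low = path.lower()
    if low.startswith("\\??\\"):
        path, low = path[4:], low[4:]
    if low.startswith("\\systemroot\\"):
        path = "C:\\Windows\\" + path[len("\\SystemRoot\\"):]
    elif low.startswith("system32\\"):
        path = "C:\\Windows\\" + path
    return path


def driver_path(event: dict):
    """Return the driver file path for events this check cares about, else None."""
    if event.get("EventID") == 7045 and "driver" in event.get("ServiceType", "").lower():
        return normalize_image_path(event["ImagePath"])
    if event.get("EventID") == 6:
        return normalize_image_path(event["ImageLoaded"])
    return None


def classify_driver_event(event: dict):
    """'high' = known-vulnerable name loaded from outside the drivers directory,
    'medium' = only one of the two conditions, None = nothing to see."""
    path = driver_path(event)
    if path is None:
        return None
    p = PureWindowsPath(path)
    known_vulnerable = p.name.lower() in VULNERABLE_DRIVER_NAMES
    parent = str(p.parent).lower()
    outside_trusted = not any(parent.startswith(d) for d in TRUSTED_DRIVER_DIRS)
    if known_vulnerable and outside_trusted:
        return "high"
    if known_vulnerable or outside_trusted:
        return "medium"
    return None


def triage(events):
    """Return (EventID, path, severity) for every event worth a look."""
    hits = []
    for event in events:
        severity = classify_driver_event(event)
        if severity:
            hits.append((event["EventID"], driver_path(event), severity))
    return hits


if __name__ == "__main__":
    for event_id, path, severity in triage(SAMPLE_EVENTS):
        print(f"[{severity}] event {event_id}: {path}")
```

The check keys on the driver's identity, not its signature status, because a driver abused this way is usually properly signed and the sample record above is marked as such. In production, match on file hashes from a maintained vulnerable-driver blocklist rather than on names, which are trivially changed, and expect legitimate hardware-monitoring software to load WinRing0 as well, so treat a hit as a triage lead rather than an automatic block.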

"This driver is also part of the XMRig miner, used for mining purposes," Korchemny noted. "After initializing the driver, the malware launches the miner, a modified XMRig executable with junk code fillers connecting to a mining pool using hardcoded credentials."

The miner is fetched from a GitHub repository. The stealer component talks to a remote server over TLS 1.3 and exfiltrates browser cookies, saved credit card data, and browsing history, along with system metadata, the list of installed software, and timezone settings.

"The malware's use of modern C++ and external libraries provides formidable capabilities," Kaspersky stated. "The implementation of TLSv1.3 and SSL pinning ensures secure communication and efficient harvesting of sensitive data."