Phishing Attack Targets Firms with Rhadamanthys Stealer

A threat actor known as TA547 has launched a phishing campaign aimed at numerous German organizations, using an information stealer named Rhadamanthys. This marks the first time TA547 has been observed using Rhadamanthys, a tool utilized by multiple cybercriminal groups. The campaign also involved the suspected use of a PowerShell script generated by a large language model (LLM), according to researchers.

TA547 is a financially motivated threat actor that has been active since at least November 2017. Initially known for delivering various Android and Windows malware such as ZLoader, Gootkit, DanaBot, Ursnif, and Adhubllka ransomware through email phishing, the group has since evolved into an initial access broker (IAB) for ransomware attacks. Recent tactics include geofencing payloads to specific regions.

In this latest campaign, email messages impersonated the German company Metro AG, containing a password-protected ZIP file with an embedded ZIP archive. Opening this archive initiated the execution of a remote PowerShell script, which launched Rhadamanthys directly into memory.

Notably, the PowerShell script used in this attack contained “grammatically correct and hyper specific comments” for each instruction, suggesting it may have been generated or rewritten using an LLM. Alternatively, TA547 could have copied the script from a source that utilized generative AI technology.

This campaign showcases a shift in techniques for TA547, including the use of compressed LNKs and the previously unobserved Rhadamanthys stealer. It also sheds light on how threat actors are incorporating likely LLM-generated content into malware campaigns.
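The delivery chain described above (a ZIP holding a second ZIP whose contents include a shortcut) is something a mail gateway or sandbox can triage before a user ever opens it. The following is an added example, not code from the original report or from Proofpoint: it builds a constructed nested ZIP with a .lnk inside, then walks the archive and flags nested archives, shortcut/script lures and encrypted entries. It relies on the fact that ZIP entry names stay readable even when the entry data is password-protected; the sample archive itself is unencrypted because the standard library cannot write encrypted ZIPs.

```python
import io
import zipfile

ARCHIVE_EXTS = (".zip",)
# Shortcut and script extensions commonly used as lures inside archives.
LURE_EXTS = (".lnk", ".ps1", ".hta", ".js", ".vbs")


def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Walk a ZIP (and any ZIPs nested inside it) and return triage findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            encrypted = bool(info.flag_bits & 0x1)  # bit 0 = entry is encrypted
            if encrypted:
                findings.append(f"depth {depth}: encrypted entry {name}")
            if lower.endswith(LURE_EXTS):
                findings.append(f"depth {depth}: shortcut/script lure {name}")
            if lower.endswith(ARCHIVE_EXTS):
                findings.append(f"depth {depth}: nested archive {name}")
                # Inner archive data can only be read when it is not encrypted.
                if depth < max_depth and not encrypted:
                    findings.extend(inspect_zip(zf.read(name), depth + 1, max_depth))
    return findings


def is_suspicious(findings) -> bool:
    """Nested archive plus a shortcut/script lure is the pattern worth quarantining."""
    has_nested = any("nested archive" in f for f in findings)
    has_lure = any("lure" in f for f in findings)
    return has_nested and has_lure


def build_sample() -> bytes:
    """Constructed sample: outer ZIP -> inner ZIP -> .lnk (file names are made up)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Rechnung.pdf.lnk", b"placeholder, not a real shortcut")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Rechnung.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    result = inspect_zip(build_sample())
    print("\n".join(result))
    print("suspicious:", is_suspicious(result))
```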

As phishing campaigns continue to evolve, attackers are employing uncommon tactics to facilitate credential-harvesting attacks. For example, some campaigns prompt recipients to click on a link to access a voice message, leading to the retrieval of obfuscated HTML content containing JavaScript code.

Additionally, social engineering campaigns have utilized malicious ads on search engines to deceive users into downloading fake installers for popular software, ultimately deploying malware like Nitrogen and IDAT Loader. The infection chain associated with IDAT Loader involves using an MSIX installer to launch a PowerShell script that contacts a Telegram bot to fetch a second PowerShell script, bypassing Windows Antimalware Scan Interface (AMSI) protections to load the SectopRAT trojan.

To prevent falling victim to such phishing attacks, organizations should conduct regular security awareness training so that employees recognize phishing emails and report them promptly. Implementing email authentication protocols such as SPF, DKIM, and DMARC helps verify the authenticity of incoming mail and reduces the likelihood of phishing emails reaching employees' inboxes. Organizations should also deploy endpoint protection solutions that can detect and block malicious activity, such as a shortcut launching PowerShell to fetch and run a remote script.