    TA547 Phishing Campaign Hits German Companies with the Rhadamanthys Stealer

    A threat actor tracked as TA547 has targeted numerous German organizations with an information stealer called Rhadamanthys as part of an invoice-themed phishing campaign.

    “This marks the premiere instance where TA547 has employed Rhadamanthys, an information exfiltration tool utilized by multiple cybercriminal factions,” stated Proofpoint. “Furthermore, the entity seemed to deploy a PowerShell script, suspected to have been crafted by a substantial linguistic model (SLM).”

    TA547 is a prolific, financially motivated threat actor, documented since at least November 2017, that uses email phishing campaigns to distribute a range of Android and Windows malware, including ZLoader, Gootkit, DanaBot, Ursnif, and even the Adhubllka ransomware.

    More recently, the group has shifted to acting as an initial access broker for ransomware attacks. It has also been observed using geofencing to restrict its payloads to specific regions.

    The emails seen in the latest campaign impersonate the German conglomerate Metro AG and carry a password-protected ZIP file containing a second ZIP archive that, once extracted, launches a remote PowerShell script which runs the Rhadamanthys stealer directly in memory.
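The nested-archive lure described above is easy to triage at the mail gateway before anything is extracted. The following script is an added example (not code from the article or from Proofpoint) that walks a ZIP attachment recursively and flags nested archives, encrypted entries, and shortcut/script files; the sample archives and the file names in them are constructed for the demonstration.

```python
import io
import zipfile

# Entries that should never appear inside an "invoice" archive.
SUSPICIOUS_EXT = (".lnk", ".ps1", ".vbs", ".js", ".hta", ".exe", ".scr")

def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list[str]:
    """Recursively list risky properties of a ZIP attachment."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"depth {depth}: not a valid ZIP"]
    for info in zf.infolist():
        name = info.filename.lower()
        if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
            # The campaign's outer archive is password-protected; we cannot
            # open it without the password, so report it instead of reading it.
            findings.append(f"depth {depth}: encrypted entry {info.filename}")
            continue
        if name.endswith(SUSPICIOUS_EXT):
            findings.append(f"depth {depth}: script/shortcut {info.filename}")
        elif name.endswith(".zip"):
            findings.append(f"depth {depth}: nested archive {info.filename}")
            if depth < max_depth:
                findings.extend(inspect_zip(zf.read(info), depth + 1, max_depth))
    return findings

def is_suspicious(findings: list[str]) -> bool:
    """Quarantine rule: any nested archive, encrypted entry or script/shortcut."""
    return any(k in f for f in findings for k in ("nested", "encrypted", "script"))

def build_lure_sample() -> bytes:
    """Constructed input: ZIP containing a ZIP containing a .lnk (no real shortcut)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Rechnung_2024.lnk", b"placeholder bytes, not a real shortcut")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Rechnung.zip", inner.getvalue())
    return outer.getvalue()

def build_benign_sample() -> bytes:
    """Constructed input: ZIP holding only a PDF invoice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Rechnung_2024.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for label, sample in (("lure", build_lure_sample()), ("benign", build_benign_sample())):
        found = inspect_zip(sample)
        print(label, "SUSPICIOUS" if is_suspicious(found) else "ok", found)
```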

    Notably, the PowerShell script used to launch Rhadamanthys contains “linguistically accurate and exceedingly specific annotations” for each command in the script, suggesting it may have been generated (or rewritten) with an SLM.

    An alternative hypothesis is that TA547 copied the script from another source that had used generative AI to create it.

    “This campaign embodies a paradigm shift for TA547, incorporating compressed LNKs and previously unencountered Rhadamanthys data exfiltration tool,” remarked Proofpoint. “It also provides insights into the utilization of ostensibly SLM-generated content by threat entities in malware initiatives.”

    The development comes as phishing campaigns have begun using unusual techniques to support credential-harvesting operations. In these cases, recipients are told they have a voicemail message and are asked to click a link to access it.

    The payload retrieved from the link is heavily obfuscated HTML that embeds JavaScript inside an SVG image, which runs when the page is rendered on the target system.

    Embedded in the SVG data is “encrypted data housing a secondary stage page prompting the recipient to furnish their credentials for accessing the voicemail,” according to Binary Defense, with the page encrypted using CryptoJS.

    Other email-based attacks have delivered Agent Tesla, which has become a popular choice among threat actors because of its low cost and its versatile data exfiltration and theft capabilities, according to Cofense.

    Social engineering has also taken the form of malicious advertisements served on search engines such as Google, luring unsuspecting users into downloading fake installers for popular software such as PuTTY, FileZilla, and Room Planner, ultimately leading to the deployment of Nitrogen and IDAT Loader.

    The infection chain associated with IDAT Loader is notable for using an MSIX installer to launch a PowerShell script, which then contacts a Telegram bot to retrieve a second PowerShell script hosted on the bot.

    That PowerShell script in turn delivers yet another PowerShell script that is used to bypass Windows Antimalware Scan Interface (AMSI) protections and run the loader, which then drops the SectopRAT trojan.

    “Endpoints can be shielded from malicious advertisements via group policies restricting traffic emanating from both primary and lesser-known advertising networks,” remarked Jérôme Segura, principal threat researcher at Malwarebytes.
