Don't open that 'copyright infringement' email attachment – it's an infostealer

Curiosity gives crims access to wallets and passwords


Organizations should be on the lookout for bogus copyright infringement emails as they might be the latest ploy by cybercriminals to steal their data.

The most recent version of the Rhadamanthys infostealer malware is being spread far and wide, targeting organizations across multiple continents, as part of an ongoing phishing campaign since July.

Victims are sent emails pretending to be from media and technology companies falsely alleging a copyright violation regarding content on their business Facebook pages, according to researchers at Check Point. These emails, however, lead to the infostealer's deployment, playing on the worry victims feel when accused of wrongdoing.

The emails are sent from different Gmail accounts every time and appear to be coming from the "legal representatives" of the supposed copyright complainants. Attached are what the crooks claim are content-removal instructions neatly packaged up in a password-protected ZIP archive.

You can guess what happens when that archive is extracted. It includes a decoy PDF, an executable, and a DLL that contains the Rhadamanthys stealer. If the victim runs the executable, it side-loads the DLL, which then unpacks and deploys the malware.
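One practical detail of the attachment layout described above is that standard ZIP encryption protects entry contents, not entry names, so a mail gateway can triage a password-protected archive on its file listing alone without ever extracting it. The following is an added example, not Check Point's or The Register's code: it builds a constructed sample archive mimicking the decoy-PDF-plus-EXE-plus-DLL layout, reads the central directory, and flags the executable-beside-DLL pairing that side-loading relies on. File names, contents and the `is_sideload_lure` heuristic are this example's own assumptions; Python's `zipfile` cannot write encrypted entries, so the sample is unencrypted, but the listing logic is identical for encrypted archives.

```python
"""Triage a ZIP attachment by its central directory only (no extraction).

Added example; not code from the original article or from Check Point.
Assumption stated above: ZIP encryption hides entry contents, not entry
names, so the listing of a password-protected archive is still readable.
"""
import io
import zipfile


def inspect_zip(data: bytes) -> dict:
    """Summarise an archive's entries without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    names = [i.filename for i in infos]
    lower = [n.lower() for n in names]
    return {
        "names": names,
        # Bit 0 of the general-purpose flag marks an encrypted entry.
        "encrypted": any(i.flag_bits & 0x1 for i in infos),
        "has_exe": any(n.endswith(".exe") for n in lower),
        "has_dll": any(n.endswith(".dll") for n in lower),
        "has_pdf": any(n.endswith(".pdf") for n in lower),
    }


def is_sideload_lure(summary: dict) -> bool:
    """Heuristic (this example's own): an EXE and a DLL shipped together in
    one mail attachment is the DLL side-loading pattern; a decoy document
    alongside them is typical but not required for a hit."""
    return summary["has_exe"] and summary["has_dll"]


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the described attachment: decoy PDF,
    executable and DLL. Contents are placeholder bytes, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Removal_Instructions.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Instructions.exe", b"MZ placeholder")
        zf.writestr("helper.dll", b"MZ placeholder")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control: a single PDF, which the heuristic must not flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_archive()),
                        ("benign", build_benign_archive())):
        summary = inspect_zip(blob)
        verdict = "FLAG" if is_sideload_lure(summary) else "ok"
        print(f"{label}: {verdict} {summary['names']} "
              f"encrypted={summary['encrypted']}")
```

Because the check never opens an entry, it is safe to run on quarantined mail and works whether or not the archive password is known; a real deployment would feed the summary into the gateway's scoring rather than block on it outright.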

It sounds like a lot of unnecessary steps to handle a copyright request, but don't underestimate the panic factor a threatening legal email can have.

Multiple security shops have noted that the latest version of Rhadamanthys (Rhadamanthys 0.7) is packed with AI capabilities for optical character recognition (OCR).

However, Check Point says there's nothing massively advanced going on here. Rhadamanthys appears to be using an older type of AI for OCR rather than the more advanced models seen in recent years.

AI is also used to create each email account from which the phishing emails are sent, as well as the emails' content. That process, too, is prone to errors.

Researchers saw hundreds of intercepted phishing emails in which language errors undermined the attack, such as emails written in Hebrew being sent to Korean organizations instead of in the victim's own language.

Targeted countries include the US, Israel, South Korea, Peru, Thailand, Spain, Switzerland, and Poland.

"This discovery of the CopyRh(ight)adamantys campaign reveals not only the evolving sophistication of cyber threats but also highlights how cybercriminals are leveraging AI for marketing purposes and use automation to enhance their reach and operational scale," said Sergey Shykevich, threat intelligence group manager at Check Point Software.

"For security leaders, it's a wake-up call to prioritize automation and AI in defense strategies to counteract these globally scaled, financially motivated phishing campaigns."

Researchers at the likes of Cisco Talos and Recorded Future's Insikt Group have both previously published their analyses of the latest version of the malware. The latter added to the conversation by saying the new version includes an option for attackers to deploy MSI files to execute nasty code – a tactic used to evade defense systems. Broadcom spotted the same thing.

Aside from the MSI observation, the researchers' findings were broadly similar. Both Talos and Insikt noted that the OCR tech Rhadamanthys uses can, and does, scan victims' machines for files that contain seed phrases for cryptocurrency wallets.

This is in addition to the usual data stolen by infostealers such as credentials, passwords, cookies, and more.

It signals that the people behind the attack campaign are financially motivated, either through siphoning funds directly from wallets, or selling the stolen credentials to the highest bidder, unless they're using them for follow-on attacks.

Check Point muddied previous suspicions that Rhadamanthys was a tool used by teams sponsored by states such as Russia and Iran, saying the indiscriminate targeting and financially motivated tactics suggest lower-level criminals are the true operators.

Full technical details about Rhadamanthys can be found on the respective researchers' technical blogs, which also include indicators of compromise for defenders to bolster their detection systems. ®
