Full Report
AhnLab SEcurity intelligence Center (ASEC) has confirmed that Infostealer malware disguised as a document containing legal responsibilities and copyright infringement facts is continuously being distributed in Korea. It is mainly distributed through links in email attachments, and the email instructs the recipients to download the evidence related to the copyright infringement. Link in Email […]
Analysis Summary
# Tool/Technique: Rhadamanthys Infostealer (Disguised as Legal/Copyright Infringement Documents)
## Overview
Infostealer malware, specifically identified as Rhadamanthys, is being distributed in Korea and internationally (Thailand, Hungary, Portugal, Greece, Japan) disguised as documents related to legal response, copyright infringement, or intellectual property rights. The distribution uses socially engineered email lures to trick recipients into downloading compressed files containing the malware payload.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (Implied by use of common Windows system processes like `openwith.exe`, `rundll32.exe`, and PowerShell)
- Capabilities: Information theft (credentials for email, FTP, online banking), DLL injection, process termination.
- First Seen: Not specified, but currently under active distribution.
## MITRE ATT&CK Mapping
This campaign utilizes multiple techniques related to delivery, execution, and credential access:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Delivering compressed files via email)
- **TA0002 - Execution**
- T1204 - User Execution
- T1204.002 - dll side-loading (Type 1)
- **TA0003 - Persistence** (Indirectly, via injected code)
- **TA0005 - Defense Evasion**
- T1055 - Process Injection
- T1055.001 - Dynamic-link Library Injection (DLL Injection into system processes)
- T1498 - Network Service Discovery (Implied by targeting forensic/security tools for termination)
- **TA0006 - Credential Access**
- T1555 - Credentials from Managed Application Stored (Stealing credentials for email, FTP, online banking)
## Functionality
### Core Capabilities
The malware utilizes two primary infection vectors, both delivered via compressed archives:
**Type 1: DLL Side-Loading**
1. The compressed file contains a legitimate executable (e.g., PDF Reader program) and a malicious DLL.
2. When the user executes the EXE, the system loads the malicious DLL due to dependency searching order.
3. Rhadamanthys Infostealer is activated.
4. The malware performs DLL injection into legitimate Windows system processes to mask activity.
**Type 2: Double Extension & Process Manipulation**
1. The compressed file contains a malicious EXE disguised with a double extension (e.g., `file.pdf.exe`) and a text file lure.
2. Execution of the malicious EXE activates the Infostealer.
3. It uses a PowerShell command to terminate security, debugging, and system administration tools (e.g., `taskmgr`, `wireshark`, `ida64`, `pestudio`) to hinder analysis or post-compromise activity.
### Advanced Features
- **Information Exfiltration:** Steals information related to email clients, FTP applications, and online banking services.
- **Screen Capture:** Captures the victim's screen.
- **Process Injection:** Targets system processes (`openwith.exe`, `dialer.exe`, `rundll32.exe`, etc.) for code execution and evasion.
## Indicators of Compromise
- File Hashes:
- 64a145f3716c4fae76389ced81013e28
- ca58a723609057048c97ebd8f9b4d36f
- de432b951132ecad82a392d60f4682e1
- File Names (Examples):
- Definite evidence helps to confirm the criminal behavior.zip
- Evidence verified through the investigation.zip
- Documents and evidence of intellectual property rights infringement.zip
- Evidence and Detailed Information on Copyright Infringement.zip
- 違反を示す証拠/違反を示す証拠.pdf.exe (Japanese example)
- A nyomozási folyamat bizonyítéka.exe (Hungarian example)
- Registry Keys: Not explicitly mentioned.
- Network Indicators:
- hxxps://tr[.]ee/3FKnsw (URL shortener used for initial C2 delivery)
- hxxps://laurayoung2169944-dot-yamm-track[.]appspot[.]com/2gwdQgyj0E2vzqvbGg2Q8Vfawz52qe38tVH-Y92ZoVgBqJibClgEzOCbYyqGbTJh0dKhw8GQbFc_Fesz7f9zrLq-2V-eP1KMh9_AEWIYxXvJBaYeQMZELdDvNm3D-jXjmCZhpz_vekp6k6wRmVhQAy8E8tvBKAmido8oujb3kXgIEfYHLKv2LcSBPU3qzwd3tG0yoQroSnpBWvxoJ0Cigir-WRpFZtmNqF9GzWiYvcbQYCA_FW112o2ZfGIvFBZS2YBmvm5iJcYtbCXPbhF_PffE2uiWA (Malicious download link)
- http[:]//147[.]124[.]219[.]157[:]3243/ (Likely C2)
- http[:]//192[.]30[.]241[.]106[:]56001/ (Likely C2)
- Behavioral Indicators:
- Execution of a malicious DLL triggered by a legitimate application (Side-Loading).
- Use of PowerShell to run process termination commands targeting security analysis tools.
- DLL injection into processes like `openwith.exe` or `rundll32.exe`.
## Associated Threat Actors
The article does not explicitly name the threat actor group responsible, but notes the campaign is active globally (Korea, Thailand, Hungary, Portugal, Greece, Japan).
## Detection Methods
- Signature-based detection: Based on file hashes provided.
- Behavioral detection: Monitoring for unusual DLL loading patterns associated with legitimate EXEs, or PowerShell commands enumerating or terminating security/forensic tools (`ksdumperclient`, `vmtoolsd`, `wireshark`, etc.).
- YARA rules: Not provided in the text.
## Mitigation Strategies
- Avoid executing suspicious files received via email or messenger, even if they appear to be official documents.
- Ensure operating system settings are configured to display full file extensions (disable hiding known file extensions) to prevent successful "double extension" social engineering tactics (e.g., `.pdf.exe` appears as `.pdf`).
- Implement application control to restrict execution of unknown executables.
- Monitor outbound network connections from host processes like `openwith.exe` or `rundll32.exe` to external IPs/ports.
## Related Tools/Techniques
- Similar Ransomware/Infostealer techniques that rely on DLL Side-Loading (a common T1204.002 implementation).
- Other Infostealers that target browser, banking, and FTP credentials.