Curated by THEOUTPOST
On Sat, 9 Nov, 12:01 AM UTC
2 Sources
[1]
Scammers are using fake copyright infringement claims to hack businesses
The crooks are impersonating entertainment, media, and tech firms

Scammers have been spotted sending out fake copyright infringement claims as part of a new phishing campaign that spreads the latest version of the Rhadamanthys Stealer malware. Cybersecurity researchers at Check Point Software, who dubbed the campaign CopyRh(ight)adamanthys, noted that the crooks were casting a wide net, targeting as many companies as possible.

At the same time, they impersonated a large number of different organizations. Because of their high online presence and frequent involvement in copyright disputes, the majority (70%) of the impersonated organizations were from the entertainment, media, and tech industries.

Despite Rhadamanthys being a powerful infostealer, this does not appear to be a campaign orchestrated by a nation-state. Rather, the group behind the attack is most likely financially motivated. In its attacks, the group uses dedicated Gmail accounts, sometimes targeting the same victim from multiple addresses. It also seems to be using AI capabilities efficiently, not just to create convincing phishing emails but also to automate the attacks.

The key aim of the campaign, Check Point Software argued, is to deploy an updated version of Rhadamanthys. The malware's author claims this version comes with advanced AI-driven features, a claim the researchers refuted: the tool was shown to use older machine learning techniques of the kind seen in optical character recognition (OCR) software.

"The attackers may be leveraging AI-enhanced automation tools to create phishing content and manage the high volume of Gmail accounts and diversified phishing needed for the campaign," the researchers concluded.

The Rhadamanthys infostealer is a type of malware designed to steal sensitive information from infected systems, including login credentials, browser data, and cryptocurrency wallet details. It operates by capturing data from popular web browsers, email clients, and other applications where users may store credentials or personal information. The tool can also record keystrokes as an alternative means of stealing passwords and other sensitive data. The malware is often distributed through phishing campaigns and malicious attachments.
[2]
Cybercrims target global orgs using fake copyright notices
Organizations should be on the lookout for bogus copyright infringement emails, as they might be the latest ploy by cybercriminals to steal their data.

The most recent version of the Rhadamanthys infostealer is being spread far and wide, targeting organizations across multiple continents, as part of a phishing campaign that has been running since July. Victims are sent emails pretending to be from media and technology companies, falsely alleging a copyright violation involving content on their business Facebook pages, according to researchers at Check Point. The emails play on the worry victims feel when accused of wrongdoing, and following their instructions leads to the infostealer's deployment.

The emails are sent from a different Gmail account every time and appear to come from the "legal representatives" of the supposed copyright complainants. Attached are what the crooks claim are content-removal instructions, neatly packaged in a password-protected ZIP archive. You can guess what happens when that archive is extracted. It contains a decoy PDF, an executable, and a DLL that carries the Rhadamanthys stealer. If the victim runs the executable, it side-loads the DLL, which then unpacks and deploys the malware. It sounds like a lot of unnecessary steps to handle a copyright request, but don't underestimate the panic factor of a threatening legal email.

Multiple security shops have noted that the latest version of Rhadamanthys (0.7) is packed with AI capabilities for optical character recognition (OCR). However, Check Point says there is nothing massively advanced going on here: Rhadamanthys appears to use an older type of machine learning for OCR rather than the more advanced models seen in recent years. Where AI-style automation does seem to feature is on the attackers' side, in creating each Gmail account used to send the phishing emails and in generating the emails' content. That automation is also prone to errors.

Researchers saw hundreds of intercepted phishing emails in which language errors ruined the attack, such as opting for Hebrew to target Korean organizations instead of the victim's own language. Targeted countries include the US, Israel, South Korea, Peru, Thailand, Spain, Switzerland, and Poland.

"This discovery of the CopyRh(ight)adamantys campaign reveals not only the evolving sophistication of cyber threats but also highlights how cybercriminals are leveraging AI for marketing purposes and use automation to enhance their reach and operational scale," said Sergey Shykevich, threat intelligence group manager at Check Point Software. "For security leaders, it's a wake-up call to prioritize automation and AI in defense strategies to counteract these globally scaled, financially motivated phishing campaigns."

Researchers at Cisco Talos and Recorded Future's Insikt Group have both previously published analyses of the latest version of the malware. The latter added that the new version includes an option for attackers to deploy MSI files to execute the malicious code, a tactic used to evade defenses. Broadcom spotted the same thing. Aside from the MSI observation, the researchers' findings were broadly similar. Both Talos and Insikt noted that the OCR component Rhadamanthys uses can, and does, scan victims' machines for files that contain seed phrases for cryptocurrency wallets. This is in addition to the usual data stolen by infostealers, such as credentials, passwords, cookies, and more. It signals that the people behind the campaign are financially motivated, whether through siphoning funds directly from wallets, selling the stolen credentials to the highest bidder, or using them for follow-on attacks.

Check Point cast doubt on previous suspicions that Rhadamanthys was a tool used by teams sponsored by states such as Russia and Iran, saying the indiscriminate targeting and financially motivated tactics suggest lower-level criminals are the true operators. Full technical details about Rhadamanthys can be found on the respective researchers' technical blogs, which also include indicators of compromise for defenders to bolster their detection systems.
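The attachment layout described above (a password-protected ZIP holding a decoy document, a launcher EXE and the DLL it side-loads) is something a mail gateway can flag from the archive directory alone, because ZIP stores entry names and the per-entry encryption flag in the clear even when the contents are password-protected. The following triage heuristic is an added example written for this page; it is not Check Point's, Talos's or Insikt Group's tooling, and the archive it builds is a constructed stand-in with invented file names, not a real sample from the campaign.

```python
import io
import os
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# File types that matter for the decoy + EXE + DLL pattern. ".msi" is included
# because Insikt Group reported an MSI delivery option in the new version.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".msi"}
LIBRARY_EXTS = {".dll"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}

Entry = Tuple[str, bool]  # (path inside the archive, entry is encrypted)


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # An EXE next to a DLL on its own is enough to reach the threshold.
        return self.score >= 3


def list_archive(data: bytes) -> List[Entry]:
    """Return (name, encrypted) for each file entry without needing the password.

    Bit 0 of the general-purpose flag marks an encrypted entry; the names
    themselves are never encrypted in a standard ZIP.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, bool(info.flag_bits & 0x1))
                for info in zf.infolist() if not info.is_dir()]


def assess_listing(entries: List[Entry]) -> Verdict:
    """Score an archive listing for the side-loading bundle, directory by directory."""
    verdict = Verdict()
    exts_by_dir: Dict[str, Set[str]] = {}
    for name, _encrypted in entries:
        directory, base = os.path.split(name.replace("\\", "/"))
        exts_by_dir.setdefault(directory, set()).add(os.path.splitext(base)[1].lower())

    for directory, exts in exts_by_dir.items():
        label = directory or "<root>"
        has_exe = bool(exts & EXECUTABLE_EXTS)
        has_dll = bool(exts & LIBRARY_EXTS)
        has_decoy = bool(exts & DECOY_EXTS)
        if has_exe and has_dll:
            # The executable is the launcher and the DLL beside it is what gets
            # side-loaded; the pair in one directory is the strongest indicator.
            verdict.score += 3
            verdict.reasons.append(f"{label}: EXE and DLL side by side (side-load pattern)")
        elif has_exe:
            verdict.score += 1
            verdict.reasons.append(f"{label}: bare executable in a mail attachment")
        if has_decoy and (has_exe or has_dll):
            verdict.score += 1
            verdict.reasons.append(f"{label}: document-like decoy next to binaries")

    if any(encrypted for _, encrypted in entries):
        # Password protection keeps gateway scanners from opening the payload.
        verdict.score += 1
        verdict.reasons.append("archive entries are password-protected")
    return verdict


def build_sample_bundle() -> bytes:
    """Constructed stand-in for the campaign attachment; the file names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Copyright Notice/Takedown Instructions.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Copyright Notice/Takedown Instructions.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Copyright Notice/support.dll", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    listing = list_archive(build_sample_bundle())
    result = assess_listing(listing)
    print(f"score={result.score} suspicious={result.suspicious}")
    for reason in result.reasons:
        print(" -", reason)
```

Python's zipfile module can read but not write password-protected archives, so the constructed sample is unencrypted and scores 4; feeding assess_listing the same listing with the encrypted flag set to True adds the final point. In production the listing would come from the gateway's attachment extraction, and the verdict would feed a quarantine rule rather than a print statement.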
Cybercriminals are leveraging fake copyright infringement notices to distribute the latest version of Rhadamanthys Stealer malware, utilizing AI capabilities for more efficient attacks.
A new phishing campaign dubbed CopyRh(ight)adamanthys has been uncovered, targeting organizations worldwide with fake copyright infringement claims. The campaign, active since July, aims to spread the latest version of the Rhadamanthys Stealer malware [1].
Cybercriminals are impersonating entertainment, media, and tech firms, which account for 70% of the spoofed organizations. The attackers use dedicated Gmail accounts and leverage AI capabilities to create convincing phishing emails and automate their attacks [1].
The author of the latest version of Rhadamanthys (0.7) claims it has advanced AI-driven features. However, researchers at Check Point Software found that it primarily uses older machine learning techniques, particularly for optical character recognition (OCR) [2].
The phishing emails carry a password-protected ZIP archive containing a decoy PDF, an executable, and a DLL. When the executable is run, it side-loads the DLL, which unpacks and deploys the stealer. Rhadamanthys then harvests sensitive information including login credentials, browser data, cookies, and cryptocurrency wallet details such as seed phrases [1][2].
The campaign has a wide reach, targeting organizations across multiple continents. Countries affected include the US, Israel, South Korea, Peru, Thailand, Spain, Switzerland, and Poland [2].
Despite initial suspicions of state-sponsored activity, the indiscriminate targeting and financially motivated tactics suggest that lower-level criminals are behind the campaign. The attackers aim to profit either by directly siphoning funds from cryptocurrency wallets or by selling stolen credentials [2].
Sergey Shykevich, threat intelligence group manager at Check Point Software, emphasized the need for security leaders to prioritize automation and AI in defense strategies to counteract these globally scaled, financially motivated phishing campaigns [2].
As the threat landscape continues to evolve, organizations must remain vigilant and adapt their security measures to combat increasingly sophisticated attacks that leverage AI and automation techniques.
The Outpost is a comprehensive collection of curated artificial intelligence software tools that cater to the needs of small business owners, bloggers, artists, musicians, entrepreneurs, marketers, writers, and researchers.
© 2025 TheOutpost.AI All rights reserved