Full Report
The threat actor behind Rhadamanthys has also advertised two other tools called Elysium Proxy Bot and Crypt Service on their website, even as the flagship information stealer has been updated to support the ability to collect device and web browser fingerprints, among others. "Rhadamanthys was initially promoted through posts on cybercrime forums, but soon it became clear that the author had a
Analysis Summary
# Tool/Technique: Rhadamanthys Stealer (Version 0.9.2)
## Overview
Rhadamanthys Stealer is a prominent piece of malware operating under a Malware-as-a-Service (MaaS) model, marketed by threat actors rebranding as "RHAD security" and "Mythical Origin Labs." The latest version (0.9.2) shows an evolution in capabilities, focusing on enhanced data collection, evasion, and professionalized service offerings (including tiered subscription packages).
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (Implied, as it targets common Windows artifacts and environments)
- Capabilities: Credential/data exfiltration, device fingerprinting, environment checks, anti-sandbox/anti-VM evasion, and leveraging PNG steganography for payload delivery.
- First Seen: Not explicitly stated, but continuously evolving (analysis mentions older versions from previous years).
## MITRE ATT&CK Mapping (Inferred from capabilities)
- TA0001 - Initial Access
- TA0003 - Persistence
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (obfuscation of module names)
- T1027.003 - Obfuscated Files or Information: Steganography (secondary payloads hidden in PNG images)
- T1497.001 - Virtualization/Sandbox Evasion: System Checks (process blacklist, wallpaper and username checks)
- TA0009 - Collection
- T1552.001 - Unsecured Credentials: Credentials In Files
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- TA0010 - Exfiltration
- TA0011 - Command and Control
## Functionality
### Core Capabilities
- Information Stealing: Collects data from web browsers and systems.
- Anti-Analysis/Evasion: Implements environment checks to detect sandboxes and virtual machines, including checking running processes against blacklists, verifying the current wallpaper against a known triage sandbox wallpaper, and checking usernames for sandbox identifiers.
- Anti-Detection Mimicry: Offers an option to raise a benign-looking alert box, presented as a way to end execution cleanly without leaving artifacts behind. The implementation differs from Lumma Stealer's version of the same feature: Rhadamanthys goes through the user32 API `MessageBoxW`, whereas Lumma raises its dialog with the raw `NtRaiseHardError` syscall, which points to surface-level imitation of the feature rather than shared code.
- Module Management: Uses a slightly modified custom XS format for shipping executable modules.
### Advanced Features
- Device Fingerprinting: Ability to collect detailed information about the compromised device, likely for tracking or better targeting.
- PNG Steganography Payloads: Utilizing image files (PNG) to hide and deliver secondary payloads.
- AI-Powered OCR: Previous versions added Optical Character Recognition (OCR) to capture cryptocurrency wallet seed phrases.
- Tiered MaaS Model: Sold in monthly packages ($299 to $499+), indicating a professionalized threat actor infrastructure ("RHAD security").
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: [Not provided in the article, but may use obfuscated module names]
- Registry Keys: [Not provided in the article]
- Network Indicators: [Not provided in the article]
- Behavioral Indicators: A benign-looking alert box raised through `MessageBoxW` as part of the artifact-avoidance feature; during the initial execution checks, enumeration of running processes against a blacklist, a lookup of the current desktop wallpaper, a check of the username, and reads of environment variables and system configuration. The alert box on its own is not an indicator; it is only meaningful alongside the environment checks.
## Associated Threat Actors
- kingcrete2022 (Initial advertiser)
- RHAD security / Mythical Origin Labs (Current branding)
## Detection Methods
- Signature-based detection: Looking for known headers or structures associated with the custom XS format or obfuscated configuration.
- Behavioral detection: Monitoring for environment checks characteristic of this malware (wallpaper checks, username checks, process blacklisting).
- YARA rules: Rules on the obfuscation patterns or on the custom XS module container are the more useful target. The `MessageBoxW` import that separates the alert-box feature from Lumma's `NtRaiseHardError` is present in a large share of benign binaries and cannot serve as a signature on its own; use it only as one condition alongside strings or structures specific to the family.
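The environment checks listed under Core Capabilities and the behavioral-detection bullet above can be turned into a concrete rule over a sandbox API trace. What follows is an added example, not the page's or any vendor's detection content: the one-call-per-line trace format and the sample trace are constructed for the example, and the mapping from each check to the Windows API calls that reveal it is an assumption about how those checks surface in a trace, not something the report states. The rule fires only when all three checks land early in execution, and it reports the alert-box API for context without treating it as evidence.

```python
import re
from collections import defaultdict

# Constructed trace format for this example: "<seq> pid=<pid> api=<Name> [key=value ...]".
LINE_RE = re.compile(r"^(?P<seq>\d+)\s+pid=(?P<pid>\d+)\s+api=(?P<api>\w+)(?:\s+(?P<args>.*))?$")

# How each environment check surfaces as API calls (assumed mapping, not from the report).
CHECKS = {
    "process_enum": [("CreateToolhelp32Snapshot", None), ("Process32NextW", None),
                     ("NtQuerySystemInformation", "SystemProcessInformation")],
    "wallpaper_query": [("SystemParametersInfoW", "SPI_GETDESKWALLPAPER"),
                        ("RegQueryValueExW", "Control Panel\\Desktop")],
    "username_query": [("GetUserNameW", None), ("GetEnvironmentVariableW", "USERNAME")],
}
# Reported for context only; MessageBoxW by itself is far too common to be an indicator.
ALERT_APIS = {"MessageBoxW": "user32 MessageBoxW (Rhadamanthys-style)",
              "NtRaiseHardError": "raw NtRaiseHardError (Lumma-style)"}
EARLY_WINDOW = 25  # all three checks must land within this many calls of the process


def parse_trace(text: str):
    """Yield (seq, pid, api, args) tuples; lines that do not match are skipped."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["seq"]), int(m["pid"]), m["api"], m["args"] or ""


def analyze(text: str) -> dict:
    """Per-pid verdict: suspicious when the process, wallpaper and username checks
    all occur early in execution, a combination benign software rarely shows."""
    state = defaultdict(lambda: {"calls": 0, "hits": {}, "alert": None})
    for _seq, pid, api, args in parse_trace(text):
        st = state[pid]
        st["calls"] += 1
        for check, sigs in CHECKS.items():
            if check in st["hits"]:
                continue
            if any(api == a and (arg is None or arg in args) for a, arg in sigs):
                st["hits"][check] = st["calls"]  # call index at which the check appeared
        if api in ALERT_APIS and st["alert"] is None:
            st["alert"] = ALERT_APIS[api]
    verdicts = {}
    for pid, st in state.items():
        complete = set(st["hits"]) == set(CHECKS)
        verdicts[pid] = {
            "suspicious": complete and max(st["hits"].values()) <= EARLY_WINDOW,
            "checks": sorted(st["hits"]),
            "alert_box": st["alert"],
        }
    return verdicts


# Constructed sample: pid 4120 behaves like the stealer, pid 880 like an installer.
SAMPLE_TRACE = """
1 pid=4120 api=GetModuleHandleW name=kernel32.dll
2 pid=4120 api=CreateToolhelp32Snapshot flags=TH32CS_SNAPPROCESS
3 pid=4120 api=Process32NextW name=explorer.exe
4 pid=4120 api=Process32NextW name=vboxservice.exe
5 pid=4120 api=SystemParametersInfoW uiAction=SPI_GETDESKWALLPAPER
6 pid=4120 api=GetUserNameW
7 pid=4120 api=MessageBoxW caption=Error text=Unable to open file
8 pid=4120 api=CreateFileW path=C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
9 pid=880 api=GetUserNameW
10 pid=880 api=RegQueryValueExW key=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion value=ProductName
11 pid=880 api=MessageBoxW caption=Setup text=Installation complete
"""

if __name__ == "__main__":
    for pid, verdict in analyze(SAMPLE_TRACE).items():
        print(pid, verdict)
```

The early-window constraint is what keeps the rule quiet on benign software: system-information utilities also enumerate processes and read the username, but they do not do all three checks in their first few dozen calls and then move on to browser credential stores. Tune `EARLY_WINDOW` to the call density of the sandbox you actually run.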
## Mitigation Strategies
- Prevention: Strict egress filtering to limit command-and-control and exfiltration paths, together with inspection of downloaded image files (PNG) for appended or embedded data, since secondary payloads arrive hidden inside images rather than as plain executables.
- Hardening recommendations: Deploy endpoint detection and response (EDR) with visibility into the sequence of API calls and process activity, so that the early process enumeration, wallpaper and username lookups, and subsequent access to browser credential stores can be correlated; a `MessageBoxW` call on its own is not worth alerting on. Keep browsers and other targeted software patched, but note that the stealer reads stored credentials rather than exploiting a browser vulnerability, so patching alone does not stop it: pair it with multi-factor authentication and prompt revocation of sessions and tokens after a suspected infection.
## Related Tools/Techniques
- Lumma Stealer (Used for comparison regarding artifact protection implementation).
- Vidar Stealer
- StealC
- Acreed Stealer
- Information Stealer MaaS Ecosystem