SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims

An ongoing phishing campaign is employing copyright infringement-related themes to trick victims into downloading a newer version of the Rhadamanthys information stealer since July 2024.

Cybersecurity firm Check Point is tracking the large-scale campaign under the name CopyRh(ight)adamantys. Targeted regions include the United States, Europe, East Asia, and South America.

“The campaign impersonates dozens of companies, while each email is sent to a specific targeted entity from a different Gmail account, adapting the impersonated company and the language per targeted entity,” the company said in a technical analysis. “Almost 70% of the impersonated companies are from the Entertainment /Media and Technology/Software sectors.”

The attacks are notable for the deployment of version 0.7 of the Rhadamanthys stealer, which, as detailed by Recorded Future’s Insikt Group early last month, incorporates artificial intelligence (AI) for optical character recognition (OCR).

The Israeli company said the activity overlaps with a campaign that Cisco Talos disclosed last week as targeting Facebook business and advertising account users in Taiwan to deliver Lumma or Rhadamanthys stealer malware.

The attack chains are characterized by the use of spear-phishing tactics that entail sending email messages claiming purported copyright violations by masquerading as well-known companies.

These emails are sent from Gmail accounts and claim to be from legal representatives of the impersonated companies. The contents of the message accuse the recipients of misusing their brand on social media platforms and request them to remove the concerned images and videos.

“The removal instructions are said to be in a password-protected file. However, the attached file is a download link to appspot.com, linked to the Gmail account, which redirects the user to Dropbox or Discord to download a password-protected archive (with the password provided in the email),” Check Point said.

The RAR archive contains three components, a legitimate executable vulnerable to DLL side-loading, the malicious DLL containing the stealer payload, and a decoy document. Once the binary is run, it sideloads the DLL file, which then paves the way for the deployment of Rhadamanthys.

Check Point, which attributed the campaign to a likely cybercrime group, said that it’s possible the threat actors have utilized AI tools given the scale of the campaign and the variety of the lures and sender emails.

“The campaign’s widespread and indiscriminate targeting of organizations across multiple regions suggests it was orchestrated by a financially motivated cybercrime group rather than a nation-state actor,” it said. “Its global reach, automated phishing tactics, and diverse lures demonstrate how attackers continuously evolve to improve their success rates.”

New SteelFox Malware Exploits Vulnerable Driver

The findings come as Kaspersky shed light on a new “full-featured crimeware bundle” dubbed SteelFox that’s propagated via forums posts, torrent trackers, and blogs, passing off as legitimate utilities like Foxit PDF Editor, JetBrains, and AutoCAD.

The campaign, dating back to February 2023, has claimed victims across the world, particularly those located in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. It has not been attributed to any known threat actor or group.

“Delivered via sophisticated execution chains including shellcoding, this threat abuses Windows services and drivers,” security researcher Kirill Korchemny said. “It also uses stealer malware to extract the victim’s credit card data as well as details about the infected device.”

The starting point is a dropper app that impersonates cracked versions of popular software, which, when executed, asks for administrator access and drops a next-stage loader that, in turn, establishes persistence and launches the SteelFox DLL.

The admin access is subsequently abused to create a service that runs an older version of WinRing0.sys, a hardware access library for Windows that’s vulnerable to CVE-2020-14979 and CVE-2021-41285, thereby allowing the threat actor to obtain NT\SYSTEM privileges.

“This driver is also a component of the XMRig miner, so it is utilized for mining purposes,” Korchemny noted. “After initializing the driver, the sample launches the miner. This represents a modified executable of XMRig with junk code fillers. It connects to a mining pool with hardcoded credentials.”

The miner, for its part, is downloaded from a GitHub repository, with the malware also initiating contact with a remote server over TLS version 1.3 to exfiltrate sensitive data from web browsers, such as cookies, credit card data, browsing history, and visited places, system metadata, installed software, and timezone, among others.

“Highly sophisticated usage of modern C++ combined with external libraries grant this malware formidable power,” Kaspersky said. “Usage of TLSv1.3 and SSL pinning ensures secure communication and harvesting of sensitive data.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.