Malware Campaign Targeting Oil & Gas Sector

The MaaS being used was updated to provide customizations that allow threat actors to exploit additional vulnerabilities.

Online Safety And Security

Leading email defense and security solution provider Cofense Intelligence recently published an alert detailing the Malware-as-a-Service data theft threat Rhadamanthys Stealer. According to the company and their report, the campaign is utilizing phishing emails targeted specifically at the oil and gas industry. Their findings follow, with additional information available here.

Based on a report by Cyberint, this malware family recently received a major update on the black market. Tactics include a high volume of phishing emails that employ tactics, techniques, and procedures known to assist in bypassing secure email gateways to deliver the malware.

The campaign starts with a phishing email using a vehicle incident report to lure victims into interacting with an embedded link that abuses an open redirect on a legitimate domain, primarily Google Maps or Google Images. Users are then redirected several times before finally reaching an interactive PDF file hosted on a recently registered domain docptypefinder[.]info.

The PDF is a clickable image which reaches out to a GitHub repository and downloads a ZIP archive that contains a Rhadamanthys Stealer executable. Once a victim attempts to interact with the executable, the malware will unpack and start a connection with a command and control (C2) location that collects any stolen credentials, cryptocurrency wallets, or other sensitive information.

Rhadamanthys Stealer is an uncommon, but very advanced MaaS option that first appeared in 2022 and is written in the C++ programming language. The primary use is for threat actors to steal device information, document files, cryptocurrency wallets, and credentials stored in various applications and browsers. Based on the report by Cyberint the malware recently received a major update to 5.0, giving threat actors who purchase the service a more customizable experience, and allowing additional measures to counter security and exploit vulnerabilities. 

We recently sat down with the author of the alert, Dylan Duncan, Cyber Threat Intelligence Analyst at Cofense, to get more details on the phishing/malware attack. His responses are below.

Jeff Reinke, editorial director: Is the phishing and malware tied to extortion/ransomware campaigns or are they simply looking to steal or corrupt data? Is there any evidence that the hack is tied to a DDoS campaign? 

Dylan Duncan, Cofense: Rhadamanthys Stealer has been associated with ransomware delivery in the past. At this moment, it is too early to know if the goal of this campaign is to employ additional attack vectors since these are often delivered days or even weeks after a successful infection goes unnoticed. 

JR: Do we know why oil and gas was specifically targeted at this time? 

DD: At this point it is difficult to identify why the oil and gas was specifically targeted. This might become more apparent as the campaign evolves over time. 

JR: Do the hackers have nation-state affiliations? 

DD: We are not assigning attribution at this time. Rhadamanthys Stealer is a Malware-as-a-Service, meaning any threat actor or group can access the malicious software if they are willing to pay for it. 

JR: Are there any early takeaways that the industry can use in better defending its systems against such an attack? 

DD: The threat actors are utilizing several tactics, techniques, and procedures (TTPs) known to aid in bypassing email security infrastructure, which means these emails are currently reaching intended targets. The difficulty in detecting this campaign is that it starts with a link embedded in the email hosted on a legitimate and trusted domain, primarily Google Images or Google Maps. That link then goes through multiple redirects before finally reaching a clickable PDF file that targets must interact with for the malicious files to be downloaded. 

The key here is that the downloaded file is a ZIP archive that contains an obviously malicious executable. This file should fail any checks for malicious content, meaning an organization with several layers of email security ideally should be able to either track through the redirects or flag any downloads of the file from employees. At the very least, this infection chain, with the addition of a downloaded executable should come off as suspicious. 

JR: What advice would you offer in implementing response plans for this or similar types of attacks? 

DD: For a response plan, Rhadamanthys Stealer should be treated like most other advanced malware attacks. If a successful infection were to happen, understanding the malware’s capabilities will help in identifying areas that may have been compromised, the data that is at risk of being stolen, and any additional impacts it might have on the system and network. 

More in Cybersecurity