Beware! New Infostealer Malware Spreading Through Google Ads

Cyble Research & Intelligence Labs (CRIL) discovered a brand-new malware variant called “Rhadamanthys Stealer.” This malware stealer variation is now in use and the threat actors who created it are offering it for sale via the Malware as a Service (MaaS) business model.

The Rhadamanthys stealer spreads by tricking users into visiting phishing websites that look like popular programmes like Zoom, AnyDesk, Notepad++, Bluestacks, etc. It can propagate through spam emails that include an attachment that contains the harmful payload. 

Further, fake Google Ads are used in this campaign that aimed at consumers trying to download popular software.

Rhadamanthys Stealer Delivered Via a Spam Email

Spam emails with the PDF attachment “Statement.pdf” are the origin of the Rhadamanthys stealer malware.

Spam Email with PDF Attachment

When opening the spam email’s attachment, a message identifies it as an “Adobe Acrobat DC Updater” and provides a “Download Update” download link.

PDF document with a download link

When a user clicks the “Download Update” link, it downloads malware executable from the specified URL. Upon execution, it runs the stealer and allows it to steal sensitive information from the victim’s machine.

Process tree of spam email downloads Stealer

Malware Distribution Using Google Ads

In order to deceive visitors into installing the stealer malware, which engages in criminal actions, the TAs behind this campaign also constructed a highly convincing phishing webpage impersonating trustworthy websites. Google advertisements are used to promote the link to these phishing websites.

Phishing Domains Created To Spread This Malware:

  • bluestacks-install[.]com
  • zoomus-install[.]com
  • install-zoom[.]com
  • install-anydesk[.]com
  • install-anydeslk[.]com
  • zoom-meetings-install[.]com
  • zoom-meetings-download[.]com
  • anydleslk-download[.]com
  • zoomvideo-install[.]com
  • zoom-video-install[.]com
  • istaller-zoom[.]com
  • noteepad.hasankahrimanoglu[.]com[.]tr

The phishing websites also download an installer file that seems to be a genuine installer for the corresponding software. The stealer malware is secretly installed along with the appropriate application without the user’s awareness.

Process tree of malicious AnyDesk installing Stealer

“We observed that a steganography image was downloaded from the remote server. We suspect the shellcode decrypts the steganography image to get the actual Rhadamanthys payload”, CRIL.

By running a series of Windows Management Instrumentation (WMI) queries, the Rhadamanthys stealer now begins gathering system data. The data gathered comprises the name of the computer, the user name, the OS version, the RAM and CPU information, the HWID, the time zone, the user and keyboard language, etc.

The malware searches for browser-related files including browsing histories, bookmarks, cookies, auto-fills, login credentials, etc. in the folders of the installed browsers on the victim’s computer.

 “It targets different browsers such as Brave, Edge, Chrome, Firefox, Opera Software, Sleipnir5, Pale Moon, CocCoc, etc”, CRIL

Researchers say the stealer malware is also made to target different crypto wallets and gather data from them. 

The stealer also targets various applications such as FTP clients (CoreFTP, WinSCP), email clients (Foxmail, Thunderbird, Outlook, TrulyMail, GmailNotifierPro), File managers (Total commanders), password managers (RoboForm, KeePass), VPN services (NordVPN, ProtonVPN, Windscribe VPN, OpenVPN), messaging applications (Tox, Discord, Telegram) and others.

“It is crucial for users to exercise caution when receiving spam emails or to visit phishing websites and to verify the source before downloading any applications”, concludes the researchers.

Network Security Checklist – Download Free E-Book

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

New Satanstealer Malware Steals Browser Cookies and Passwords

A new malware named "Satanstealer" has been identified, targeting browser cookies and passwords. The discovery…

23 mins ago

Microsoft Unveils Ways To Detect Compromised Devices In Your Organization

Microsoft has announced a new way to spot potentially hacked machines in your organization.  Analysts…

36 mins ago

New ScriptBlock Smuggling Attack Let Ackers Bypass PowerShell Security Logs And AMSI

Ever since the introduction of PowerShell v5, there have been less usage of the application…

53 mins ago

Hackers Leveraging New Social Engineering To Run PowerShell And Install Malware

Hackers use social engineering as it focuses on the psychological rather than technological aspects of…

3 hours ago

Hackers Attacking Hotel Owners & Employees as Potential Guests

Since last summer, hotel owners and employees have grappled with a surge in malicious e-mails…

3 hours ago

New OPIX Ransomware Encrypting Files With Random Character String

A recently identified ransomware variant dubbed OPIX encrypts user files using a random character string…

4 hours ago