Rhadamanthys Stealer Using Weaponized PDF Files To Attack Oil And Gas Sector

Attackers use weaponized PDF files because malicious code or scripts can be embedded in a widely used and trusted document format that security controls often fail to flag.

If a user opens such a document, it may drop malware payloads, steal sensitive data, or execute arbitrary code on the infected device.

For attackers, PDFs are a convenient entry point into targeted systems because they are exchanged routinely and rarely arouse suspicion. Cybersecurity researchers at Cofense recently discovered a malicious campaign in which the Rhadamanthys stealer has been actively delivered through weaponized PDF files to attack the oil and gas sector.


Rhadamanthys Stealer Via Weaponized PDF

The campaign focused mainly on the Oil & Gas sector but could be retargeted at other sectors.

It achieved an alarmingly high email delivery rate by combining TTPs such as trusted domains, redirects, and clickable images to evade email security.

During the infection chain, a malicious PDF was used to deliver the Rhadamanthys Stealer executable.

Infection chain (Source – Cofense)

Campaign emails were crafted around a vehicle incident theme, with embedded links that abused an open redirect vulnerability on legitimate Google domains to redirect victims.

The link led to a URL shortener that obscured the final destination: a malicious PDF hosted on a newly registered domain.

The clickable PDF spoofed the Federal Bureau of Transportation and prompted the download of a malicious ZIP containing the Rhadamanthys Stealer executable. Once running, the malware connected to its C2 server to exfiltrate stolen data.
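The redirect chain described above (trusted domain with an open redirect, then a URL shortener, then the hosting domain) is something a mail gateway or SOC script can flag before a user clicks. The following is an added example, not code from Cofense or from the article; the redirect parameter names, the shortener host list and the sample links are assumptions and constructed placeholders, not indicators from the campaign.

```python
# Added example: flag email links that fit the open-redirect -> URL-shortener
# pattern. Parameter names, shortener list and sample URLs are assumptions.
from urllib.parse import urlparse, parse_qs, unquote

TRUSTED_REDIRECTORS = {"google.com", "www.google.com"}   # assumed trusted domains
REDIRECT_PARAMS = ("q", "url", "u", "redirect", "target")  # common redirect params (assumption)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}           # illustrative shortener hosts


def extract_redirect_target(url: str):
    """Return the off-domain host hidden in a redirect parameter, or None."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host not in TRUSTED_REDIRECTORS:
        return None
    params = parse_qs(parsed.query)  # parse_qs already percent-decodes values
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            target = urlparse(unquote(value))
            if target.scheme in ("http", "https") and target.netloc \
                    and target.netloc.lower() not in TRUSTED_REDIRECTORS:
                return target.netloc.lower()
    return None


def classify_link(url: str) -> list[str]:
    """Return the indicators found for one link (empty list when clean)."""
    findings = []
    host = urlparse(url).netloc.lower()
    target = extract_redirect_target(url)
    if target:
        findings.append(f"open-redirect:{host}->{target}")
        host = target  # follow the chain with the real destination host
    if host in SHORTENERS:
        findings.append(f"url-shortener:{host}")
    return findings


# Constructed sample links (placeholders, not real IoCs from the campaign).
SAMPLE_LINKS = [
    "https://www.google.com/url?q=https%3A%2F%2Fbit.ly%2Fexample-path",
    "https://www.google.com/search?q=vehicle+incident",
    "https://intranet.example.com/hr/policy.pdf",
]


def scan_email_links(links=SAMPLE_LINKS) -> dict[str, list[str]]:
    """Map each suspicious link to its indicators; clean links are omitted."""
    return {u: f for u in links if (f := classify_link(u))}


if __name__ == "__main__":
    for link, findings in scan_email_links().items():
        print(link, findings)
```

Only the first constructed link is reported, with both the open-redirect and shortener indicators; a plain Google search link and an internal PDF link pass.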

Vehicle incident-themed phishing email delivering Rhadamanthys Stealer (Source – Cofense)

Threat actors use vehicle incidents as phishing lures, crafting emails designed to provoke an emotional response.

Each email differs, but all amount to employer notifications of a car accident, written to deceive.

The general theme persists despite the variations.

The word cloud of subject lines highlights key phrases and emotional words such as "urgent" and "important." The phishing threat intensifies significantly when familiar tactics are combined with socially engineered lures.

The emails carried randomly generated subjects related to vehicle incidents, possibly produced with AI for phrasing variety, and abused Google open redirects to lend false legitimacy that fit the vehicle theme.

The chain eventually led to a convincing malicious PDF image that appeared to come from the Federal Bureau of Transportation regarding the vehicle incident and a fine, exploiting the victim's distress.

Multilayered redirection and hosting tactics were used in an attempt to bypass security controls.

Phishing Email Subjects

The phishing email subjects observed in the campaign were:

  • Urgent: Review Information Approximately Your Car Accident
  • Attention Needed: Your Vehicle’s Collision
  • Incident Implicating Your Car: Insistent Care Required
  • Notification: Incident Involving Your Vehicle
  • Your Automobile Incident: Urgent Legal action Needed

The campaign's sophisticated social engineering and evasive TTPs were aimed at delivering Rhadamanthys Stealer, an uncommon but advanced C++ infostealer offered as malware-as-a-service (MaaS) that targets credentials, sensitive data, and cryptocurrency wallets.

On infection, the malware connects to a unique C2 URL. Rhadamanthys' sudden rise in use shortly after it received major updates enhancing its capabilities likely motivated threat actors, given the short timeframe involved.

High pricing suggests access is limited to skilled threat actors.

Rhadamanthys Stealer logo and pricing (Source – Cofense)

The Rhadamanthys Stealer campaign emerged shortly after law enforcement's takedown of the prolific LockBit Ransomware-as-a-Service (RaaS) group, which likely affected threat actors who had previously relied on LockBit's services.

The timing, together with the similarities between the RaaS and infostealer MaaS models, suggests that these threat actors transitioned to Rhadamanthys as an alternative.

Tushar Subhra Dutta