Carding Forum
Professional
How phishing emails in Hebrew are disguised as well-known media outlets.
In the world of cyberthreats, a new malware campaign has appeared, targeting users from Israel, using the advanced RHADAMANTHYS virus. This virus poses a serious threat to organizations and ordinary users, demonstrating sophisticated infection methods and powerful data theft capabilities.
RHADAMANTHYS first appeared at the end of 2023 and began to spread rapidly in closed cybercrime forums using the MaaS (malware as a service) model. The name of the virus is associated with the mythological character Rhadamanthus, the judge of the dead, which emphasizes its ability to collect data.
The attack begins with an elaborate phishing email in Hebrew. The message, disguised as the well-known Israeli media "Calcalist" and "Mako", contains an urgent notice of copyright infringement. The email is written in professional language that mimics business correspondence and calls for action within 24 hours. The attachment contains a RAR archive disguised as important legal documents.
After unpacking the archive, the potential victim sees three components at once: an executable file with the name in Hebrew, a DLL file "msimg32.dll", as well as a certain auxiliary file of 142.8 MB.
After opening the executable file, a multi-stage infection process begins. The virus checks for the presence of analysis tools in the system and uses methods to bypass them. It then injects its code into legitimate Windows processes; among those reviewed by the researchers, the affected processes were "OpenWith.exe", "OOBE-Maintenance.exe" and "dllhost.exe".
The malware immediately detects VMs and debuggers, using time delays to bypass sandboxes. It also makes changes to the Windows registry to run on every system startup.
Malicious features of RHADAMANTHYS include collecting passwords, cryptocurrency wallet data, system information, office documents, screenshots, and keystrokes.
RHADAMANTHYS uses encrypted communication channels to interact with command servers. The main server in the considered campaign was located at the IP address 103.68.109.208, using ports 443 and 1630.
To protect against RHADAMANTHYS, it is recommended to install reliable email filters, sandboxes for analyzing attachments, conduct regular training of employees on phishing issues, use modern solutions to protect endpoints, limit the ability to move within the network, regularly back up data, install all updates and patches, and use multi-factor authentication.
The arrival of RHADAMANTHYS highlights the growing professionalism in the cybercrime ecosystem and the need for constant vigilance. The virus poses a serious threat, demonstrating sophisticated methods of data theft and circumventing security mechanisms.
Source
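As an added defender-side example (not part of the post or the researchers' tooling), the script below matches constructed endpoint telemetry against the indicators the post names: the C2 address 103.68.109.208 on ports 443 and 1630, and the three Windows processes the malware was seen injecting into. The JSON event shape, file paths and non-C2 addresses are all made up for the example.

```python
"""Added detection example: match constructed telemetry against the RHADAMANTHYS indicators the post names."""
import json
from typing import Optional

# Indicators taken from the post: C2 server/ports and the processes seen injected.
C2_IP = "103.68.109.208"
C2_PORTS = {443, 1630}
INJECTION_HOSTS = {"openwith.exe", "oobe-maintenance.exe", "dllhost.exe"}

def classify_event(event: dict) -> Optional[str]:
    """Return an alert label for one telemetry event, or None if nothing matched.
    Event shape is constructed for this example (not a real product schema):
      {"type": "network", "image": "<path>", "dst_ip": "<ip>", "dst_port": <int>}"""
    if event.get("type") != "network":
        return None
    image = str(event.get("image", "")).rsplit("\\", 1)[-1].lower()
    to_c2 = event.get("dst_ip") == C2_IP and event.get("dst_port") in C2_PORTS
    if to_c2 and image in INJECTION_HOSTS:
        return "high: C2 contact from a process RHADAMANTHYS injects into"
    if to_c2:
        return "high: C2 contact"
    if image in INJECTION_HOSTS:
        # Heuristic, not an IOC: these Windows binaries seldom need outbound
        # traffic, so a connection from them is worth an analyst's look.
        return "medium: outbound connection from injection-host process"
    return None

def scan(lines) -> list:
    """Parse JSON-lines telemetry; return (line_no, label) for each alert."""
    alerts = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the scan
        label = classify_event(event)
        if label:
            alerts.append((n, label))
    return alerts

# Constructed sample telemetry (paths and non-C2 addresses are made up).
SAMPLE_LOG = r"""{"type": "network", "image": "C:\\Windows\\System32\\dllhost.exe", "dst_ip": "103.68.109.208", "dst_port": 1630}
{"type": "network", "image": "C:\\Program Files\\Browser\\browser.exe", "dst_ip": "203.0.113.10", "dst_port": 443}
{"type": "network", "image": "C:\\Windows\\System32\\OpenWith.exe", "dst_ip": "198.51.100.7", "dst_port": 8080}
not valid json {
{"type": "network", "image": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "103.68.109.208", "dst_port": 443}
"""
```

Running `scan(SAMPLE_LOG.splitlines())` flags lines 1, 3 and 5 and silently skips the malformed line 4.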