Rhadamanthys Stealer Using Weaponized PDF Files To Attack Oil And Gas Sector
Attackers use weaponized PDF files because the format is widely trusted and can carry malicious code or scripts that security controls often fail to detect.
If a user opens such a document, it may drop malware payloads, steal sensitive data, or execute arbitrary code on the infected device.
Because PDFs are routine business files, they give attackers a convenient way into targeted systems. Cybersecurity researchers at Cofense recently discovered a malicious campaign in which the Rhadamanthys stealer has been actively using weaponized PDF files to attack the oil and gas sector.
Rhadamanthys Stealer Via Weaponized PDF
The campaign mainly focused on the oil and gas sector but could shift to other sectors.
It achieved an alarming rate of email delivery by combining TTPs such as trusted domains, redirects, and clickable images to evade email security.
The Rhadamanthys Stealer malware executable was used to download a malicious PDF during the infection chain.
Campaign emails were crafted around a vehicle incident theme, with embedded links abusing an open redirect vulnerability on legitimate Google domains to redirect victims.
The link led to a URL shortener that obscured the final destination: a malicious PDF file hosted on a newly registered domain.
The clickable PDF spoofed the Federal Bureau of Transportation and prompted the download of a malicious ZIP containing the Rhadamanthys Stealer executable. Once running, the malware connected to its C2 server to exfiltrate stolen data.
Threat actors use vehicle incidents as phishing lures, crafting emails that appeal to the recipient's emotions.
Every email is different, but each amounts to a notification from the employer about a car accident, written to deceive; the general theme persists across the variations.
The word cloud of the emails shows key phrases and emotional words such as “urgent” and “important.” The phishing threat intensifies significantly when familiar tactics are combined with socially engineered bait.
Emails had randomly generated subjects related to vehicle incidents, possibly using AI for phrasing variety, and abused Google open redirects to lend false legitimacy that fit the vehicle theme.
They eventually led to a convincing malicious PDF image appearing to be from the Federal Bureau of Transportation regarding the vehicle incident and fine, taking advantage of the victim's distress.
Multilayered redirection and hosting tactics attempted to bypass security controls.
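An added defender-side check (example code, not from the article or the Cofense report) that walks the links in an email body and flags those routed through a Google /url open redirect to a destination outside Google, the redirect technique the campaign relied on. It assumes the widely documented google.com/url?q=<target> shape and uses a constructed sample body with a placeholder destination host.

```python
# Added example, not from the article or Cofense: flag email links that go
# through a Google open-redirect URL (google.com/url?q=<target>, the widely
# documented shape) to a destination outside Google. Sample body is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class LinkExtractor(HTMLParser):
    """Collects every href from <a> tags in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def redirect_target(url):
    """Destination of a Google /url redirect, or None if url is not one."""
    p = urlparse(url)
    if p.netloc.lower() in ("google.com", "www.google.com") and p.path == "/url":
        qs = parse_qs(p.query)
        for key in ("q", "url"):  # check either parameter name
            if key in qs:
                return qs[key][0]
    return None


def flag_open_redirects(html_body):
    """Return (link, destination) pairs where the redirect leaves Google."""
    parser = LinkExtractor()
    parser.feed(html_body)
    flagged = []
    for link in parser.links:
        target = redirect_target(link)
        if target is None:
            continue
        host = urlparse(target).netloc.lower()
        if host and host != "google.com" and not host.endswith(".google.com"):
            flagged.append((link, target))
    return flagged


# Constructed sample: a plain Google link, a redirect that stays on Google,
# and a redirect behind a clickable image that leaves for a placeholder host.
SAMPLE_EMAIL = """<p>Notification: Incident Involving Your Vehicle</p>
<a href="https://www.google.com/search?q=vehicle+incident">search</a>
<a href="https://www.google.com/url?q=https://docs.google.com/d/1">doc</a>
<a href="https://www.google.com/url?q=https://shortener.example/abc"><img src="x.png"></a>"""
```

Running flag_open_redirects(SAMPLE_EMAIL) flags only the third link; a mail gateway rule can apply the same logic before delivery, with the shortener destination then resolved and checked against domain age.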
Phishing Email Subjects
The phishing email subjects observed in the campaign were:
Urgent: Review Information Approximately Your Car Accident
Attention Needed: Your Vehicle’s Collision
Incident Implicating Your Car: Insistent Care Required
Notification: Incident Involving Your Vehicle
Your Automobile Incident: Urgent Legal action Needed
The campaign’s sophisticated social engineering and evasive TTPs aimed to deliver Rhadamanthys Stealer, an uncommon but advanced C++ infostealer offered as malware-as-a-service (MaaS) that targets credentials, sensitive data, and cryptocurrencies.
The malware connects to a unique C2 URL upon infection. Rhadamanthys’ sudden prominence shortly after major updates enhanced its capabilities likely motivated threat actors, given the short timeframe.
Its high pricing suggests access is limited to well-resourced, skilled threat actors.
The Rhadamanthys Stealer campaign emerged shortly after law enforcement’s takedown of the prolific LockBit Ransomware-as-a-Service (RaaS) group, which likely affected threat actors who previously relied on LockBit’s services.
The timing, and the similarities between the RaaS and infostealer MaaS models, suggest those threat actors transitioned to Rhadamanthys as an alternative.
The post Rhadamanthys Stealer Using Weaponized PDF Files To Attack Oil And Gas Sector appeared first on Cyber Security News.
US Offers $10 Million for Information on BlackCat Ransomware Leaders
The US announces a $10 million reward for information on key members of the Alphv/BlackCat ransomware group.
The post US Offers $10 Million for Information on BlackCat Ransomware Leaders appeared first on SecurityWeek.
Fake F5 BIG-IP zero-day warning emails push data wipers
The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers. […]
BleepingComputer