TA547 Phishing Campaign Uses Rhadamanthys Stealer In Evolving Phishing Attacks


VTA-004479 – TA547 Phishing Campaign Uses Rhadamanthys Stealer In Evolving Phishing Attacks

TA547, a financially motivated cybercriminal group, has targeted German organizations with a new information stealer called Rhadamanthys. The attack used invoice-themed phishing emails impersonating the German company Metro AG. The emails contained a password-protected ZIP archive that launched the Rhadamanthys stealer directly in memory when opened. Researchers suspect the PowerShell script used in the attack might have been generated by a large language model (LLM), because its comments are grammatically correct and unusually specific. This campaign highlights TA547's evolving tactics and the potential use of AI-generated content in malware attacks.

Phishing campaigns are also employing new tactics such as voice message lures and SVG image embedding to steal credentials. Agent Tesla malware is on the rise due to its affordability and data exfiltration capabilities. Social engineering campaigns are using malicious ads to trick users into downloading fake software installers that deploy information stealers and trojans. Experts recommend using group policies to restrict traffic from ad networks to protect endpoints from malicious ads.

Severity:
Medium

Attack Surfaces:
Email, Endpoint, Endpoint OS, File Storage, File Transfer, Messaging, Office 365

Tactics:
Credential Access, Discovery, Execution, Impact, Initial Access, Lateral Movement, Privilege Escalation, Reconnaissance

Technique:
T1566 – Phishing
T1496 – Resource Hijacking
T1055 – Process Injection
T1056 – Input Capture
T1218 – Signed Binary Proxy Execution
T1070 – Indicator Removal on Host
T1106 – Native API
T1497 – Virtualization/Sandbox Evasion

Indicator of Compromise:
https://otx.alienvault.com/pulse/66184124f472bbb045e39c34

References:
1. https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer

SuperPRO’s Threat Countermeasures Procedures: 
1. Train employees to identify phishing emails including common red flags.
2. Utilize robust spam filters to detect suspicious emails before they reach employee inboxes.
3. Enforce complex and unique passwords for all employee accounts and enable MFA.
4. Regularly update operating systems, software, and firmware to address security vulnerabilities that attackers might exploit.
5. Consider implementing group policies to restrict traffic from ad networks known to harbor malicious ads.
6. Implement network segmentation to isolate critical and sensitive data from the public network.
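As an added example (not code from this advisory or from Proofpoint's report), the following Python script shows the attachment check behind countermeasure 2 for the lure described in the summary: it parses an email, locates ZIP attachments, and flags archive members whose ZIP general-purpose flag bit 0 marks them as password-protected, since a mail filter cannot content-scan such members and must decide on metadata. The sender, subject, archive and inner file name are constructed sample values, and the script-like extension list is an assumption.

```python
import io
import struct
import zipfile
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Member names that commonly carry a first-stage loader (assumed list, not from the advisory).
SCRIPT_LIKE = ('.ps1', '.lnk', '.js', '.vbs', '.bat', '.cmd', '.hta')

def build_encrypted_zip(name: bytes, payload: bytes) -> bytes:
    """Hand-build a one-entry STORED ZIP with flag bit 0 (encrypted) set; payload is a placeholder."""
    flags, crc, n = 0x0001, zlib.crc32(payload), len(payload)
    local = struct.pack('<IHHHHHIIIHH', 0x04034B50, 20, flags, 0, 0, 0,
                        crc, n, n, len(name), 0) + name + payload
    central = struct.pack('<IHHHHHHIIIHHHHHII', 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack('<IHHHHIIH', 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd

def build_sample_eml() -> bytes:
    """Constructed invoice-themed message carrying a password-protected ZIP (sample data only)."""
    msg = EmailMessage()
    msg['From'] = 'billing@example.invalid'          # constructed sender
    msg['Subject'] = 'Rechnung 2024-0001'            # constructed invoice lure
    msg.set_content('Please find the invoice attached. Archive password: Invoice2024')
    msg.add_attachment(build_encrypted_zip(b'Rechnung.ps1', b'placeholder-bytes'),
                       maintype='application', subtype='zip', filename='Rechnung.zip')
    return msg.as_bytes()

def analyze_attachments(raw_eml: bytes) -> list[dict]:
    """One finding per ZIP member: encrypted members cannot be content-scanned, so decide on metadata."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ''
        data = part.get_payload(decode=True) or b''
        if not data.startswith(b'PK\x03\x04'):     # check magic bytes, not only the extension
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                findings.append({'attachment': fname, 'member': info.filename,
                                 'encrypted': bool(info.flag_bits & 0x1),
                                 'script_like': info.filename.lower().endswith(SCRIPT_LIKE)})
    return findings

def should_quarantine(findings: list[dict]) -> bool:
    """Hold any mail whose archive hides a script-like member behind a password."""
    return any(f['encrypted'] and f['script_like'] for f in findings)
```

Calling `should_quarantine(analyze_attachments(build_sample_eml()))` on the constructed message returns `True`, because the archive member is both encrypted and script-like.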

Contributed by: Kai Sheng