Researchers have discovered that the latest version of the Rhadamanthys infostealer malware now integrates AI capabilities into its architecture to enhance its functionality. In its latest report, Insikt Group, the threat research division of Recorded Future, profiles the advancements of Rhadamanthys infostealer v0.7.0.
Initially identified in 2022, the advanced information stealer (infostealer) targets entities in the former USSR, including Russia, and is increasingly targeting North and South America. It primarily focuses on cryptocurrency wallets.
Like other infostealers, Rhadamanthys breaches systems to steal sensitive information, such as user credentials, financial data, and other personally identifiable information. It also operates as Malware-as-a-Service (MaaS), with a normal tier priced at $250 for 30 days or $550 for 90 days, and a VIP license available for $300 for 30 days or $750 for 90 days.
Rhadamanthys’ latest strain features new advanced capabilities such as evasion through Microsoft Installers (MSI), which allows attackers to disguise the malware as legitimate software. However, the defining feature of this version is in the exfiltration stage, which incorporates an AI-powered image recognition technology known as Optical Character Recognition (OCR).
Optical Character Recognition (OCR) is an Artificial Intelligence technology that enables machines to read and extract text from images or scanned documents. It works by analysing visual input, detecting text characters within it, and converting them into a machine-readable format.
Rhadamanthys uses this AI-powered OCR to extract cryptocurrency seed phrases from images stored on compromised systems.
A seed phrase is a set of randomly generated words that are used to recover access to a cryptocurrency wallet. These phrases act as a backup for the wallet’s private keys. Private keys are usually required to access and control cryptocurrency accounts. However, if the user loses access to their device or account, the seed phrase serves as the recovery code for the wallet.
[Image: example of a seed phrase. Credit: locker.io]
Many users store these seed phrases in image formats like screenshots, thinking it is a safer alternative to storing them as plain text.
By leveraging OCR, the infostealer can scan these images for seed phrases and convert the text within the images into a readable format. Once the algorithm extracts the plaintext, it is exfiltrated to the attackers’ dedicated Command and Control (C2) server.
Despite the malware’s developer, identified as “kingcrete2022,” facing bans on some underground forums for allegedly targeting Russian entities, the malware continues to be advertised on private messaging platforms like TOX and Telegram.
To mitigate the activities of Rhadamanthys, Insikt Group recommends the following:
- Mutex-Based Kill Switch: By setting up known Rhadamanthys mutexes on non-infected machines, organizations can create a kill switch to stop the malware from running its stealers and extensions.
- Advanced Detection Rules: Insikt has developed detection rules using Sigma, Snort, and YARA to help identify Rhadamanthys activity, giving security teams a better chance to respond.
- Endpoint Protection: Implementing Endpoint Detection and Response (EDR) solutions, enforcing the principle of least privilege, and ensuring Multi-Factor Authentication (MFA) for sensitive systems will also help in protecting against this threat and minimizing the impact of stolen credentials.
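The mutex-based kill switch in the first recommendation is easy to misread, so here is an added example of what it looks like in practice on a Windows host. This script is not from the Insikt Group report or from Recorded Future; it is an illustration written for this article, and the mutex names in it are placeholders that must be replaced with the actual Rhadamanthys mutex names published in the report or observed in your own sandbox analysis. The mechanism relies on the malware checking for its own named mutex at start-up and exiting if the mutex already exists, which is the behaviour the report's recommendation describes.

```powershell
# Added example (not the report's or the malware author's code): a defender-side
# "mutex kill switch". Rhadamanthys, per the Insikt Group report, creates named
# mutexes and will not run its stealers and extensions if they already exist.
# Pre-creating those mutexes on a clean host therefore acts as a kill switch.
# The names below are PLACEHOLDERS; substitute the published Rhadamanthys mutexes.
$KnownMutexNames = @(
    'Global\REPLACE_WITH_KNOWN_RHADAMANTHYS_MUTEX_1',
    'Global\REPLACE_WITH_KNOWN_RHADAMANTHYS_MUTEX_2'
)

$held = @()
foreach ($name in $KnownMutexNames) {
    $createdNew = $false
    try {
        # initiallyOwned = $false: the object only needs to exist for the
        # malware's "already running" check to fire; we never acquire it.
        $mutex = [System.Threading.Mutex]::new($false, $name, [ref]$createdNew)
        if ($createdNew) {
            Write-Host "Created kill-switch mutex: $name"
        } else {
            # On a host that is supposed to be clean, a pre-existing mutex with
            # a known malware name is itself a finding worth investigating.
            Write-Warning "Mutex '$name' already exists - check this host for an active infection"
        }
        $held += $mutex
    } catch [System.UnauthorizedAccessException] {
        # Creating objects in the Global\ namespace generally requires
        # SeCreateGlobalPrivilege (administrators, services, LocalSystem).
        Write-Warning "Access denied creating '$name' - run elevated or as a service"
    }
}

if ($held.Count -eq 0) { exit 1 }

# A named mutex exists only while a handle to it is open, so this process must
# stay alive; run it as a logon scheduled task or wrap it in a service.
Write-Host "Holding $($held.Count) mutex(es); press Ctrl+C to release them."
while ($true) { Start-Sleep -Seconds 60 }
```

Two caveats when deploying this: the name and namespace must match exactly what the sample checks (a `Local\` mutex will not satisfy a `Global\` lookup, and vice versa), and the mutex has to exist before the malware first runs, so the script belongs at logon or in a service rather than in an on-demand tool. The "already exists" branch doubles as a cheap detection: log it to your SIEM alongside the Sigma, Snort and YARA rules from the second recommendation, and treat the kill switch as a stopgap that complements EDR, least privilege and MFA rather than replacing them.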
The improved infostealer reaffirms that AI is increasingly being used as a tool by adversaries. Rhadamanthys continues to evolve at a rapid pace, with the next version (0.8.0) already in development. This ongoing evolution suggests that new AI-based advanced features are likely to emerge in future versions. Therefore, it is important that cyber defenders stay vigilant and strengthen their capabilities to effectively combat these threats.