February 21, 2024
Analysis of Rhadamanthys Malware

In the final quarter of 2022, the infostealer malware, Rhadamanthys, was found. Given that it could target browser extensions and wallet clients installed on the victim’s computer, its capabilities demonstrated a particular interest in cryptocurrency wallets.

The primary means of distribution for this threat that have been noticed are phishing emails and phony software websites that are advertised through Google Ads, regardless of the vertical or region.

Although its distribution and information theft methods have been observed previously, its downloader component makes it stand out. It analyzes by conventional security methods extremely difficult by combining sophisticated anti-analysis techniques with heavy obfuscation.

With a staged execution that employs multiple anti-analysis techniques, the Rhadamanthys downloader is primarily written in C++. 

  • Obfuscator for virtual machines (VMs). 
  • strong VM and sandbox detection powers. both from the open-source program al-khaser and imported from it. 
  • bespoke file format using the embedded file system. 

The anti-analysis properties of Rhadamanthys have not gone unnoticed. The Quake 3 VM is the VM obfuscator that was employed, Zscaler investigators discovered. Moreover, the analysts connected those unique file formats to those employed by Hidden Bee, a cryptocurrency miner. CheckPoint recently released a thorough examination of the virtual filesystem’s internal operations.  

Shellcode Dancing: Examining Rhadamanthys Stealer

A recently developed C++ information-stealer is called Rhadamanthys. The malware has reportedly been active since late 2022, according to numerous reports.

To gain an early foothold, the malware also seems to pose as trustworthy programs, including AnyDesk installers and Google Ads.

When it comes to usage, the creators of the malware offer a variety of incentives on the dark web, including lifetime or monthly payments.

The authors also highlight the malware’s ability to execute other processes, including Powershell, and steal digital currency in addition to gathering system information.

I will examine the Rhadamanthys stealer in this post and reverse engineer every step of the process, from the malware itself to the initial dropper.

As usual, I’ll cover it in a combination of a slide show and a step-by-step tutorial, with an emphasis on the aspects that interest me the most (the ways the malware tries to evade detection)

The Dropper

Like many droppers, the Rhadamanthys’s dropper is a 32-bit file with a comparatively large entropy, suggesting that it may contain packed content.

The ability to check if the ASLR feature is enabled is one of PEstudio’s more recent additions. For tracking purposes, I always prefer to disable the ASLR in my analysis so that the addresses in XDBG and IDA are identical.

You can see if something is true (enabled) or false (disabled) under the “detail” column in PEstudio by selecting “optional-header” and then the ASLR bar.

Unpacking process: reaching the initial shellcode

A sizable embedded “blob” can be seen in the. data section of the dropper when we examine it in IDA. These blobs typically have the potential to contain data that will be decrypted at runtime.

The primary function responsible for encrypting the blob will then be function sub 408028. There are two intriguing functions in sub_408028:

  • sub_406A28: This function is in charge of giving back an address with the data that needs to be written.
  • sub_408528, a memcpy wrapper

The embedded blob will be written into the freshly formed heap during the initial iteration.

The shellcode will then be copied from the heap to the new memory using memcpy after a call to VirtualAlloc to create a newly allocated memory block. Lastly, the permission of the memory segment will be changed to RWX using a VirtualProtect API call.

Next, we’ll navigate to address 004065A1 in the WinMain function (keep in mind that ASLR is turned off to facilitate easy navigation in both IDA and the debugger).

We could observe that the value of the offset variable 42F6F0 is receiving the value of the shellcode, which is dynamically located in the EAX register.

Callback-based shellcode execution

Once we have shellcode with EXECUTE permission, we need a way to run it. The authors here have chosen a clever workaround in the form of a Callback function.

The shellcode will be executed as follows:

1. It is the function sub_405728 that calls the ImmEnumInputContext API call.

2. Function sub_407228, which is merely a wrapper for another function that jumps to the shellcode address, is received as a parameter by sub_405728.

3. In the end, ImmEnumInputContext will execute the shellcode after obtaining its address from its second argument, “lpfn.”

Amendment

  • Block every threat indicator at each control.
  • Utilize the security controls that apply to your environment to look for indicators of compromise (IOCs).
  • Always exercise caution when responding to emails from senders you are not familiar with.
  • “Links and attachments received from unknown sources/senders” should never be trusted or opened.
  • Ensure that all servers and computer networks are regularly backed up.

Finally, Rhadamanthys runs the shellcode loader for the main module, which decrypts the final layer of the module by generating an AES key from the public key and the configuration structure’s salt value. The LZSS algorithm is then used to decompress the decrypted output.

NOTE: The word “!HADES” should appear at the beginning of the anticipated decrypted output.

Note that Rhadamanthys’s process for generating the Elliptic Curve keys has a major flaw, even though the network communications are protected by a secure encryption algorithm. 

When it runs, it first calls the C function time to find out the compromised machine’s current epoch time. Then, it calls the srand function, passing the epoch time as a seed. Lastly, it calls the C function rand to produce the secret scalar value.

Therefore, if we have a network capture of the initial request to the server that contains the public key and the epoch time, we can brute-force the generated keys.

Leave a Reply

Your email address will not be published. Required fields are marked *