Threat actors favour fast-evolving, multi-layer malware because its layered design lets them rapidly adapt and change their code.
To make analysis and countermeasures more difficult, this type of malware often employs the following key techniques:
Cybersecurity researchers at Check Point recently analyzed Rhadamanthys, an information stealer that is sold on dark web black markets and frequently updated.
Rhadamanthys first gained attention through a September 2022 black market advertisement, and it is known for its rich feature set and polished design.
Although it has been largely rewritten, the 32-bit Windows PE initial loader of the new version still retains artifacts from the previous one.
The configuration and the additional modules are embedded in the initial executable, unpacked during execution, and passed on to the subsequent stages.
The .textbss section, which is initially empty, is filled at runtime with shellcode, as in previous versions; the shellcode now unpacks and loads the first module regardless of where it is located.
The second loading stage exposes a component in the custom XS1 format; the change was first noticed during initial triage, when an attempt was made to dump the strings.
In earlier versions, FLARE's FLOSS revealed hints about the modules through the dumped strings; the author now obfuscates those strings.
The new release introduces thread-local storage (TLS) for temporary buffers, in particular for decoding obfuscated strings.
The TLS slot is allocated in the init function of the XS module: the index returned by TlsAlloc is stored in a global variable, and a custom structure that holds the buffer allocation is attached to that slot.
The saved buffer is then retrieved each time data such as a string needs to be deobfuscated.
The string decryption function is passed in as a callback, and the buffer is cleared after use.
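The pattern described above, as an added example written for this page rather than code from Check Point's analysis or from the malware: a scratch buffer kept in thread-local storage, a global slot index set once at module init, a decoder handed to the buffer as a callback, and the buffer wiped after every use. The malware does this on Windows with TlsAlloc/TlsSetValue/TlsGetValue; the POSIX equivalents pthread_key_create/pthread_setspecific/pthread_getspecific stand in here so the example also builds on Linux. The single-byte XOR "cipher", the sample blob and all function names are assumptions, not the real algorithm or the malware's identifiers.

```c
/* Added example: TLS-backed scratch buffer used by a string-decoder callback.
 * POSIX TLS keys are used in place of the Windows TlsAlloc family. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCRATCH_SIZE 256

/* Custom structure attached to the TLS slot (the malware hangs a similar
 * structure off its TlsAlloc index). */
typedef struct {
    uint8_t buf[SCRATCH_SIZE];
    size_t  used;
} tls_scratch_t;

/* Global slot index, set once at module init (mirrors the stored TlsAlloc value). */
static pthread_key_t g_tls_key;
static int g_tls_ready = 0;

/* Decoder callback: reads `in`, writes into the scratch buffer `out`. */
typedef size_t (*decode_cb_t)(const uint8_t *in, size_t in_len,
                              uint8_t *out, size_t out_cap, void *ctx);

static void scratch_destroy(void *p) { free(p); }

/* Module init: allocate the TLS slot exactly once. */
int xs_init_tls(void) {
    if (g_tls_ready) return 0;
    if (pthread_key_create(&g_tls_key, scratch_destroy) != 0) return -1;
    g_tls_ready = 1;
    return 0;
}

/* Fetch (or lazily create) the calling thread's scratch structure. */
static tls_scratch_t *get_scratch(void) {
    tls_scratch_t *s = pthread_getspecific(g_tls_key);
    if (!s) {
        s = calloc(1, sizeof *s);
        if (!s) return NULL;
        pthread_setspecific(g_tls_key, s);
    }
    return s;
}

/* Placeholder decoder (assumption): single-byte XOR with the key in ctx. */
static size_t xor_decode(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap, void *ctx) {
    uint8_t key = *(uint8_t *)ctx;
    if (in_len >= out_cap) return 0;          /* leave room for the NUL */
    for (size_t i = 0; i < in_len; i++) out[i] = in[i] ^ key;
    out[in_len] = 0;
    return in_len;
}

/* Core of the pattern: run the callback over the thread's scratch buffer,
 * copy the result out, then wipe the buffer. Returns decoded length or -1. */
int deobfuscate_with_tls(const uint8_t *blob, size_t blob_len, decode_cb_t cb,
                         void *ctx, char *dst, size_t dst_cap) {
    tls_scratch_t *s = get_scratch();
    if (!s) return -1;
    size_t n = cb(blob, blob_len, s->buf, sizeof s->buf, ctx);
    int rc = (n == 0 || n + 1 > dst_cap) ? -1 : (int)n;
    if (rc > 0) memcpy(dst, s->buf, n + 1);
    memset(s->buf, 0, sizeof s->buf);        /* clear after use, on every path */
    s->used = 0;
    return rc;
}

/* Constructed sample: "kernel32.dll" XOR 0x5A, standing in for an obfuscated
 * string blob embedded in a module. */
static const uint8_t SAMPLE_BLOB[] = {0x31, 0x3F, 0x28, 0x34, 0x3F, 0x36,
                                      0x69, 0x68, 0x74, 0x3E, 0x36, 0x36};

int decode_sample(char *dst, size_t dst_cap) {
    uint8_t key = 0x5A;
    if (xs_init_tls() != 0) return -1;
    return deobfuscate_with_tls(SAMPLE_BLOB, sizeof SAMPLE_BLOB, xor_decode,
                                &key, dst, dst_cap);
}

/* Returns 1 if the scratch buffer holds no plaintext residue. */
int scratch_is_clear(void) {
    if (xs_init_tls() != 0) return 0;
    tls_scratch_t *s = get_scratch();
    if (!s) return 0;
    for (size_t i = 0; i < sizeof s->buf; i++) if (s->buf[i]) return 0;
    return 1;
}

int main(void) {
    char out[64];
    int n = decode_sample(out, sizeof out);
    printf("decoded %d bytes: %s (scratch clear: %d)\n", n, out, scratch_is_clear());
    return n > 0 ? 0 : 1;
}
```

The point of clearing on every exit path is that a memory dump taken between two string decodes shows only the encoded blobs, which is exactly what defeats a naive FLOSS-style string dump.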
String deobfuscation algorithms vary at different malware stages.
Rhadamanthys modules invoke native API functions through raw syscalls, which evades user-mode hooks and avoids exposing API names.
Both the 32-bit and the 64-bit modules use raw syscalls; in a WoW64 process the 64-bit syscalls are executed through the Heaven's Gate technique.
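From the analyst's side, as an added example that is not part of Check Point's write-up or of the malware: a byte-pattern scanner that flags the two artifacts the paragraph above describes, an x64 direct-syscall stub (`mov r10, rcx; mov eax, NN; ... syscall`) found outside ntdll, and a 32-bit Heaven's Gate transition (a far jmp/call with selector 0x33, or the `push 0x33; call $+5; add [esp], 5; retf` sequence). The patterns are generic ntdll-style stubs, not Rhadamanthys-specific signatures, and the sample blob, the service number it contains and all names are constructed for the demo.

```c
/* Added example: scan a code blob for raw-syscall stubs and Heaven's Gate
 * transitions. Generic patterns, not malware-family signatures. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t   offset;
    int      kind;   /* 1 = x64 direct syscall stub, 2 = Heaven's Gate */
    uint32_t ssn;    /* system service number for kind 1, else 0 */
} finding_t;

/* x64 stub prologue: 4C 8B D1 = mov r10,rcx ; B8 imm32 = mov eax,imm32 */
static const uint8_t X64_PROLOGUE[] = {0x4C, 0x8B, 0xD1, 0xB8};
/* push 0x33 ; call $+5 ; add dword [esp],5 ; retf  (classic Heaven's Gate) */
static const uint8_t HG_RETF[] = {0x6A, 0x33, 0xE8, 0x00, 0x00, 0x00, 0x00,
                                  0x83, 0x04, 0x24, 0x05, 0xCB};

/* True if a `syscall` (0F 05) occurs within `window` bytes of p. */
static int has_syscall_within(const uint8_t *p, size_t avail, size_t window) {
    if (avail < 2) return 0;
    if (window > avail) window = avail;
    for (size_t i = 0; i + 1 < window; i++)
        if (p[i] == 0x0F && p[i + 1] == 0x05) return 1;
    return 0;
}

/* Walk the buffer byte by byte; record up to max_out findings. */
size_t scan_syscall_stubs(const uint8_t *buf, size_t len,
                          finding_t *out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_out; i++) {
        size_t rem = len - i;
        /* x64 direct syscall: prologue + imm32, then syscall within 16 bytes.
         * A prologue without a nearby syscall is not reported (avoids noise). */
        if (rem >= sizeof X64_PROLOGUE + 4 &&
            memcmp(buf + i, X64_PROLOGUE, sizeof X64_PROLOGUE) == 0) {
            uint32_t ssn = (uint32_t)buf[i + 4] | (uint32_t)buf[i + 5] << 8 |
                           (uint32_t)buf[i + 6] << 16 | (uint32_t)buf[i + 7] << 24;
            if (has_syscall_within(buf + i + 8, rem - 8, 16)) {
                out[n++] = (finding_t){i, 1, ssn};
                continue;
            }
        }
        /* Heaven's Gate: far jmp (EA) or far call (9A) ptr16:32, selector 0x33 */
        if (rem >= 7 && (buf[i] == 0xEA || buf[i] == 0x9A) &&
            buf[i + 5] == 0x33 && buf[i + 6] == 0x00) {
            out[n++] = (finding_t){i, 2, 0};
            continue;
        }
        if (rem >= sizeof HG_RETF && memcmp(buf + i, HG_RETF, sizeof HG_RETF) == 0) {
            out[n++] = (finding_t){i, 2, 0};
            continue;
        }
    }
    return n;
}

/* Constructed sample blob (43 bytes): padding, an x64 stub with SSN 0x18,
 * a far jmp to selector 0x33, the push/retf gate, and finally a prologue
 * with no syscall after it, which must not be reported. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,
    0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3,   /* @2  */
    0x90,
    0xEA, 0x00, 0x10, 0x40, 0x00, 0x33, 0x00,                           /* @14 */
    0x90,
    0x6A, 0x33, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x83, 0x04, 0x24, 0x05, 0xCB, /* @22 */
    0x4C, 0x8B, 0xD1, 0xB8, 0x05, 0x00, 0x00, 0x00, 0xC3                /* @34, no syscall */
};

size_t scan_sample(finding_t *out, size_t max_out) {
    return scan_syscall_stubs(SAMPLE, sizeof SAMPLE, out, max_out);
}

int main(void) {
    finding_t f[8];
    size_t n = scan_sample(f, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: %s ssn=0x%x\n", f[i].offset,
               f[i].kind == 1 ? "x64 syscall stub" : "Heaven's Gate", f[i].ssn);
    return 0;
}
```

Service numbers recovered this way are only meaningful relative to the Windows build the sample targets, so resolve them against the matching ntdll rather than a generic table.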
The stage 2 modules prepare for, and obfuscate, the stealers that arrive as package no. 2 from the C2.
The netclient module connects to the C2, downloads the payload disguised as a WAV file, verifies it against a hash, and decrypts the contained XS1 module with the help of the proto module.
That XS1 module then loads the subsequent stages; finally, coredll.bin coordinates tasks, reports to the C2, and initializes the built-in stealers.
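The download-verify-decrypt flow above, as an added example that is not Check Point's code or the malware's: walk a RIFF/WAVE container to the `data` chunk, check an integrity hash over the embedded ciphertext, and only then decrypt. The page does not say which hash or cipher Rhadamanthys uses, so CRC-32 and a repeating-key XOR are placeholders, the "hash first, ciphertext after" layout inside the data chunk is an assumption, and the container is constructed in `build_sample()` for the demo. The parser rejects a chunk whose declared size runs past the buffer, the usual failure mode in hand-written RIFF readers.

```c
/* Added example: extract and verify a payload carried in a WAV container.
 * CRC-32, XOR and the data-chunk layout are placeholders, not the real format. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard CRC-32 (IEEE 802.3), bitwise, no table. */
uint32_t crc32_ieee(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Walk RIFF chunks to the "data" chunk. 0 on success, -1 if malformed. */
int wav_find_data(const uint8_t *buf, size_t len, const uint8_t **data, size_t *dlen) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4)) return -1;
    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t csize = rd32(buf + off + 4);
        if (csize > len - off - 8) return -1;          /* chunk runs past the end */
        if (memcmp(buf + off, "data", 4) == 0) { *data = buf + off + 8; *dlen = csize; return 0; }
        off += 8 + csize + (csize & 1);                 /* RIFF chunks are word-aligned */
    }
    return -1;
}

/* Assumed payload layout inside "data": crc32(ciphertext) || ciphertext.
 * Returns plaintext length, -1 if malformed/too large, -2 on hash mismatch. */
int unpack_payload(const uint8_t *wav, size_t len, const uint8_t *key, size_t klen,
                   uint8_t *out, size_t cap) {
    const uint8_t *data; size_t dlen;
    if (wav_find_data(wav, len, &data, &dlen) != 0 || dlen < 4 || klen == 0) return -1;
    const uint8_t *ct = data + 4; size_t ctlen = dlen - 4;
    if (crc32_ieee(ct, ctlen) != rd32(data)) return -2;   /* verify before decrypting */
    if (ctlen > cap) return -1;
    for (size_t i = 0; i < ctlen; i++) out[i] = ct[i] ^ key[i % klen];
    return (int)ctlen;
}

/* Constructed sample: a minimal WAV with a dummy "fmt " chunk, then a data
 * chunk holding "payload!" XOR-encrypted under the key "xs1" and its CRC. */
size_t build_sample(uint8_t *out, size_t cap) {
    static const uint8_t pt[8] = "payload!";
    static const uint8_t key[3] = "xs1";
    uint8_t ct[8];
    for (size_t i = 0; i < 8; i++) ct[i] = pt[i] ^ key[i % 3];
    size_t total = 12 + (8 + 16) + (8 + 4 + 8);          /* = 56 bytes */
    if (cap < total) return 0;
    uint8_t *p = out;
    memcpy(p, "RIFF", 4); wr32(p + 4, (uint32_t)(total - 8)); memcpy(p + 8, "WAVE", 4); p += 12;
    memcpy(p, "fmt ", 4); wr32(p + 4, 16); memset(p + 8, 0, 16); p += 24;
    memcpy(p, "data", 4); wr32(p + 4, 12); wr32(p + 8, crc32_ieee(ct, 8)); memcpy(p + 12, ct, 8);
    return total;
}

int main(void) {
    uint8_t wav[64], pt[16];
    size_t wl = build_sample(wav, sizeof wav);
    int n = unpack_payload(wav, wl, (const uint8_t *)"xs1", 3, pt, sizeof pt);
    printf("unpacked %d bytes: %.*s\n", n, n > 0 ? n : 0, pt);
    wav[wl - 1] ^= 0xFF;                                 /* tamper one ciphertext byte */
    printf("after tamper: %d (expect -2)\n",
           unpack_payload(wav, wl, (const uint8_t *)"xs1", 3, pt, sizeof pt));
    return 0;
}
```

When writing a real extractor for a sample, replace the placeholder hash and cipher with whatever the proto module actually implements, but keep the order: reject on hash mismatch before touching the decryption routine, exactly as the loader does.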
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 15 Dec 2023 15:00:26 +0000