Unveiling the Cyber Underworld: Rhadamanthys and AsyncRAT - The Evolution of Stealthy Threats 🌐🔒 #Cybersecurity #MalwareMayhem

Recent reports from cybersecurity firm Check Point indicate that the developers behind the information-stealing malware, Rhadamanthys, are actively enhancing its features and expanding its capabilities through a plugin system. This evolution transforms it into a more customizable and potent threat.

Rhadamanthys, initially documented in October 2022, operates under the malware-as-a-service (MaaS) model and has been sold by an actor known as "kingcrete2022." It is commonly distributed through malicious websites mimicking genuine software sites advertised through Google ads.

Rhadamanthys Features and Evolution

As of the latest update, version 0.5.2, Rhadamanthys exhibits a new plugin system, turning it into a versatile tool for specific distributor needs. This system allows customers to deploy additional tools tailored to their targets, making it more than just an information stealer.

The malware's components are either active (opening processes and injecting payloads into them) or passive (searching for specific files to retrieve saved credentials). Notably, a Lua script runner can load up to 100 Lua scripts to extract information from various sources, including cryptocurrency wallets, email clients, FTP services, and more.

Version 0.5.1 introduces clipper functionality that alters clipboard data, diverting cryptocurrency payments to an attacker-controlled wallet. Additionally, it can recover Google Account cookies, expanding its capabilities and making it potential general-purpose spyware.

"The author keeps enriching the set of available features, trying to make it not only a stealer but a multipurpose bot, by enabling it to load multiple extensions created by a distributor," said security researcher Aleksandra "Hasherezade" Doniec.

AsyncRAT Exploits Legitimate Processes

In a separate development, security researchers at Trend Micro detailed new infection chains involving AsyncRAT, a remote access trojan. The malware leverages a legitimate Microsoft process called aspnet_compiler.exe to deploy itself via phishing attacks.

Similar to Rhadamanthys, AsyncRAT employs code injection into running processes. The multi-stage chain injects the AsyncRAT payload into a newly spawned aspnet_compiler.exe process, so that the connection to the command-and-control server originates from a signed Microsoft binary and is less likely to draw attention.

AsyncRAT comes with various capabilities, including anti-debugging checks, persistence installation, keylogging, and scanning for crypto wallets in specific directories. Threat actors behind AsyncRAT have been observed using Dynamic DNS (DDNS) to obfuscate their activities.
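The two behaviours described above (a legitimate build tool spawned outside a build context and then talking to the network, and command-and-control hosts parked on dynamic-DNS providers) are both visible in ordinary endpoint telemetry. The script below is an added example written for this summary, not code from Trend Micro or from the article; it parses a constructed, simplified Sysmon-style event log and flags aspnet_compiler.exe when it was started by an unexpected parent or connects to a dynamic-DNS hostname. The log line format, the list of dynamic-DNS suffixes and the set of "expected" parent processes are all assumptions that would need tuning for a real environment.

```python
"""Triage helper for the aspnet_compiler.exe / dynamic-DNS pattern.

Added example, not part of the original reporting. Input format, DDNS
suffix list and expected-parent list are assumptions for illustration.
"""
import re

# Assumption: a hypothetical, incomplete list of dynamic-DNS provider suffixes.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "dynu.com")

# Assumption: parents under which aspnet_compiler.exe runs legitimately
# (build tooling). Any other parent is treated as suspicious.
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe"}

TARGET_IMAGE = "aspnet_compiler.exe"

# One event per line: timestamp, kind, pid, image, then parent= (process
# events) or dest= (network events). Constructed format, not real Sysmon XML.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>process|network)\s+pid=(?P<pid>\d+)\s+image=(?P<image>\S+)"
    r"(?:\s+parent=(?P<parent>\S+))?(?:\s+dest=(?P<dest>\S+))?\s*$"
)

# Constructed sample telemetry (not real data): a benign build-time run,
# a suspicious PowerShell-spawned run that beacons to a DDNS host, and noise.
SAMPLE_LOG = r"""
2024-01-05T10:00:01Z process pid=4120 image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe parent=msbuild.exe
2024-01-05T10:00:09Z network pid=4120 image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe dest=nuget.org
2024-01-05T11:32:40Z process pid=5188 image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe parent=powershell.exe
2024-01-05T11:32:41Z network pid=5188 image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe dest=update-check.duckdns.org
2024-01-05T11:40:02Z process pid=6004 image=C:\Windows\System32\notepad.exe parent=explorer.exe
"""


def parse_events(text):
    """Parse the constructed log format into a list of dicts; skips malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        # Reduce the image path to a lower-cased basename so both / and \ paths compare.
        d["image"] = d["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        d["parent"] = (d["parent"] or "").lower()
        d["dest"] = (d["dest"] or "").lower()
        events.append(d)
    return events


def is_ddns(host):
    """True if host is, or is a subdomain of, one of the assumed DDNS suffixes."""
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def find_suspicious(text):
    """Return findings for aspnet_compiler.exe network activity that is
    either from a process with an unexpected parent or to a DDNS host."""
    odd_spawn = {}  # pid -> parent image, for unexpected spawns of the target
    findings = []
    for e in parse_events(text):
        if e["image"] != TARGET_IMAGE:
            continue
        if e["kind"] == "process":
            if e["parent"] not in EXPECTED_PARENTS:
                odd_spawn[e["pid"]] = e["parent"]
        elif e["kind"] == "network":
            reasons = []
            if e["pid"] in odd_spawn:
                reasons.append(f"spawned by {odd_spawn[e['pid']]}")
            if is_ddns(e["dest"]):
                reasons.append("destination is a dynamic-DNS host")
            if reasons:
                findings.append(
                    {"ts": e["ts"], "pid": e["pid"], "dest": e["dest"], "reasons": reasons}
                )
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} pid={f['pid']} -> {f['dest']}: {'; '.join(f['reasons'])}")
```

Run against the embedded sample, the benign MSBuild-spawned run that fetches packages is ignored, while the PowerShell-spawned instance beaconing to a duckdns.org name produces a single finding carrying both reasons. In practice the parent-process rule is the stronger signal: a DDNS destination alone is common enough in benign traffic that it is better used to raise a finding's priority than to create one on its own.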

"The use of dynamic host servers allows threat actors to seamlessly update their IP addresses, strengthening their ability to remain undetected within the system," noted the researchers.

These developments highlight the continuous evolution and sophistication of malware, underscoring the importance of robust cybersecurity measures to detect and mitigate such threats.
