Threat actors are establishing fraudulent websites for popular free and open-source software in order to promote malicious downloads via advertisements present in the Google search result.
The info-stealing malware Rhadamanthys uses Google advertisements as a means of luring people into downloading malicious software. The malware steals information including email addresses and passwords in addition to focusing on cryptocurrency wallet credentials.
Rhadamanthys is sold to criminals as malware-as-a-service (MaaS), and its utility has multiplied as infostealers become a popular tactic to attack targets.
As of yet, at least one prominent user on the cryptocurrency scene has fallen prey following the malware campaign. According to the victims, the hackers had stolen all their digital crypto assets, along with having access to their professional and personal accounts.
What is Rhadamanthys?
According to threat researcher Germán Fernández, Rhadamanthys, named after the demigod child of Zeus and Europa in Greek mythology, has been dominating Google advertising for the widely used OBS (Open Broadcasting Tool) platform, a free video recording, and streaming service.
Since November 2022, Rhadamanthys’ popularity has been growing rapidly. It has now advanced to a point where, if an online user searches for an OBS, they will eventually encounter five malicious ads at the apex of their Google searches, before seeing legitimate results below.
A user may download malware, alongside legitimate software after he clicks on these advertisement links.
In one such instance, 'Alex', a crypto influencer, better known by his online persona NFT God, was hacked following the download of a fraudulent executable for the OBS video recording and streaming program, through Google’s search results. His life was permanently altered when he mistakenly clicked on the fraudulently sponsored advertisement rather than the genuine one.
“Last night my entire digital livelihood was violated. Every account connected to me both personally and professionally was hacked and used to hurt others. Less importantly, I lost a life changing amount of my net worth,” he tweeted.
How does Rhadamanthys work?
According to a report by the security firm Cyble, Rhadamanthys is offered for sale on the dark web and is distributed via spam emails along with Google advertisements.
Rhadamanthys will start by obtaining relevant device data after a successful intrusion. The data often includes the device's name, model, operating system, OS architecture, hardware details, installed software, IP addresses, and user credentials
“The Rhadamanthys program is capable of executing certain PowerShell commands[...]It also targets document files, the theft of which (depending on the sensitivity of their data) can cause severe issues for victims,” reads a blog post by cybersecurity firm PCrisk.
In addition to this, the MaaS targets cryptocurrency wallet credentials by attempting to extract crytowallets’ passwords in order to acquire control of them and their funds.
“In summary, the presence of stealer-type malware like Rhadamanthys on devices can result in serious privacy issues, significant financial losses, and even identity theft,” PCrisk concluded.
How Can You Protect Yourself?
In order to delay the victim’s response, users are advised to evade the malware activity by checking the URL, since the malicious links may seem identical to the official OBS site. The fraudulent URL may contain subtle spelling mistakes, a malicious tactic used to create fake URLs, called Typosquatting.
