Inside The Rising Tide Of Spear Phishing: Why Targeted Attacks Are Becoming More Dangerous Than Ever

An ongoing phishing campaign known as CopyRh(ight)adamantys, active since July 2024, is using copyright infringement-themed emails to distribute the latest version of the Rhadamanthys information stealer.

This campaign impersonates numerous companies and sends its phishing emails from a different Gmail account for each target. It focuses especially on organizations in the United States, Europe, East Asia, and South America, and about 70 percent of the spoofed businesses belong to the entertainment, media, technology, and software sectors.

Attackers send spear-phishing messages pretending to be legal representatives of well-known companies, claiming that recipients have misused brand content on social platforms and urging them to remove the infringing material. The supposed removal instructions are delivered in a password-protected archive linked through Dropbox or Discord. That archive actually contains a vulnerable executable, the Rhadamanthys stealer packaged as a DLL, and a decoy document; when the executable runs, it loads the malicious DLL through DLL sideloading and so deploys the malware.

The technical sophistication and scale of sender variation suggest possible use of AI tools by the attackers, supporting rapid adaptation and widespread targeting, likely driven by financial motives instead of nation-state interests.

Alongside this, new revelations about SteelFox highlight a full-featured crimeware suite circulated as cracked popular utilities through forums and torrents since February 2023, with infection chains that exploit Windows services and drivers, notably abusing the vulnerable WinRing0.sys driver (affected by CVE-2020-14979 and CVE-2021-41285) to gain NT\SYSTEM privileges and facilitate mining via a customized XMRig executable. SteelFox not only mines cryptocurrency but also exfiltrates sensitive data - including credit card details and browser information - over encrypted network channels via TLS 1.3 and SSL pinning, with advanced malware engineering enabling stealthy, persistent, and wide-ranging theft across victim systems.
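The two infection chains summarized above share a pattern that endpoint telemetry can surface: a legitimate, signed host executable loading an unsigned DLL from the same user-writable directory (the sideloading step in the Rhadamanthys archive), and a load of a known-vulnerable but validly signed driver such as WinRing0.sys (the privilege-escalation step in SteelFox). The following is an added example, not code from the article or from the referenced report, showing how a defender might express both heuristics as a triage routine over image-load events. The event fields, the paths, the file names (`viewer.exe`, `helper.dll`) and the vulnerable-driver list are constructed for illustration and are not a real EDR schema or a complete block list; the only driver name in the list is the one the article names.

```python
# Added example: heuristic triage of image-load telemetry for DLL sideloading and
# bring-your-own-vulnerable-driver (BYOVD) loads. Event format and sample data are
# assumptions constructed for this illustration, not a real EDR schema or real IoCs.
from dataclasses import dataclass
from typing import Iterable

# Only the driver named in the article; in practice, extend from a curated list.
KNOWN_VULNERABLE_DRIVERS = {"winring0.sys"}

# Directories an unprivileged user can normally write to (constructed, non-exhaustive).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


@dataclass(frozen=True)
class ImageLoad:
    kind: str             # "dll" or "driver"
    process_path: str     # executable that loaded the image
    image_path: str       # DLL or driver that was loaded
    process_signed: bool  # host executable carries a valid Authenticode signature
    image_signed: bool    # loaded image carries a valid Authenticode signature


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0] + "\\"


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def looks_like_sideload(ev: ImageLoad) -> bool:
    """Signed host loading an unsigned DLL from the same user-writable directory."""
    return (
        ev.kind == "dll"
        and ev.process_signed
        and not ev.image_signed
        and _dirname(ev.process_path) == _dirname(ev.image_path)
        and is_user_writable(ev.image_path)
    )


def is_vulnerable_driver_load(ev: ImageLoad) -> bool:
    """Known-vulnerable driver by file name; the signature being valid is the point of BYOVD."""
    return ev.kind == "driver" and _basename(ev.image_path) in KNOWN_VULNERABLE_DRIVERS


def triage(events: Iterable[ImageLoad]) -> list[tuple[str, ImageLoad]]:
    """Return (label, event) pairs for events matching either heuristic."""
    findings = []
    for ev in events:
        if looks_like_sideload(ev):
            findings.append(("possible-dll-sideload", ev))
        elif is_vulnerable_driver_load(ev):
            findings.append(("vulnerable-driver-load", ev))
    return findings


# Constructed sample telemetry (not real IoCs).
SAMPLE_EVENTS = [
    # benign: signed app in Program Files loading a signed system DLL
    ImageLoad("dll", r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\kernel32.dll", True, True),
    # sideload pattern: signed "viewer" extracted from an archive into Downloads,
    # loading an unsigned DLL that sits beside it
    ImageLoad("dll", r"C:\Users\alice\Downloads\removal-instructions\viewer.exe",
              r"C:\Users\alice\Downloads\removal-instructions\helper.dll", True, False),
    # benign: unsigned dev build loading its own unsigned DLL outside a user-writable path
    ImageLoad("dll", r"C:\Program Files\DevTool\tool.exe",
              r"C:\Program Files\DevTool\plugin.dll", False, False),
    # BYOVD pattern: validly signed but known-vulnerable driver loaded from ProgramData
    ImageLoad("driver", r"C:\Windows\System32\services.exe",
              r"C:\ProgramData\svc\WinRing0.sys", True, True),
]

if __name__ == "__main__":
    for label, ev in triage(SAMPLE_EVENTS):
        print(f"{label}: {ev.process_path} -> {ev.image_path}")
```

The sideload rule deliberately requires all three conditions (signed host, unsigned DLL, same user-writable directory), because any one of them alone is common in legitimate software; the driver rule ignores signature status because the abused driver is legitimately signed, which is exactly why a name or hash block list is needed.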

Source: https://thehackernews.com/2024/11/steelfox-and-rhadamanthys-malware-use.html

Commentary

The above alert concerns an emerging spear phishing risk. Spear phishing is a highly targeted form of phishing that involves crafting personalized, deceptive messages aimed at specific individuals or groups, unlike broad phishing campaigns that scatter generic bait widely.

Attackers performing spear phishing often conduct detailed research on their targets to make their emails appear trustworthy and relevant, exploiting human tendencies such as curiosity, the wish to be helpful, and trust in authority.

The goal is usually to trick recipients into revealing sensitive information, clicking malicious links, or opening infected attachments that lead to data theft or system compromise.

Recent statistics show spear phishing remains a dominant vector for cyberattacks, with roughly 3.4 billion phishing emails sent daily overall, accounting for substantial financial and data losses globally.

Organizations suffer great harm from these scams, with one report indicating 57 percent of businesses face phishing attempts weekly or daily, with successful attacks causing millions in damage.

Well-known spear phishing incidents include high-profile CEO frauds, in which attackers impersonated executives to authorize fraudulent wire transfers totaling tens of millions of dollars, and politically motivated spear phishing targeting election-related figures with the intent of espionage or disruption.

As these attacks become increasingly sophisticated through the use of artificial intelligence and machine learning, cybercriminals can automate the creation and adaptation of convincing emails, making detection more difficult.

Predictions indicate a continued rise in spear phishing, driven by the integration of AI tools, more elaborate social engineering tactics, and targeting of critical decision-makers in organizations.

To combat this growing menace, cybersecurity strategies are evolving to emphasize proactive employee training, real-time email filtering, and threat intelligence platforms that detect and block attacks earlier in their lifecycle, but the persistent human element - along with advancing attacker sophistication - keeps spear phishing a top threat in the cybersecurity landscape.

The final takeaway is that the rising tide of spear phishing demands vigilance and layered defenses to prevent costly breaches and protect sensitive information.

Additional Sources: https://www.dni.gov/files/NCSC/documents/campaign/Counterintelligence_Tips_Spearphishing.pdf; https://aag-it.com/the-latest-phishing-statistics/; https://csrc.nist.gov/glossary/term/spear_phishing
