This report examines the distribution methods, disguise techniques, and trends of infostealer malware observed in March 2025. Key findings highlight the use of SEO poisoning to spread infostealers disguised as cracks, the rise of DLL side-loading, and the increasing prevalence of the Rhadamanthys infostealer across a variety of distribution formats. Affected: infostealer malware, various file hosting services, legitimate websites, security software.
Key points:
- AhnLab's Security Intelligence Center operates automatic systems for malware collection and analysis.
- Infostealers are often disguised as illegal software, including cracks and keygens, using SEO poisoning tactics to evade detection.
- The distribution of infostealers has significantly increased, particularly Rhadamanthys, which uses advanced anti-analysis techniques.
- DLL side-loading has become a notable distribution method, with malicious and normal files used together to mislead detection systems.
- File hosting services are commonly exploited for malware distribution, while legitimate websites have also been targeted to post infected content.
MITRE Techniques:
- Execution (T1203) – Malware is distributed via legitimate sites, using manipulated DLLs along with common EXE files for execution.
- Command and Control (T1071) – Rhadamanthys communicates with its C2 server via TLS, employing various techniques to obfuscate its activities.
- Defense Evasion (T1562) – DLL side-loading techniques are used to disguise malware as legitimate applications to bypass detection.
- Credential Dumping (T1003) – The Rhadamanthys infostealer injects itself into normal processes for information theft.
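The DLL side-loading pattern described above (a benign, often signed EXE dropped next to a malicious DLL that it loads by name) can be triaged from image-load telemetry. The following is an added detection example, not code from the ASEC report; the event fields, the user-writable path hints, and the sample events are all constructed assumptions, and a real deployment would feed it Sysmon Event ID 7 or equivalent EDR records.

```python
"""Heuristic DLL side-loading triage over image-load events (constructed example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Loads from these directories are the OS's own copies, not side-loaded ones.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Path fragments that mark locations an unprivileged user (or a dropped
# installer) can write to; these are assumptions, tune them for your estate.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class ImageLoad:
    process_image: str   # EXE that performed the load (Sysmon: Image)
    image_loaded: str    # DLL that was mapped (Sysmon: ImageLoaded)
    signed: bool         # whether the DLL has a valid Authenticode signature


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when an EXE loads an unsigned DLL from its own user-writable directory.

    This is the core of the side-loading disguise: the EXE is legitimate, so only
    the co-located DLL (and where it lives) distinguishes the pair from normal use.
    """
    exe = PureWindowsPath(ev.process_image.lower())
    dll = PureWindowsPath(ev.image_loaded.lower())
    if dll.suffix != ".dll":
        return False
    if str(dll).startswith(SYSTEM_DIRS):
        return False  # genuine system DLL, not a look-alike dropped beside the EXE
    same_dir = exe.parent == dll.parent
    user_writable = any(hint in str(dll) for hint in USER_WRITABLE_HINTS)
    return same_dir and user_writable and not ev.signed


def triage(events):
    """Return the subset of events worth analyst attention."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry: a "crack" bundle in Downloads carrying an
# unsigned DLL named like a common Windows library, plus benign loads.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\Downloads\Crack\setup.exe",
              r"C:\Users\alice\Downloads\Crack\version.dll", signed=False),
    ImageLoad(r"C:\Users\alice\Downloads\Crack\setup.exe",
              r"C:\Windows\System32\version.dll", signed=True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\helper.dll", signed=True),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\tool.exe",
              r"C:\Users\alice\AppData\Local\Temp\plugin.dll", signed=True),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit.process_image} -> {hit.image_loaded}")
```

Signed malicious DLLs and side-loads from non-user-writable paths will slip past this rule by design; treat it as a first-pass filter rather than a verdict.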
Indicators of Compromise:
Full Story: https://asec.ahnlab.com/en/87444/