Rhadamanthys Malware Disguised as Groupware Installer Detected by MDS

Recently, AhnLab SEcurity intelligence Center (ASEC) discovered Rhadamanthys being distributed under the guise of a groupware installer. The threat actor set up a fake website resembling the legitimate one and exposed it to users through the advertising feature of search engines. ASEC Blog has previously covered malware distributed through search-engine ads in the article titled “Hey, This Isn’t the Right Site!” Distribution of Malware Exploiting Google Ads Tracking [1].

The distributed malware uses the indirect syscall technique to evade security solutions. With this technique, the malware bypasses the user-mode hooks that anti-malware and analysis tools place on the native API stubs in ntdll.dll.

Figure 1. Comparing the call flows (Normal ReadFile() API call flow vs. Indirect syscall call flow)

Generally, when an executable calls the ReadFile() API, the call passes internally through the kernel32.dll, kernelbase.dll, and ntdll.dll modules in that order. In ntdll.dll's NtReadFile stub, the required arguments are placed in registers and NtReadFile's system call number, 0x6, is loaded into the EAX register before the syscall instruction is executed. (System call numbers differ between Windows versions, so malware has to resolve them at runtime rather than hard-code them.)

Figure 2. Normal ReadFile() API call flow

In a normal native API call as shown above, the stub code in ntdll loads the system call number into the register and executes the syscall instruction itself, so every call passes through the stub's entry point, which is exactly where user-mode hooks are planted. In the indirect syscall technique used by Rhadamanthys, the malware instead performs the stub's register setup itself, placing the arguments and the system call number into the registers manually, and then branches to the address of a syscall instruction inside the ntdll.dll memory region. The syscall is therefore still executed from ntdll's address space, so the return address looks like that of a legitimate call, while the hooked entry point of the stub is never executed.

Figure 3. Indirect syscall call flow

Rhadamanthys reads the legitimate Windows file C:\Windows\System32\ntdll.dll from disk and memory-maps this fresh, unhooked copy. To bypass detection, it takes the stub code and system call numbers it needs from the memory-mapped copy, which security products have not patched, loads the system call number into the register, and then branches to the address of a syscall instruction in the ntdll module already loaded in the process. Since the hooked function prologues of the loaded ntdll are never executed, the user-mode hooks never see the call.

After evading detection in this way, Rhadamanthys injects itself into dialer.exe, a legitimate Windows system program in the %system32% path. The following target processes for injection were identified across malware strains distributed in the same manner.

  • %system32%\dialer.exe
  • %system32%\openwith.exe
  • %system32%\dllhost.exe
  • %system32%\rundll32.exe

The injected process then injects itself once more into a legitimate program under the “C:\Program Files\Windows Media Player” path. The targeted programs are listed below.

Programs targeted for injection
  • C:\Program Files\Windows Media Player\wmpshare.exe
  • C:\Program Files\Windows Media Player\wmpnscfg.exe

Rhadamanthys ultimately carries out its role as an infostealer, exfiltrating the user’s information from the PC.

[Detection by MDS]

AhnLab MDS detects this type of malware in its sandbox environment under the detection name “Injection/MDP.Event.M10231”.

Figure 4. Malware detected by AhnLab MDS (1)
Figure 5. Malware detected by AhnLab MDS (2)

Threat actors frequently distribute malware through phishing emails or fake websites disguised as legitimate ones. Malware distributed in such ways can easily trick users into executing it, and in the case of infostealers, it is especially difficult for users to realize that their system has been infected.

AhnLab MDS, a sandbox-based file analysis solution, analyzes the behaviors that occur after a file is executed in a virtual environment. Information theft is not a behavior displayed only by known malware; unidentified malware developed by threat actors for APT attacks also shows such behavior at the execution stage. AhnLab MDS detects such information-stealing behaviors, enabling administrators to become aware of attacks and prevent follow-on attacks.

[IOC]

[MD5]
9437c89a5f9a51a4ff6d6076083fa6c9

[C2]
147.124.220[.]237:8123

[File Detection]
Trojan/Win.Malware-gen.R637934 (2024.03.08.00)

[Behavior Detection]
Injection/MDP.Event.M10231

AhnLab MDS detects and responds to unknown threats by performing sandbox-based dynamic analysis. For more information about the product, please visit our official website.
