28 Feb

New phishing campaign in oil and gas sectors

Cofense Intelligence has detected a highly sophisticated phishing campaign aimed at the Oil and Gas sector, utilizing an advanced Malware-as-a-Service (MaaS) known as Rhadamanthys Stealer.

This campaign stands out due to its timing, emerging shortly after law enforcement dismantled the LockBit ransomware group, hinting at a potential shift in tactics among cybercriminals. Rhadamanthys Stealer, recently updated on the underground market, boasts improved capabilities, allowing threat actors to pilfer a broad array of sensitive data from targeted devices.

The scheme begins with phishing emails that use a fake vehicle incident report as the lure, prompting recipients to click a link that abuses open redirects on legitimate domains such as Google Maps or Google Images. After passing through several redirects, victims land on an interactive PDF hosted on a newly registered domain. This PDF, disguised as a clickable image, starts the download of a ZIP archive from a GitHub repository containing the Rhadamanthys Stealer executable. Once run, the malware establishes communication with a command and control (C2) server to which it sends stolen credentials, cryptocurrency wallets, and other sensitive information.
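A defender-side way to surface such redirect chains before a user clicks, added here as an example and not Cofense's code or the campaign's indicators: it unwraps nested redirect parameters offline (no request is made) and flags links where a reputable host merely forwards to a different host, with a stronger verdict when the final target is a PDF or ZIP. The host list, parameter names and sample links are assumptions constructed for the example.

```python
from urllib.parse import urlparse, parse_qs
# Hosts a mail gateway trusts by reputation, so an outer link to them looks
# benign even when it only redirects elsewhere (assumed list for this example).
REPUTABLE_HOSTS = {"www.google.com", "maps.google.com", "images.google.com"}
# Query parameters commonly used to carry a redirect target (assumed list).
REDIRECT_PARAMS = ("q", "url", "continue", "redirect", "u")
# File types the campaign above delivers at the end of the chain.
SUSPICIOUS_SUFFIXES = (".pdf", ".zip")

def unwrap_redirects(url, max_depth=5):
    """Follow nested redirect parameters without any network request.
    Returns the URLs from the outer link down to the innermost target."""
    chain = [url]
    for _ in range(max_depth):
        params = parse_qs(urlparse(chain[-1]).query)
        inner = None
        for name in REDIRECT_PARAMS:
            values = params.get(name)
            if values and values[0].lower().startswith(("http://", "https://")):
                inner = values[0]   # parse_qs already percent-decodes the value
                break
        if inner is None:
            break
        chain.append(inner)
    return chain

def assess_link(url):
    """Return (verdict, chain). A link is suspicious when a reputable host only
    forwards to a different, non-reputable host; more so when the final target
    is a PDF or ZIP, as in the chain described above."""
    chain = unwrap_redirects(url)
    if len(chain) == 1:
        return ("plain", chain)
    first_host = urlparse(chain[0]).hostname or ""
    last = urlparse(chain[-1])
    if first_host in REPUTABLE_HOSTS and (last.hostname or "") not in REPUTABLE_HOSTS:
        if last.path.lower().endswith(SUSPICIOUS_SUFFIXES):
            return ("suspicious-file-redirect", chain)
        return ("suspicious-redirect", chain)
    return ("redirect", chain)

# Constructed sample links for the demo, not indicators from the campaign.
SAMPLE_LINKS = [
    "https://maps.google.com/url?q=https%3A%2F%2Fexample-newdomain.invalid%2Fincident-report.pdf",
    "https://www.google.com/url?q=https://www.google.com/maps",
    "https://example.com/news/vehicle-policy",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(assess_link(link)[0], " -> ".join(assess_link(link)[1]))
```

The same check can be run over URLs extracted from a mail gateway or proxy log; a "suspicious-file-redirect" verdict on a newly registered destination is the pattern worth alerting on.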

Written in C++, Rhadamanthys Stealer comes equipped with a range of features for data exfiltration, including collection of device details, document files, and credentials stored in various applications and browsers. Recent updates to version 5.0 give threat actors enhanced customization options and additional tactics for evading security measures and exploiting vulnerabilities.


This campaign underscores the ever-evolving sophistication of cyber threats targeting specific sectors like Oil and Gas, emphasizing the critical need for robust cybersecurity measures. Cofense clients can access detailed indicators of compromise (IOCs) via the Active Threat Report on ThreatHQ. As organizations confront these threats, proactive security measures and employee training on recognizing and thwarting phishing attacks and advanced malware are essential in mitigating associated risks.