Rhadamanthys
10 Apr

Rhadamanthys malware targets oil and gas industry

A new wave of phishing campaigns targeting the oil and gas sector has surfaced, using an updated version of the information-stealing malware Rhadamanthys. Cofense researcher Dylan Duncan revealed that these phishing emails employ an unusual lure related to vehicle incidents and spoof the Federal Bureau of Transportation in a PDF to trick recipients.

The emails contain a malicious link leading to a fake PDF document, which, upon clicking, downloads a ZIP archive carrying the Rhadamanthys payload. Written in C++, Rhadamanthys is designed to establish connections with a command-and-control server to extract sensitive data from compromised hosts.

This development comes shortly after the law enforcement takedown of the LockBit ransomware group. Trend Micro had previously identified a Rhadamanthys variant bundled with a leaked LockBit payload, suggesting a potential connection between the two malware families. Furthermore, new information stealers such as Sync-Scheduler and Mighty Stealer are emerging, while existing strains such as StrelaStealer are evolving with improved obfuscation techniques. Additionally, malspam campaigns targeting Indonesia have been observed distributing Agent Tesla malware to steal sensitive information such as login credentials and financial data.


Check Point attributed these Agent Tesla phishing campaigns to African-origin threat actors, Bignosa and Gods, who distribute the malware via the RoundCube webmail tool, secured by Cassandra Protector. According to Check Point, the ease of conducting cybercrime operations with these malware families underscores the low entry threshold for individuals willing to launch spam campaigns. Overall, the prevalence of these malware families highlights the ongoing challenge posed by cyber threats across sectors, requiring robust security measures to mitigate risks effectively.