Showing posts with label Cryptocurrency Fraud.

Rhadamanthys: Malware Hidden in Google Ads


Threat actors are setting up fraudulent websites for popular free and open-source software and promoting malicious downloads through sponsored advertisements placed at the top of Google search results. 

The info-stealing malware Rhadamanthys uses Google advertisements to lure people into downloading it. It steals email addresses and passwords and, in particular, targets cryptocurrency wallet credentials. 

Rhadamanthys is sold to criminals as malware-as-a-service (MaaS), and its use has grown as infostealers have become a popular way of attacking targets. 

So far, at least one prominent figure in the cryptocurrency scene has fallen victim to the campaign. According to the victim, the attackers stole all of their crypto assets and gained access to their professional and personal accounts. 

What is Rhadamanthys? 

According to threat researcher Germán Fernández, Rhadamanthys, named after the demigod son of Zeus and Europa in Greek mythology, has been dominating Google advertising for the widely used OBS (Open Broadcaster Software) platform, a free video recording and streaming application. 

The campaign has been growing rapidly since November 2022. It has now reached the point where a user searching for OBS is shown five malicious sponsored ads at the top of the Google results page, before the legitimate results below them. 

Clicking one of these ads leads to a download that installs the malware alongside the legitimate software. 

In one such instance, a crypto influencer known as 'Alex', better known by his online persona NFT God, was hacked after downloading a fraudulent OBS executable from a Google search result. He had clicked the sponsored advertisement rather than the genuine result beneath it, a mistake that permanently altered his life. 

“Last night my entire digital livelihood was violated. Every account connected to me both personally and professionally was hacked and used to hurt others. Less importantly, I lost a life changing amount of my net worth,” he tweeted. 

How does Rhadamanthys work? 

According to a report by the security firm Cyble, Rhadamanthys is offered for sale on the dark web and is distributed via spam emails as well as Google advertisements. 

After a successful infection, Rhadamanthys begins by collecting data about the device. This typically includes the device name and model, the operating system and its architecture, hardware details, installed software, IP addresses and user credentials. 

“The Rhadamanthys program is capable of executing certain PowerShell commands[...]It also targets document files, the theft of which (depending on the sensitivity of their data) can cause severe issues for victims,” reads a blog post by cybersecurity firm PCrisk. 

In addition, the malware targets cryptocurrency wallets, attempting to extract wallet passwords in order to take control of the wallets and the funds they hold. 

“In summary, the presence of stealer-type malware like Rhadamanthys on devices can result in serious privacy issues, significant financial losses, and even identity theft,” PCrisk concluded. 

How Can You Protect Yourself? 

Users are advised to check the URL carefully before downloading, since the malicious links can look almost identical to the official OBS site. A fraudulent URL may differ from the real one only by subtle spelling changes, a tactic for creating look-alike domains known as typosquatting.   
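The check above can be automated. The following is an added example (not code from the original post, and not a tool from the OBS project): a Python allowlist check that extracts the host from a download URL, folds common look-alike substitutions (digits for letters, "rn" for "m", hyphens, Unicode homoglyphs) and flags hosts that embed or sit within a small edit distance of a trusted brand. obsproject.com is the real OBS Studio domain; the lookalike domains in the tests (such as download-center.net) are constructed for illustration, and the two-label "registrable domain" logic is a simplification that a real deployment would replace with a public suffix list.

```python
import unicodedata
from urllib.parse import urlsplit

# Allowlist of legitimate download domains. obsproject.com is the real OBS Studio
# site; any other software you care about would be added here.
TRUSTED_DOMAINS = {"obsproject.com"}


def normalize_host(url: str) -> str:
    """Extract the host, fold Unicode look-alikes to ASCII, drop a leading 'www.'."""
    host = urlsplit(url).hostname or ""
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode().lower()
    return host[4:] if host.startswith("www.") else host


def registrable(host: str) -> str:
    """Last two labels of the host (cdn.obsproject.com -> obsproject.com).
    Simplification (assumption): a real deployment should use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def fold_glyphs(s: str) -> str:
    """Collapse common ASCII substitutions an attacker uses to imitate a brand."""
    s = s.replace("rn", "m").replace("vv", "w").replace("-", "")
    return s.translate(str.maketrans("0135", "oles"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """'trusted' if the registrable domain is allowlisted, 'lookalike' if the host
    imitates an allowlisted brand, 'unknown' otherwise."""
    host = normalize_host(url)
    if registrable(host) in trusted:
        return "trusted"
    folded_host = fold_glyphs(host)
    folded_base = fold_glyphs(registrable(host).split(".")[0])
    for good in trusted:
        brand = good.split(".")[0]
        # Brand embedded anywhere in the host: obsproject.com.evil.net, obs-project-dl.com
        if brand in folded_host:
            return "lookalike"
        # Small edit distance to the brand: obsprojct.com, obsprojekt.com
        if levenshtein(folded_base, brand) <= max_dist:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, the rest imitations of the OBS domain.
    for u in ("https://obsproject.com/download",
              "https://obsproject.com.download-center.net/",
              "https://0bsproject.com/",
              "https://obsproj\u0435ct.com/",      # Cyrillic 'е' homoglyph
              "https://github.com/"):
        print(f"{classify(u):10} {u}")
```

The Unicode fold is deliberately lossy: a homoglyph that has no ASCII decomposition is dropped, which leaves a host one edit away from the brand and therefore still caught by the distance check. Tune `max_dist` to the length of your brand names; 2 is generous for short names and should be lowered for them.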

Beware of New Advance Fee Fraud Scheme Targeting Cryptocurrency Users

Researchers at Proofpoint have detected a new series of email fraud campaigns that lure potential victims with the promise of a large amount of tax-free cryptocurrency.

In this Advance Fee Fraud scheme the scammers use elaborate social engineering: they send potential targets a working set of login credentials for a fake cryptocurrency exchange, then tempt them with the prospect of withdrawing hundreds of thousands of dollars' worth of cryptocurrency from an account that already exists on the platform.

Sophisticated Campaigns 

Although similar to conventional Advance Fee Fraud, these campaigns are technically sophisticated and fully automated. They also require substantial victim interaction: a victim must first log in to the platform and set up their own account before even attempting to withdraw any cryptocurrency. 

In their write-up, Proofpoint researchers note that the use of cryptocurrency is significant because it offers anonymity to both the scammer and the target. Potential victims may be drawn in by the prospect of receiving the money anonymously and tax-free because it is paid in Bitcoin.

Proofpoint researchers say they first discovered the campaign in May 2021 using a coins45[.]com landing page. The most recent version, which started in July, directs potential victims to securecoins[.]net. 

According to Proofpoint, each email campaign has been sent to anywhere from tens to hundreds of recipients around the world. Emails from the same campaign contain the same credentials for every recipient, and multiple people can log in with the same user ID and password as long as they do so from a different IP address and browser. Once a target changes the password and adds a phone number, however, the account becomes exclusive to them, and victims see no trace of other victims' activity. 

Users who create an account on the phony platform find 28.85 BTC in their wallet. To withdraw it, they are first asked to transfer 0.0001 BTC to confirm that everything works. After doing so, they discover that the minimum withdrawal amount is 29.029 BTC and that they must deposit more to be able to withdraw the full balance. Even if they add the required funds, they are still unable to withdraw the Bitcoin from the platform. 
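Two features of the scheme described above are useful for detection on the receiving side: the lure email hands the recipient a username and password in the body, and, because the campaigns are automated, the same credential pair is mailed to many recipients. The following is an added example, not code from the original post or from Proofpoint: a Python mail-filter heuristic that scores a message on those indicators plus the two landing-page domains named in the research, and a clustering function that groups an inbox by credential pair to expose the shared-credential pattern. The sample messages are constructed, and the weights and thresholds are this example's own tuning.

```python
import re
from collections import defaultdict

# Landing-page domains named in the Proofpoint research (defanged in the text above).
KNOWN_SCAM_DOMAINS = {"coins45.com", "securecoins.net"}

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# "Login: xxx ... Password: yyy" pairs handed to the recipient in the body itself.
CRED_RE = re.compile(
    r"(?:user(?:name)?|login)\s*[:=]\s*(\S+).{0,80}?pass(?:word)?\s*[:=]\s*(\S+)",
    re.I | re.S,
)
BTC_RE = re.compile(r"\b\d+(?:\.\d+)?\s*BTC\b", re.I)
LURE_WORDS = ("tax-free", "tax free", "withdraw", "already been funded", "your balance")

# Weights and thresholds are this example's own tuning (assumption), not Proofpoint's.
WEIGHTS = {"known_scam_domain": 4, "credentials_in_body": 3, "btc_amount": 1, "lure_wording": 1}


def indicators(body: str) -> list:
    """Return the names of the indicators present in one message body."""
    found = []
    hosts = {h.lower() for h in URL_RE.findall(body)}
    if hosts & KNOWN_SCAM_DOMAINS:
        found.append("known_scam_domain")
    if CRED_RE.search(body):
        found.append("credentials_in_body")
    if BTC_RE.search(body):
        found.append("btc_amount")
    if any(w in body.lower() for w in LURE_WORDS):
        found.append("lure_wording")
    return found


def verdict(body: str) -> str:
    """'block' for a clear lure, 'flag' for review, 'allow' otherwise."""
    score = sum(WEIGHTS[i] for i in indicators(body))
    if score >= 5:
        return "block"
    if score >= 3:
        return "flag"
    return "allow"


def campaign_clusters(inbox):
    """inbox: iterable of (recipient, body). Returns credential pairs that were mailed
    to more than one recipient, the hallmark of these automated campaigns."""
    seen = defaultdict(list)
    for rcpt, body in inbox:
        m = CRED_RE.search(body)
        if m:
            seen[(m.group(1), m.group(2))].append(rcpt)
    return {creds: rcpts for creds, rcpts in seen.items() if len(rcpts) > 1}


# Constructed sample messages, not real campaign emails.
SCAM_EMAIL = (
    "Congratulations! An account holding 28.85 BTC has already been funded for you.\n"
    "Login: vip8841\n"
    "Password: Wx29!kq\n"
    "Withdraw your tax-free funds at https://securecoins.net/login\n"
)
NEWSLETTER = (
    "Weekly market update: bitcoin closed the week higher.\n"
    "Withdrawals resume Monday. Details: https://news.example-exchange.com/weekly\n"
)
SAMPLE_INBOX = [
    ("alice@example.org", SCAM_EMAIL),
    ("bob@example.org", SCAM_EMAIL),
    ("carol@example.org", NEWSLETTER),
]

if __name__ == "__main__":
    for rcpt, body in SAMPLE_INBOX:
        print(rcpt, verdict(body), indicators(body))
    print(campaign_clusters(SAMPLE_INBOX))
```

Credentials in the body score high on their own because a legitimate exchange never mails a ready-made password; a lure that swaps in a fresh domain still reaches the block threshold through that indicator plus the BTC amount and wording. The clustering step is what turns a single suspicious message into evidence of a campaign, so it is worth running across the whole mail flow rather than per mailbox.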

As with other email fraud campaigns, users should be wary of any email from an unknown sender that promises a financial windfall. While Proofpoint has identified and exposed a number of these campaigns, its researchers expect the scammers behind them to keep evolving their tactics in future campaigns.