Pierluigi Paganini April 12, 2024

TA547 group is targeting dozens of German organizations with an information stealer called Rhadamanthys, Proofpoint warns.

Proofpoint researchers observed a threat actor, tracked as TA547, targeting German organizations with an email campaign delivering the Rhadamanthys malware.

TA547 is a financially motivated threat actor that has been active since at least November 2017, it was observed conducting multiple campaigns to deliver a variety of Android and Windows malware, including DanaBot, Gootkit, Lumma stealer, NetSupport RAT, Ursnif, and ZLoader. The group also operates as an initial access broker (IAB) and targets various geographic regions.

The security firm pointed out that this is the first TA547 group to use this malware family. In past campaigns, the group used a PowerShell script likely generated by large language model (LLM) such as ChatGPT, Gemini, CoPilot, etc.  

The TA547 group sent emails to the victims impersonating the German retail company Metro, purportedly related to invoices.

The messages contain a password-protected ZIP file containing an LNK file when opened. Upon executing the LNK file, it triggers PowerShell to run a remote PowerShell script. The remote PowerShell script decoded the Base64-encoded Rhadamanthys executable file stored in a variable and loaded it as an assembly into memory and then executed it. The experts noticed that the malicious code is executed directly in memory without writing any artifact to disk. 

“Notably, when deobfuscated, the second PowerShell script that was used to load Rhadamanthys contained interesting characteristics not commonly observed in code used by threat actors (or legitimate programmers). Specifically, the PowerShell script included a pound sign followed by grammatically correct and hyper specific comments above each component of the script.” reads the report published by Proofpoint. “This is a typical output of LLM-generated coding content, and suggests TA547 used some type of LLM-enabled tool to write (or rewrite) the PowerShell, or copied the script from another source that had used it.”

This campaign exemplifies a shift in techniques by the threat actor, utilizing compressed LNKs and the previously unseen Rhadamanthys stealer malware. The experts also discovered the attempts of using LLM in malware campaigns.

“LLMs can assist threat actors in understanding more sophisticated attack chains used by other threat actors, enabling them to repurpose these techniques once they understand the functionality.  Like LLM-generated social engineering lures, threat actors may incorporate these resources into an overall campaign.” concludes the report. “It is important to note, however, that while TA547 incorporated suspected LLM-generated content into the overall attack chain, it did not change the functionality or the efficacy of the malware or change the way security tools defended against it. In this case, the potentially LLM-generated code was a script which assisted in delivering a malware payload but was not observed to alter the payload itself.” 

The report includes Indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, malware)