Info-stealing malware Rhadamanthys is hijacking Google ads to lure victims into downloading malicious software. The malware lifts data like passwords and email addresses as well as targeting cryptocurrency wallet credentials. Marketed to criminals as malware-as-a-service (MaaS), the popularity of Rhadamanthys is rising as infostealers become a popular way to attack targets.
Rhadamanthys is named after the demigod child of Zeus and Europa in Greek mythology, and has been occupying Google ads for free video recording and streaming service OBS (Open Broadcasting Service), a platform widely used by streamers, according to threat researcher Germán Fernández.
Malware Rhadamanthys hijacks Google ads
Rhadamanthys has been growing in popularity since November last year. It has now reached the point where a user who searches for OBS is met with five malicious ads at the top of their Google results before any legitimate result appears below; the cybercriminals appear to have purchased advertising slots on Google.
Tech Monitor has reached out for comment from Google but has had no response at the time of writing.
Clicking on the advertised links leads the user to download the legitimate software alongside the malware, in order to delay the victim’s response. Avoid the malware by checking the URL. Some of the links are very similar to the official OBS site, but with a subtle spelling mistake, a technique known as typosquatting.
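The URL check described above can be automated for a list of domains you trust. The following is an added example written for this article, not code from the article, from Fernández, Cyble or PCrisk. It assumes obsproject.com is the official OBS domain (an assumption, not stated on the page); the sample URLs are constructed for illustration and are not indicators from the actual campaign. It flags three patterns a user or a proxy log review would care about: a registrable domain within a small edit distance of the real one (typosquat), the real brand name embedded in an unrelated domain (lookalike), and everything else.

```python
from urllib.parse import urlsplit

# Assumption: the official OBS download site is obsproject.com (not taken from the article).
LEGIT_DOMAINS = {"obsproject.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased host part of a URL; a bare host without a scheme is accepted too."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels.

    Good enough for .com-style names used here; a real deployment would consult
    the Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    return ".".join(host.split(".")[-2:])


def classify(url: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike', 'typosquat' or 'unrelated' for a URL."""
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in legit:
        return "legitimate"
    for good in legit:
        brand = good.split(".")[0]
        # Brand used as a subdomain or folded into another name, e.g.
        # obsproject.com.<something-else>: the registrable domain is not ours.
        if brand in host:
            return "lookalike"
        # One or two character edits away from the real domain: classic typosquat.
        if levenshtein(domain, good) <= max_distance:
            return "typosquat"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs, not indicators from the real campaign.
    samples = [
        "https://obsproject.com/download",
        "https://obsprojet.com/download",
        "https://obs-project.com/",
        "https://obsproject.com.download-mirror.example/setup.exe",
        "https://github.com/obsproject/obs-studio",
    ]
    for u in samples:
        print(f"{classify(u):11s} {u}")
```

Run as a script it prints a verdict per sample URL; `classify()` can also be called from a proxy-log or browser-history review to surface ad-delivered lookalikes before a download is run.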
Not all countries are receiving the same corrupted ads. Fernández has found a wealth of evidence for the MaaS being advertised in South America, but the adverts appear to be less prevalent in Europe and the US.
How does Rhadamanthys work?
Rhadamanthys is available for sale on the dark web and, alongside Google ads, is shared via spam email, according to a report by security company Cyble.
Following successful infiltration, Rhadamanthys will begin by gathering relevant device data, often including device name, model, operating system, OS architecture, hardware details, installed software, IP addresses and user credentials.
“The Rhadamanthys program is capable of executing certain PowerShell commands,” says a blog post by cybersecurity portal PCrisk. “It also targets document files, the theft of which (depending on the sensitivity of their data) can cause severe issues for victims.”
The MaaS targets cryptocurrency wallet credentials as well. It attempts to extract the passwords of cryptowallets in order to take possession of them and their funds. Future iterations of Rhadamanthys will probably become more effective meaning more credentials will be at risk.
“In summary,” the PCrisk post says, “the presence of stealer-type malware like Rhadamanthys on devices can result in serious privacy issues, significant financial losses, and even identity theft.”
The rise of the malware marketplace
According to Accenture’s cyber threat intelligence team, info-stealing malware has become one of the most discussed malware types among cybercriminals because of its ability to harvest cookie data, usernames and passwords. It is often made available as MaaS, allowing cybercriminals with few resources or little skill to deploy the malware and gain access to other networks cheaply, simply by buying the software they need.
The growing availability of MaaS is, in turn, increasing the use of credential marketplaces, as more hackers seek to sell their stolen data. One example is Russian Market, a dark web marketplace that lets visitors search its inventory by the malware used, the victim’s operating system and the victim’s location.
Russian Market was one of the most popular sites in 2022 based on volume of logs available for sale, continues the Accenture report, “with victim data sold for an average price of $10 per log”. The total number of logs for sale in this market rose by nearly 40% from approximately 3.3 million to 4.5 million between July and October 2022, demonstrating the size of this growing problem.