CopyRh(ight)adamantys: The New Global Cybersecurity Threat Leveraging AI and Phishing Tactics

In a digital landscape where phishing and cyber attacks are ever-evolving, a new threat known as CopyRh(ight)adamantys has emerged, targeting both individual consumers and large organizations globally. Uncovered by cybersecurity researchers at Check Point, this campaign uses fake copyright infringement notices to trick recipients into downloading a powerful malware variant: the Rhadamanthys information stealer.

Did you know the clap counter goes up to 50? Claps let me know what to write!

Like what you’re reading? You can Buy Me a Coffee here to show me you appreciate it! https://buymeacoffee.com/calvinwhitehurst

Share this article with family, friends, and coworkers to make them aware of cybersecurity threats!

Understanding the CopyRh(ight)adamantys Threat

CopyRh(ight)adamantys, named for its combination of “copyright” and the Rhadamanthys malware, represents a new level of sophistication in phishing attacks. The campaign targets users across various sectors, particularly those in media, entertainment, technology, and software. Hackers behind this campaign use AI-powered tools and automation to personalize phishing messages and create large volumes of fake Gmail accounts, enhancing their ability to reach more victims with tailored, believable messages.

The campaign’s premise is simple yet effective: recipients receive an email alleging a copyright infringement on a platform like Facebook, leading them to a password-protected file containing malware. The use of copyright claims exploits the urgency and fear often associated with potential legal violations, making recipients more likely to engage with the content.

How the Campaign Works

The CopyRh(ight)adamantys attack chain typically follows these steps:

1. Phishing Email: Attackers impersonate legitimate companies, sending emails from various Gmail accounts that mimic legal notices about copyright infringement. Almost 70% of impersonated entities are high-profile companies in entertainment and technology, sectors that frequently deal with copyright issues.
2. Malicious Download: Victims are directed to download a password-protected archive from cloud storage platforms like Dropbox or Discord. This archive contains a legitimate-looking executable that, when run, uses DLL sideloading to activate the Rhadamanthys stealer.
3. Infection and Data Theft: Once installed, the malware extracts and exfiltrates sensitive data from the victim’s system, including login credentials, financial information, and cryptocurrency wallet data. The stealer can also establish persistence on the device by embedding itself in system files and creating registry keys.
4. Evasion Techniques: Rhadamanthys includes tactics to bypass detection. For example, it uses DLL sideloading to load malicious code while appearing as a legitimate application. It also adds empty padding to evade hash-based antivirus scans, complicating traditional detection efforts.

The Role of AI in CopyRh(ight)adamantys

While the attackers claim that the Rhadamanthys malware leverages advanced AI, researchers found it primarily uses older machine learning methods for Optical Character Recognition (OCR). This capability allows the malware to automate phishing and adapt messages for different languages and targets. However, limitations remain — some messages have localization errors, such as an Israeli target receiving an email in Korean, revealing the imperfections of the AI-driven automation used.

Despite these flaws, the campaign is an example of how cybercriminals are using AI tools to conduct large-scale attacks with minimal effort. The automated creation of Gmail accounts, coupled with AI-assisted message crafting, allows for broad targeting across different regions, including North and South America, Europe, and East Asia.

Impact and Implications

The financial motivation behind CopyRh(ight)adamantys is clear; the malware is specifically designed to siphon sensitive information for monetary gain. Findings also suggest that the operation isn’t tied to any political or nation-state agenda, distinguishing it from other campaigns associated with groups like Void Manticore, an Iranian threat actor previously linked to Rhadamanthys.

For organizations and individuals alike, this attack underscores the importance of vigilance in the face of increasingly realistic phishing schemes. The campaign’s reach and apparent success in bypassing traditional cybersecurity measures indicate that similar AI-assisted attacks are likely to grow more common.

Protecting Yourself Against CopyRh(ight)adamantys

To guard against the CopyRh(ight)adamantys threat, consider the following cybersecurity best practices:

• Verify Emails Carefully: Be cautious of emails that claim legal or copyright issues, especially if they contain downloadable files or links to external sites. DO NOT CLICK THE LINKS.
• Avoid Opening Unknown Attachments: Legitimate companies rarely send password-protected files without prior communication. When in doubt, contact the company directly.
• Implement Email Security Tools: Organizations should deploy email filtering systems that can detect and block phishing attempts, especially those from newly created Gmail accounts.
• Educate Employees: Regular training on phishing and cybersecurity practices with employees is essential to prevent accidental malware installations within companies.

Conclusion

The CopyRh(ight)adamantys campaign illustrates the ongoing evolution of phishing tactics, with AI and automation playing a growing role in scaling attacks and personalizing lures. As cybercriminals become more adept at exploiting trust and urgency through realistic phishing messages, the need for robust cybersecurity measures becomes even more urgent. Remaining informed and cautious when going through your email is vital to protecting against these increasingly sophisticated threats.