{"id":169253,"date":"2024-10-02T13:42:02","date_gmt":"2024-10-02T13:42:02","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=169253"},"modified":"2024-10-02T13:42:04","modified_gmt":"2024-10-02T13:42:04","slug":"rhadamanthys-information-stealer-uses-ai","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/169253\/malware\/rhadamanthys-information-stealer-uses-ai.html","title":{"rendered":"Rhadamanthys information stealer introduces AI-driven capabilities"},"content":{"rendered":"
<\/div>\n

The Rhadamanthys information stealer has been upgraded with advanced features, including the use of artificial intelligence (AI) for optical character recognition (OCR).<\/h2>\n\n\n\n

Researchers at the Recorded Future’s Insikt group have documented the evolution of the Rhadamanthys info stealer<\/a>. The malware was first identified in 2022, and since then it has been upgraded with advanced features, the latest version 0.7.0 introduces AI-driven capabilities for extracting cryptocurrency seed phrases from images. <\/p>\n\n\n\n

The infostealer can steal credentials, system information, and financial data from infected systems, it supports sophisticated evasion techniques, including MSI installer disguise. Threat actors offer the malware for sale on underground forums, however, they ban customers from targeting specific regions. <\/gwmw><\/p>\n\n\n\n

The latest version of the Rhadamanthys information stealer uses artificial intelligence (AI) for optical character recognition (OCR) to support “Seed Phrase Image Recognition.”<\/p>\n\n\n\n

“This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies.” reads the report<\/strong><\/a> published by Recorded Future’s Insikt Group. “The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation.”<\/gwmw><\/p>\n\n\n\n

The malware is developed by a threat actor known as \u201ckingcrete2022\u02ee that advertises the info stealer on multiple hacking forums, including XSS, Exploit, Best Dark, Opencard, and Center-Club. The malware allows operators to harvest a broad range of information, including system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data stored in various applications.<\/p>\n\n\n\n

The subscription fee is $250 per month, or $550 for 90 days.<\/p>\n\n\n\n

Version 0.6.0 was released in February 2024, while latest version 0.7.0 of Rhadamanthys was released in June 2024.<\/gwmw><\/p>\n\n\n\n

“Version0.7.0, the most recent version, includes a complete rewrite of both client-side and server-side frameworks, improving the program’s execution stability. Additionally, 30 wallet-cracking algorithms, AI-powered graphics, and PDF recognition for phrase extraction were added. The text extraction capability was enhanced to identify multiple saved phrases.” reads the report. “Bugs and issues from the previous version were resolved. The Telegram module was rewritten to support HTML formatting and multi-token polling, while the synchronization module now includes file transfer protocol (FTP) support for remote log transfers. The search filter module has been rewritten, and an application programming interface (API) interface with an open platform has been introduced.”<\/em><\/gwmw><\/p>\n\n\n\n

<\/p>\n\n\n\n

The Rhadamanthys malware infection chain remains unchanged across the various versions. The three stages composing the attack chain:<\/p>\n\n\n\n