Linux Admins Beware! Fake PuTTY Client that Installs Rhadamanthys stealer

A malvertising campaign has been discovered deploying a fake PuTTY client to deliver the Rhadamanthys stealer, a dangerous information-stealing malware.

This campaign cleverly exploits the trust in the widely used SSH and Telnet client, PuTTY, by presenting a counterfeit website through malicious ads at the top of Google search results.

This article delves into the mechanics of this attack, the role of malware loaders, and the subsequent deployment of the Rhadamanthys stealer, underscoring the need for heightened vigilance among Linux administrators.

Malware Loader

Malware loaders, also known as droppers or downloaders, play a pivotal role in the cybercriminal ecosystem.


Their primary function is infiltrating a machine and deploying additional payloads while evading detection.

A sophisticated loader not only delivers malware but also verifies that the victim is a genuine target rather than an analysis environment, maximizing the attack’s impact.

The loader discussed in this campaign is particularly noteworthy for its use of the Go programming language and an innovative technique to deploy the Rhadamanthys stealer.

Malwarebytes has reported that the latest version of this Go loader is being used to deliver the Rhadamanthys stealer malware.

This new variant is being actively distributed and poses a significant threat to organizations and individuals.

The Malvertising Campaign

The campaign begins with a malicious ad that masquerades as PuTTY’s homepage.


This ad, cunningly placed above the official site in Google search results, directs unsuspecting users to a domain controlled by the attackers.

The domain, arnaudpairoto[.]com, is a red flag due to its irrelevance to PuTTY, highlighting the importance of scrutinizing domain names in ads.

A crawler, sandbox, or scanner visiting the domain instead sees a half-finished blog.

Victims from the US are redirected to a counterfeit site that mirrors putty.org, with the critical difference being the download link.

This link initiates a two-step redirection process, ultimately leading to the download of a malicious PuTTY executable from astrosphere[.]world.

puttyconnect[.]info/1.php
HTTP/1.1 302 Found
Location: astrosphere[.]world/onserver3.php

astrosphere[.]world/onserver3.php
HTTP/1.1 200 OK
Server: nginx/1.24.0
Content-Type: application/octet-stream
Content-Length: 13198274
Connection: keep-alive
Content-Description: File Transfer
Content-Disposition: attachment; filename="PuTTy.exe"

This server performs checks for proxies and logs the victim’s IP address, setting the stage for the delivery of the Rhadamanthys stealer.

Cybertron Technologies has recently tweeted about a malvertising campaign that leverages the Go Loader to deploy the Rhadamanthys Stealer.

The Rhadamanthys Stealer: The Final Payload

Upon execution, the fake PuTTY client, dubbed “Dropper 1.3” by its author, verifies the victim’s IP address to ensure the malware was downloaded through the deceptive ad.


Successful verification triggers the retrieval of the Rhadamanthys stealer from another server, utilizing the SSHv2 protocol for a covert download.

The Rhadamanthys stealer, once executed, poses a significant threat by stealing sensitive information from the compromised system.

This highlights the critical nature of the loader-malvertising combo, in which the threat actor meticulously manages the entire deployment process, from ad to loader to final payload.

The discovery of this malvertising campaign serves as a stark reminder of the constant vigilance required in the digital age.

System administrators, in particular, must be wary of seemingly legitimate tools and websites as cybercriminals continue to find innovative ways to breach defenses.

IOC

Decoy ad domain
arnaudpairoto[.]com

Fake site
puttyconnect[.]info

Fake PuTTY download host and dropper SHA-256
astrosphere[.]world
0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d

IP check
zodiacrealm[.]info

Rhadamanthys delivery server and payload SHA-256
192.121.16[.]228:22
bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203
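As an added example (not code from the article or from Malwarebytes), the following Python triages proxy and firewall records against the redirect chain and the indicators listed above, and checks a captured file's SHA-256 against the published hashes. The record format, the sample records and the allow-list of official PuTTY download hosts are assumptions made for the example.

```python
import hashlib

# Indicators from the article's IOC section, kept in the defanged form as published.
IOC_DOMAINS = {
    "arnaudpairoto[.]com": "decoy ad domain",
    "puttyconnect[.]info": "fake PuTTY site",
    "astrosphere[.]world": "fake PuTTY download host",
    "zodiacrealm[.]info": "dropper IP-check host",
}
IOC_SHA256 = {
    "0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d": "fake PuTTY dropper",
    "bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203": "Rhadamanthys stealer",
}
IOC_SSH_ENDPOINT = ("192.121.16.228", "22")  # Rhadamanthys delivery server, refanged
# Assumption: hosts that serve genuine PuTTY builds; replace with your own allow-list.
OFFICIAL_PUTTY_HOSTS = {"the.earth.li", "www.chiark.greenend.org.uk"}

def refang(indicator: str) -> str:
    """Turn the published 'example[.]com' form back into a matchable hostname."""
    return indicator.replace("[.]", ".")

IOC_HOSTS = {refang(d): label for d, label in IOC_DOMAINS.items()}

def triage_log(lines):
    """Flag proxy/firewall records matching the campaign. Record format (constructed for
    this example): ts src proto host port path status filename, '-' for absent fields."""
    hits = []
    for line in lines:
        _ts, src, _proto, host, port, _path, _status, fname = line.split()
        if host in IOC_HOSTS:                    # exact match on a published domain
            hits.append((src, f"{IOC_HOSTS[host]}: {host}"))
        elif (host, port) == IOC_SSH_ENDPOINT:   # SSHv2 fetch of the final payload
            hits.append((src, "SSH session to Rhadamanthys delivery server"))
        elif fname.lower() == "putty.exe" and host not in OFFICIAL_PUTTY_HOSTS:
            hits.append((src, f"PuTTY binary fetched from unofficial host {host}"))
    return hits

def classify_download(data: bytes):
    """Return the IOC label for a captured file, or None if its SHA-256 is not listed."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())

# Constructed sample records mirroring the redirect chain described in the article.
SAMPLE_LOG = [
    "2024-03-18T10:02:11Z 10.0.0.5 http puttyconnect.info 80 /1.php 302 -",
    "2024-03-18T10:02:12Z 10.0.0.5 http astrosphere.world 80 /onserver3.php 200 PuTTy.exe",
    "2024-03-18T10:03:40Z 10.0.0.5 tcp 192.121.16.228 22 - - -",
    "2024-03-18T10:05:00Z 10.0.0.9 http the.earth.li 443 /~sgtatham/putty/latest/w64/putty.exe 200 putty.exe",
    "2024-03-18T10:06:30Z 10.0.0.7 http putty-mirror.example 443 /dl/putty.exe 200 putty.exe",
]
```

The third rule catches a PuTTY binary served from any host outside the allow-list, so it also flags a future campaign that rotates away from the domains published here.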


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
