Unpacking EncryptHub: Windows Zero-Day Exploitation for Rhadamanthys and StealC Malware Deployment

” said one senior cybersecurity researcher.

Body:

Cybersecurity professionals have detected a new campaign by the cybercriminal group EncryptHub that exploits a specific Windows zero-day vulnerability to deploy Rhadamanthys and StealC malware.

The exploitation manipulates the Windows Management Instrumentation Command-line (WMIC) by using .msc files and the Multilingual User Interface Path (MUIPath).

The threat actors primarily aim to compromise various sensitive user data.

Once the Windows zero-day is exploited, EncryptHub deploys a sophisticated multi-staged attack.

First, it installs the Rhadamanthys backdoor Trojan, granting the threat actor full access and control over the victim’s system.

The backdoor provides a portal for the secondary payload, the StealC malware.

As a powerful information stealer, StealC is designed to extract essential data such as login passwords, credit card details, and other valuable personal information.

Technical Analysis

The exploit starts by delivering a .msc file that carries a malicious DLL.

When opened, the .msc file calls the DLL using the MUIPath vulnerability.

A call-back is initiated to the C&C server, and it responds with an encoded payload.

This payload contains the Rhadamanthys(sometimes leveraging XOR encoding) that persistently executes on successful deployment.

Once Rhadamanthys is installed, it opens the gates for StealC, providing the ability to mine vital information such as saved passwords, internet browsing history, e-payment information, and more.

Mitigations

The zero-day is already patched in the Microsoft’s recent update CVE-2021-40444.

It is advised that all Windows users immediately apply this security patch to diminish vulnerability to the exploit.

Cybersecurity professionals also recommend maintaining robust and updated security software.

Regular investment in cybersecurity training can further enhance a user’s natural vigilance against phishing attempts and suspicious links.

Conclusions

The use of Windows’ zero-day flaws shows the need for constant vigilance and timely updates in the digital ecosystem.

It is a strong reminder to each organization about maintaining robust security posture.

Despite the rapid response of Microsoft in patching the vulnerability, this incident underlines the unending cat-and-mouse game between cybersecurity professionals and threat actors in cyber warfare.

Follow-Up Reading:

Infosecurity Magazine – Latest Cybersecurity News

Dark Reading – Cybersecurity Threat News

Krebs on Security – In-depth security news and investigation