Cyber attackers leverage copyright infringement claims to lure victims into downloading Lumma Stealer and Rhadamanthys malware, specifically targeting Taiwanese Facebook business and advertising accounts. Let’s break down how this works and what makes this attack so strategic.
Attack Overview
Since at least July 2024, this phishing campaign has targeted Taiwanese Facebook business users with emails impersonating companies’ legal departments. The emails claim copyright infringement and pressure recipients into downloading a fake PDF file that allegedly contains details of the infringement.
This fake file, disguised as a PDF but actually an executable (.exe), bears file names in traditional Chinese like “Copyright Infringement Information” and “declare infringement,” directly aimed at traditional Chinese speakers. By impersonating known Taiwanese and Hong Kong companies, the attackers build credibility and exploit trust.
Opening the file launches a loader module for Lumma Stealer, a relatively new infostealer strain that emerged in early 2024. In some cases it was paired with Rhadamanthys, another infostealer with similar functionality.
Phishing Mechanics
The emails warn that if users don’t remove “infringing content” within 24 hours, they could face legal actions. This urgency tactic, coupled with mentions of real company names, makes recipients feel compelled to click the links. Attackers swap out details like the company name and address to keep the email templates adaptable across different targets. Notably, this campaign even uses templates mimicking industrial and e-commerce companies, tailoring each for its target audience.
When a victim clicks the download link, it passes through a series of redirects: from Google’s Appspot.com (a hosting platform for web apps) to a URL-shortening service and then to Dropbox, where the malware is hosted. Such multi-step redirection, common in advanced phishing attacks, hides the final download location from security systems and complicates detection. The downloaded file is password-protected and contains a hidden EPS (Encapsulated PostScript) file, which loads once the file is decrypted. This EPS file connects to command-and-control (C2) domains; DNS records observed during analysis indicate that the campaign is still active.
Types of Malware Used
Payloads delivered by the malicious pdf.exe files include two infostealers, LummaC2 and Rhadamanthys, both known for the sophistication of their data theft. They are widely sold on underground forums and target sensitive information such as credentials, system data, cryptocurrency wallets, and browser-stored data. Let’s have a closer look at each one.
LummaC2 Infostealer
This malware, written in C, relies on obfuscation techniques to evade detection while stealing information. When activated, it uses API functions such as CreateFileMappingA and VirtualAlloc to inject its code directly into memory, bypassing standard file-based detection. We have an advanced post dedicated to this threat – go check it out.
Overall, this threat currently represents the state of the art among infostealers, incorporating the latest trends in malware development. Its operators have also proven inventive in their distribution campaigns: they initially used YouTube promotions and Google Search ads as spreading channels, and they have kept looking for new and unpredictable ways to reach unsuspecting users.
Rhadamanthys Infostealer
Emerging in 2022, this stealer collects extensive system data and uses the .rsrc section of its binary (typically reserved for resources such as icons and menus) to conceal malicious code. Its loader modifies the registry so that the malware executes every time the system starts, adding a layer of persistence. It also inflates its file size to evade signature-based detection, a common antivirus defense.
The Rhadamanthys loader further complicates detection by injecting code into legitimate processes, such as “%Systemroot%\system32\dialer.exe”, so that the malicious activity appears to come from a harmless system process. Mutex objects ensure that only one instance of the malware is active at a time, another common evasion method.
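The behaviours described above (a document-named .exe being launched, an autorun registry key pointing at a dropped file, and dialer.exe started by an unexpected parent) can be turned into simple host-based detection logic. The following Python script is an added example, not code from the original article or from the malware analysis it summarizes; the event format, field names, the list of expected dialer.exe parents and the sample events are all constructed for illustration.

```python
"""Triage constructed Sysmon-style events for the indicators discussed above.

Added example: event shapes, field names and samples are constructed
assumptions for illustration; real telemetry will differ.
"""
import re
from typing import Iterable

# Double-extension executables posing as documents, e.g. "...pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png)\.exe$", re.IGNORECASE)
# Autorun registry locations commonly used for persistence.
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Parents from which dialer.exe is normally launched (assumption for this example).
EXPECTED_DIALER_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}


def triage(event: dict) -> list[str]:
    """Return findings for one event; an empty list means nothing suspicious."""
    findings = []
    if event.get("type") == "process_create":
        image = event.get("image", "")
        parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
        if DOUBLE_EXT.search(image):
            findings.append(f"double-extension executable launched: {image}")
        if image.lower().endswith("\\dialer.exe") and parent not in EXPECTED_DIALER_PARENTS:
            findings.append(f"dialer.exe started by unexpected parent {parent}")
    elif event.get("type") == "registry_set":
        key = event.get("key", "").lower()
        data = event.get("data", "")
        # Persistence: a Run/RunOnce value pointing at a document-named or temp-dir binary.
        if any(k in key for k in RUN_KEYS) and (DOUBLE_EXT.search(data) or "\\temp\\" in data.lower()):
            findings.append(f"autorun persistence set to {data}")
    return findings


def triage_all(events: Iterable[dict]) -> dict[int, list[str]]:
    """Map event index to its findings, omitting clean events."""
    return {i: hits for i, e in enumerate(events) if (hits := triage(e))}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Users\\u\\Downloads\\Copyright Infringement Information.pdf.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "data": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\dialer.exe",
     "parent_image": "C:\\Users\\u\\Downloads\\Copyright Infringement Information.pdf.exe"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for idx, hits in triage_all(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Each rule on its own is noisy; correlating the three on one host within a short window is what makes the chain worth an alert.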