Priya Patel
TLDR:
- A fake PuTTY client named “Rhadamanthys Stealer” is targeting Linux admins via malicious advertisements impersonating the legitimate software.
- The threat actor uses a multi-staged infection chain to distribute malware payloads, potentially compromising systems.
Cybersecurity researchers at Malwarebytes Labs have issued a warning to Linux admins regarding a fake PuTTY client known as “Rhadamanthys” Stealer. PuTTY, a popular tool for remote server access, has become a prime target for hackers due to its widespread use and potential vulnerabilities that can be exploited for data breaches and code execution on targeted machines. In this case, hackers have launched a deceptive ad campaign impersonating the PuTTY homepage to distribute malware loaders and additional payloads.
The malicious ad falsely claims to be from the PuTTY homepage, directing potential victims to a fake site that may deliver a final malware payload. The attackers use sophisticated techniques, including a multi-staged redirection chain and the use of a Go-based dropper, to hide their malicious activities and evade detection. By utilizing the SSH protocol and IP verification, they can determine and target potential victims, ensuring that additional payloads are not sent to researchers or honeypots.
The complexity of this campaign’s payload delivery scheme highlights the evolving tactics of threat actors to spread malware without detection. Although this particular campaign has been reported to Google, it underscores the importance of proactive defense mechanisms such as strong malware detection and ad-blocking to counter such stealthy malware distribution schemes. By staying updated on IoCs and employing effective cybersecurity tools, organizations can protect themselves against malicious attacks like the Rhadamanthys Stealer.
