research.checkpoint.com
Open in
urlscan Pro
141.193.213.21
Public Scan
Submitted URL: https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/#new_tab
Effective URL: https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/
Submission: On November 08 via api from IN — Scanned from US
Effective URL: https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/
Submission: On November 08 via api from IN — Scanned from US
Form analysis 1 forms found in the DOM
POST /2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/#wpcf7-f26727-o1
<form action="/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/#wpcf7-f26727-o1" method="post" class="wpcf7-form demo resetting" aria-label="Contact form" novalidate="novalidate" data-status="resetting">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="26727">
<input type="hidden" name="_wpcf7_version" value="6.0">
<input type="hidden" name="_wpcf7_locale" value="en_US">
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f26727-o1">
<input type="hidden" name="_wpcf7_container_post" value="0">
<input type="hidden" name="_wpcf7_posted_data_hash" value="">
</div>
<div class="contact-form-outer">
<div class="flex-row">
<div class="flex-12">
<div class="col-margin">
<p><label>First Name<span class="wpcf7-form-control-wrap" data-name="your-first-name"><input size="40" maxlength="400" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required form-control" aria-required="true" aria-invalid="false"
value="" type="text" name="your-first-name"></span></label>
</p>
</div>
</div>
<div class="flex-12">
<div class="col-margin">
<p><label>Last Name<span class="wpcf7-form-control-wrap" data-name="your-last-name"><input size="40" maxlength="400" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required form-control" aria-required="true" aria-invalid="false"
value="" type="text" name="your-last-name"></span></label>
</p>
</div>
</div>
<div class="flex-12">
<div class="col-margin">
<p><label>Country<span class="wpcf7-form-control-wrap" data-name="country"><select class="wpcf7-form-control wpcf7-select classform-control" aria-invalid="false" name="country">
<option value="">—Please choose an option—</option>
<option value="China">China</option>
<option value="India">India</option>
<option value="United States">United States</option>
<option value="Indonesia">Indonesia</option>
<option value="Brazil">Brazil</option>
<option value="Pakistan">Pakistan</option>
<option value="Nigeria">Nigeria</option>
<option value="Bangladesh">Bangladesh</option>
<option value="Russia">Russia</option>
<option value="Japan">Japan</option>
<option value="Mexico">Mexico</option>
<option value="Philippines">Philippines</option>
<option value="Vietnam">Vietnam</option>
<option value="Ethiopia">Ethiopia</option>
<option value="Egypt">Egypt</option>
<option value="Germany">Germany</option>
<option value="Iran">Iran</option>
<option value="Turkey">Turkey</option>
<option value="Democratic Republic of the Congo">Democratic Republic of the Congo</option>
<option value="Thailand">Thailand</option>
<option value="France">France</option>
<option value="United Kingdom">United Kingdom</option>
<option value="Italy">Italy</option>
<option value="Burma">Burma</option>
<option value="South Africa">South Africa</option>
<option value="South Korea">South Korea</option>
<option value="Colombia">Colombia</option>
<option value="Spain">Spain</option>
<option value="Ukraine">Ukraine</option>
<option value="Tanzania">Tanzania</option>
<option value="Kenya">Kenya</option>
<option value="Argentina">Argentina</option>
<option value="Algeria">Algeria</option>
<option value="Poland">Poland</option>
<option value="Sudan">Sudan</option>
<option value="Uganda">Uganda</option>
<option value="Canada">Canada</option>
<option value="Iraq">Iraq</option>
<option value="Morocco">Morocco</option>
<option value="Peru">Peru</option>
<option value="Uzbekistan">Uzbekistan</option>
<option value="Saudi Arabia">Saudi Arabia</option>
<option value="Malaysia">Malaysia</option>
<option value="Venezuela">Venezuela</option>
<option value="Nepal">Nepal</option>
<option value="Afghanistan">Afghanistan</option>
<option value="Yemen">Yemen</option>
<option value="North Korea">North Korea</option>
<option value="Ghana">Ghana</option>
<option value="Mozambique">Mozambique</option>
<option value="Taiwan">Taiwan</option>
<option value="Australia">Australia</option>
<option value="Ivory Coast">Ivory Coast</option>
<option value="Syria">Syria</option>
<option value="Madagascar">Madagascar</option>
<option value="Angola">Angola</option>
<option value="Cameroon">Cameroon</option>
<option value="Sri Lanka">Sri Lanka</option>
<option value="Romania">Romania</option>
<option value="Burkina Faso">Burkina Faso</option>
<option value="Niger">Niger</option>
<option value="Kazakhstan">Kazakhstan</option>
<option value="Netherlands">Netherlands</option>
<option value="Chile">Chile</option>
<option value="Malawi">Malawi</option>
<option value="Ecuador">Ecuador</option>
<option value="Guatemala">Guatemala</option>
<option value="Mali">Mali</option>
<option value="Cambodia">Cambodia</option>
<option value="Senegal">Senegal</option>
<option value="Zambia">Zambia</option>
<option value="Zimbabwe">Zimbabwe</option>
<option value="Chad">Chad</option>
<option value="South Sudan">South Sudan</option>
<option value="Belgium">Belgium</option>
<option value="Cuba">Cuba</option>
<option value="Tunisia">Tunisia</option>
<option value="Guinea">Guinea</option>
<option value="Greece">Greece</option>
<option value="Portugal">Portugal</option>
<option value="Rwanda">Rwanda</option>
<option value="Czech Republic">Czech Republic</option>
<option value="Somalia">Somalia</option>
<option value="Haiti">Haiti</option>
<option value="Benin">Benin</option>
<option value="Burundi">Burundi</option>
<option value="Bolivia">Bolivia</option>
<option value="Hungary">Hungary</option>
<option value="Sweden">Sweden</option>
<option value="Belarus">Belarus</option>
<option value="Dominican Republic">Dominican Republic</option>
<option value="Azerbaijan">Azerbaijan</option>
<option value="Honduras">Honduras</option>
<option value="Austria">Austria</option>
<option value="United Arab Emirates">United Arab Emirates</option>
<option value="Israel">Israel</option>
<option value="Switzerland">Switzerland</option>
<option value="Tajikistan">Tajikistan</option>
<option value="Bulgaria">Bulgaria</option>
<option value="Hong Kong (China)">Hong Kong (China)</option>
<option value="Serbia">Serbia</option>
<option value="Papua New Guinea">Papua New Guinea</option>
<option value="Paraguay">Paraguay</option>
<option value="Laos">Laos</option>
<option value="Jordan">Jordan</option>
<option value="El Salvador">El Salvador</option>
<option value="Eritrea">Eritrea</option>
<option value="Libya">Libya</option>
<option value="Togo">Togo</option>
<option value="Sierra Leone">Sierra Leone</option>
<option value="Nicaragua">Nicaragua</option>
<option value="Kyrgyzstan">Kyrgyzstan</option>
<option value="Denmark">Denmark</option>
<option value="Finland">Finland</option>
<option value="Slovakia">Slovakia</option>
<option value="Singapore">Singapore</option>
<option value="Turkmenistan">Turkmenistan</option>
<option value="Norway">Norway</option>
<option value="Lebanon">Lebanon</option>
<option value="Costa Rica">Costa Rica</option>
<option value="Central African Republic">Central African Republic</option>
<option value="Ireland">Ireland</option>
<option value="Georgia">Georgia</option>
<option value="New Zealand">New Zealand</option>
<option value="Republic of the Congo">Republic of the Congo</option>
<option value="Palestine">Palestine</option>
<option value="Liberia">Liberia</option>
<option value="Croatia">Croatia</option>
<option value="Oman">Oman</option>
<option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option>
<option value="Puerto Rico">Puerto Rico</option>
<option value="Kuwait">Kuwait</option>
<option value="Moldov">Moldov</option>
<option value="Mauritania">Mauritania</option>
<option value="Panama">Panama</option>
<option value="Uruguay">Uruguay</option>
<option value="Armenia">Armenia</option>
<option value="Lithuania">Lithuania</option>
<option value="Albania">Albania</option>
<option value="Mongolia">Mongolia</option>
<option value="Jamaica">Jamaica</option>
<option value="Namibia">Namibia</option>
<option value="Lesotho">Lesotho</option>
<option value="Qatar">Qatar</option>
<option value="Macedonia">Macedonia</option>
<option value="Slovenia">Slovenia</option>
<option value="Botswana">Botswana</option>
<option value="Latvia">Latvia</option>
<option value="Gambia">Gambia</option>
<option value="Kosovo">Kosovo</option>
<option value="Guinea-Bissau">Guinea-Bissau</option>
<option value="Gabon">Gabon</option>
<option value="Equatorial Guinea">Equatorial Guinea</option>
<option value="Trinidad and Tobago">Trinidad and Tobago</option>
<option value="Estonia">Estonia</option>
<option value="Mauritius">Mauritius</option>
<option value="Swaziland">Swaziland</option>
<option value="Bahrain">Bahrain</option>
<option value="Timor-Leste">Timor-Leste</option>
<option value="Djibouti">Djibouti</option>
<option value="Cyprus">Cyprus</option>
<option value="Fiji">Fiji</option>
<option value="Reunion (France)">Reunion (France)</option>
<option value="Guyana">Guyana</option>
<option value="Comoros">Comoros</option>
<option value="Bhutan">Bhutan</option>
<option value="Montenegro">Montenegro</option>
<option value="Macau (China)">Macau (China)</option>
<option value="Solomon Islands">Solomon Islands</option>
<option value="Western Sahara">Western Sahara</option>
<option value="Luxembourg">Luxembourg</option>
<option value="Suriname">Suriname</option>
<option value="Cape Verde">Cape Verde</option>
<option value="Malta">Malta</option>
<option value="Guadeloupe (France)">Guadeloupe (France)</option>
<option value="Martinique (France)">Martinique (France)</option>
<option value="Brunei">Brunei</option>
<option value="Bahamas">Bahamas</option>
<option value="Iceland">Iceland</option>
<option value="Maldives">Maldives</option>
<option value="Belize">Belize</option>
<option value="Barbados">Barbados</option>
<option value="French Polynesia (France)">French Polynesia (France)</option>
<option value="Vanuatu">Vanuatu</option>
<option value="New Caledonia (France)">New Caledonia (France)</option>
<option value="French Guiana (France)">French Guiana (France)</option>
<option value="Mayotte (France)">Mayotte (France)</option>
<option value="Samoa">Samoa</option>
<option value="Sao Tom and Principe">Sao Tom and Principe</option>
<option value="Saint Lucia">Saint Lucia</option>
<option value="Guam (USA)">Guam (USA)</option>
<option value="Curacao (Netherlands)">Curacao (Netherlands)</option>
<option value="Saint Vincent and the Grenadines">Saint Vincent and the Grenadines</option>
<option value="Kiribati">Kiribati</option>
<option value="United States Virgin Islands (USA)">United States Virgin Islands (USA)</option>
<option value="Grenada">Grenada</option>
<option value="Tonga">Tonga</option>
<option value="Aruba (Netherlands)">Aruba (Netherlands)</option>
<option value="Federated States of Micronesia">Federated States of Micronesia</option>
<option value="Jersey (UK)">Jersey (UK)</option>
<option value="Seychelles">Seychelles</option>
<option value="Antigua and Barbuda">Antigua and Barbuda</option>
<option value="Isle of Man (UK)">Isle of Man (UK)</option>
<option value="Andorra">Andorra</option>
<option value="Dominica">Dominica</option>
<option value="Bermuda (UK)">Bermuda (UK)</option>
<option value="Guernsey (UK)">Guernsey (UK)</option>
<option value="Greenland (Denmark)">Greenland (Denmark)</option>
<option value="Marshall Islands">Marshall Islands</option>
<option value="American Samoa (USA)">American Samoa (USA)</option>
<option value="Cayman Islands (UK)">Cayman Islands (UK)</option>
<option value="Saint Kitts and Nevis">Saint Kitts and Nevis</option>
<option value="Northern Mariana Islands (USA)">Northern Mariana Islands (USA)</option>
<option value="Faroe Islands (Denmark)">Faroe Islands (Denmark)</option>
<option value="Sint Maarten (Netherlands)">Sint Maarten (Netherlands)</option>
<option value="Saint Martin (France)">Saint Martin (France)</option>
<option value="Liechtenstein">Liechtenstein</option>
<option value="Monaco">Monaco</option>
<option value="San Marino">San Marino</option>
<option value="Turks and Caicos Islands (UK)">Turks and Caicos Islands (UK)</option>
<option value="Gibraltar (UK)">Gibraltar (UK)</option>
<option value="British Virgin Islands (UK)">British Virgin Islands (UK)</option>
<option value="Aland Islands (Finland)">Aland Islands (Finland)</option>
<option value="Caribbean Netherlands (Netherlands)">Caribbean Netherlands (Netherlands)</option>
<option value="Palau">Palau</option>
<option value="Cook Islands (NZ)">Cook Islands (NZ)</option>
<option value="Anguilla (UK)">Anguilla (UK)</option>
<option value="Wallis and Futuna (France)">Wallis and Futuna (France)</option>
<option value="Tuvalu">Tuvalu</option>
<option value="Nauru">Nauru</option>
<option value="Saint Barthelemy (France)">Saint Barthelemy (France)</option>
<option value="Saint Pierre and Miquelon (France)">Saint Pierre and Miquelon (France)</option>
<option value="Montserrat (UK)">Montserrat (UK)</option>
<option value="Saint Helena, Ascension and Tristan da Cunha (UK)">Saint Helena, Ascension and Tristan da Cunha (UK)</option>
<option value="Svalbard and Jan Mayen (Norway)">Svalbard and Jan Mayen (Norway)</option>
<option value="Falkland Islands (UK)">Falkland Islands (UK)</option>
<option value="Norfolk Island (Australia)">Norfolk Island (Australia)</option>
<option value="Christmas Island (Australia)">Christmas Island (Australia)</option>
<option value="Niue (NZ)">Niue (NZ)</option>
<option value="Tokelau (NZ)">Tokelau (NZ)</option>
<option value="Vatican City">Vatican City</option>
<option value="Cocos (Keeling) Islands (Australia)">Cocos (Keeling) Islands (Australia)</option>
<option value="Pitcairn Islands (UK)">Pitcairn Islands (UK)</option>
</select></span></label>
</p>
</div>
</div>
<div class="flex-12">
<div class="col-margin">
<p><label>Email<span class="wpcf7-form-control-wrap" data-name="your-email"><input size="40" maxlength="400" class="wpcf7-form-control wpcf7-email wpcf7-validates-as-required wpcf7-text wpcf7-validates-as-email form-control"
aria-required="true" aria-invalid="false" value="" type="email" name="your-email"></span></label>
</p>
</div>
</div>
<div class="flex-12">
<div class="col-margin">
<div class="button-wrap center relative">
<p><input class="wpcf7-form-control wpcf7-submit has-spinner button font-white" type="submit" value="SUBMIT"><span class="wpcf7-spinner"></span>
</p>
</div>
</div>
</div>
</div>
</div>
<div class="wpcf7-response-output" aria-hidden="true"></div>
</form>Text Content
* CONTACT US
* DISCLOSURE POLICY
* CHECKPOINT.COM
* UNDER ATTACK?
* Latest Publications
* CPR Podcast Channel
* Web 3.0 Security
* Intelligence Reports
* Resources
* ThreatCloud AI
* Threat Intelligence & Research
* Zero Day Protection
* Sandblast File Analysis
* About Us
* SUBSCRIBE
SUBSCRIBE
CATEGORIES
* Android Malware 23
* Artificial Intelligence 4
* ChatGPT 3
* Check Point Research Publications 390
* Cloud Security 1
* CPRadio 44
* Crypto 2
* Data & Threat Intelligence 1
* Data Analysis 0
* Demos 22
* Global Cyber Attack Reports 328
* How To Guides 12
* Ransomware 1
* Russo-Ukrainian War 1
* Security Report 1
* Threat and data analysis 0
* Threat Research 172
* Web 3.0 Security 9
* Wipers 0
COPYRH(IGHT)ADAMANTYS CAMPAIGN: RHADAMANTYS EXPLOITS INTELLECTUAL PROPERTY
INFRINGEMENT BAITS
November 6, 2024
https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/
KEY FINDINGS
* Check Point Research is tracking an ongoing, large scale and sophisticated
phishing campaign deploying the newest version of the Rhadamanthys stealer
(0.7). We dubbed this campaign CopyRh(ight)adamantys.
* This campaign utilizes a copyright infringement theme to target various
regions, including the United States, Europe, East Asia, and South America.
* The campaign impersonates dozens of companies, while each email is sent to a
specific targeted entity from a different Gmail account, adapting the
impersonated company and the language per targeted entity. Almost 70% of the
impersonated companies are from Entertainment /Media and Technology/Software
sectors.
* Analysis of the lures and targets in this campaign suggests the threat actor
uses automation for lures distribution. Due to the scale of the campaign and
the variety of the lures and sender emails, there is a possibility that the
threat actor also utilized AI tools.
* One of the main updates in the Rhadamanthys stealer version according to
claims by the author, is AI-powered text recognition. However, we discovered
that the component introduced by Rhadamanthys does not incorporate any of the
modern AI engines, but instead uses much older classic machine learning,
typical for OCR software.
While we finalized this blog post, a technical analysis of this activity
was published by fellow researchers from Cisco Talos. While it overlaps with our
findings to some extent, our report provides additional extended information
about the activity.
INTRODUCTION
Since July 2024, Check Point Research (CPR) has been tracking an extensive and
ongoing phishing campaign that leads to the deployment of the Rhadamanthys
stealer. This campaign masquerades as various companies and falsely claims that
victims have committed copyright infringement related on their Facebook pages.
The phishing emails, typically sent from Gmail accounts, prompt recipients to
download an archive file, which triggers the infection through DLL side-loading.
The vulnerable binary then installs the latest version of the Rhadamanthys
stealer (version 0.7), which includes new capabilities such as an alleged
AI-powered OCR (optical character recognition) module.
In this report, we share our ongoing efforts to study the use of the
Rhadamanthys stealer, which both cybercriminals and state-sponsored actors have
adopted. We provide an in-depth examination of the phishing campaign, the
tactics used by the attackers, and the updates introduced in this latest version
of Rhadamanthys.
BACKGROUND
Throughout 2024, we have been monitoring threat actors’ activities leveraging
the Rhadamanthys stealer, including its use by Void Manticore, an Iranian actor
operating in Israel and Albania. In one campaign tied to Handala, a persona
linked to Void Manticore, the Rhadamanthys stealer was distributed under the
guise of a F5 update. This marked their first use of the stealer, which they
continued to deploy in subsequent campaigns impersonating Israeli and
international companies.
Simultaneously, Check Point Software Technologies began receiving reports of
phishing lures mimicking Check Point- branded emails leading to the deployment
of Rhadamanthys. Given Handala’s previous interest in Check Point and threats
they published in their Telegram channel, our initial assumption was that they
were also behind this campaign. However, further analysis revealed this was
merely a coincidence and the Check Point lures were part of a larger, distinct
cybercrime-oriented cluster, which we explore in detail.
COPYRH(IGHT)ADAMANTYS EMAILS
The newly identified cluster is characterized by spear-phishing emails sent from
Gmail accounts allegedly from well-known companies claiming supposed copyright
violations. These emails, which appear to come from the legal representatives of
the impersonated companies, accuse the recipient of misusing their brand on the
target’s social media page and requesting the removal of specific images and
videos.
The removal instructions are said to be in a password-protected file. However,
the attached file is a download link to appspot.com, linked to the Gmail
account, which redirects the user to Dropbox or Discord to download a
password-protected archive (with the password provided in the email).
Figure 2 – Malicious ZIP download link.
We observed hundreds of emails impersonating dozens of companies, each sent to a
specific address from a different Gmail account. Almost 70% of the impersonated
companies are from Entertainment /Media and Technology/Software sectors. This is
possibly due to the fact that those sectors have a high online presence and are
more likely to send such requests than other sectors. These high profile sectors
also have frequent copyright-related communications, making such phishing
attempts appear more credible.
The attackers likely used an automated tool, possibly with AI integration, to
generate both the emails and the accounts. While most emails are written in the
recipient’s local language or English, occasional errors occur. For example, one
email intended for an Israeli target was written in Korean instead of Hebrew,
with only the target’s name correctly localized.
Figure 3 – Phishing email written in Korean mistakenly sent to a target in
Israel.
INFECTION CHAIN
Figure 4 – Copyright campaign infection chain.
As we stated, the infection begins with a spear-phishing email containing a link
to download a password-protected archive. This archive typically includes three
files: a legitimate executable, a DLL (which contains the packed Rhadamanthys),
and a decoy Adobe ESPS or PDF file. When the executable is run, it utilizes DLL
sideloading to load the malicious DLL, which subsequently unpacks and loads the
Rhadamanthys components.
The legitimate executables and the names given to the DLL for sideloading:
Legitimate Executable (Often renamed)Sideloaded
DLLLauncher.exemsimg32.dllAcroLicApp.exemsimg32.dllAdobeARM.exeSensApi.dll
Once active, the stealer writes a significantly larger copy of the DLL into
the Documents folder, masquerading as a Firefox-related component
(FirefoxData.dll). It also creates a registry key for persistence:
Figure 5 – Registry key added for persistence.
The only difference between the dropped DLL and the one from the initial package
is an appended empty overlay. This is a simple trick intended to evade
hash-based detection, as the random padding changes the original hash of the
executable. Sometimes, the enlarged size of the file may also cross the
acceptable file size threshold defined by a particular antivirus engine, and as
a result, the file is not scanned.
As the Rhadamanthys modules are loaded, they are injected into one of the
following processes from the system32 directory:
* credwiz.exe
* OOBE-Maintenance.exe
* openwith.exe
* dllhost.exe
* rundll32.exe
The process of loading Rhadamanthys modules and their general flow did not
change much since the last version, 0.5.0, that we described in detail in our
previous report. The initial Rhadamanthys executable has a hardcoded package
from which Stage 2 is unpacked.
The role of Stage 2 is to run extensive evasion checks on the compromised
machine, connect to the Command-and-Control server (C2), and download the next
package which contains Stage 3. Stage 3, shipped steganographically in a WAV
file, is a rich set of stealer modules that attack various targets. We described
most of these modules in our previous article.
A complete list of Rhadamanthys Stages 2 and 3 is available in Appendix A.
TARGETS
The campaign’s targets are distributed across a wide geographic area, including
the US, Europe, the Middle East, East Asia, and South America. However, it’s
important to note that our target observations are limited by our customers’
that were targeted by this campaign. We believe this is part of a much larger
campaign, with likely many more countries affected than we’ve seen.
Figure 6 – Map of targeted countries according to Check Point’s telemetry.
ATTRIBUTION
Although Rhadamanthys was previously linked to nation-state threat actors like
those from Russia or Iran, we assess that this campaign is more likely the work
of a cybercrime group rather than a state-sponsored operation for the following
reasons:
* Unlike nation-state actors, who typically target high-value assets such as
government agencies or critical infrastructure, this campaign displays no
such selectivity. Instead, it targets a diverse range of organizations with
no clear strategic connections, reinforcing the conclusion that financial
motives drive the attackers.
* The infrastructure used, such as creating different Gmail accounts for each
phishing attempt, indicates the possible use of automation tools possibly
powered by AI. This level of operational efficiency, along with the
indiscriminate targeting of multiple regions and sectors, points to a
cybercrime group seeking to maximize financial returns by casting a wide net.
RHADAMANTHYS 0.7
While working on this report, Recorded Future, a cyber security company,released
a comprehensive analysis of Rhadamantys 0.7.The Rhadamanthys version used in
this campaign, identified as 0.7, is the latest release at the time of this
writing. It was introduced by the developer of the malware a few months ago in
the following announcement:
Figure 7 – Source: https://x.com/g0njxa/status/1812902577530454023
The author stated that text recognition is implemented with AI. As AI is
currently a hot topic, this may help promote the product and show that it uses
cutting-edge technology. However, as we found out, the component introduced by
Rhadamanthys does not incorporate any of the modern AI engines but instead uses
much older classic machine learning, typical for OCR software.
In this latest release, the author announced many improvements. Some of the
existing components were polished and modified. Only one new executable, the OCR
component, was added.
THE OCR MODULE
In the package downloaded from the C2, we find the following:
* ImgDat (full path in Rhadamanthys Filesystem: /bin/amd64/imgdat.bin ) – An
executable in XS2 format.
* bip39.txt (/etc/bip39.txt) – A small dictionary.
The ImgDat is the OCR module that the author mentioned in the
announcement: “Added AI graphics and PDF recognition to extract phases”. The
newly added text file bip39.txt is its configuration and contains a dictionary
of search phrases that will be checked against the extracted text.
The name Bip39 suggests that it is related to the Bitcoin Improvement Proposal
39, which states how to create phrases out of numbers to make wallet protection
codes easier for humans to remember. According to the specification, Bip39
contains a dictionary of 2048 words – just like the file we found. We compared
it with the official Bip39 wordlist and confirmed that the content is the same:
https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt
(https://www.blockplate.com/pages/bip-39-wordlist).
Based on this information, we can easily guess that the OCR module is applied to
search for documents where such phrases may be stored, and the retrieved
information will be further used in attacks on Bitcoin wallets. This set of
phrases used for text recognition suggests that the campaign is motivated by
financial gain rather than espionage purposes.
How ImgDat is deployed
The ImgDat executable is deployed by the main module of Stage 3 (coredll.bin),
which is responsible for coordinating the work of all the stage’s components. In
the ImgDat module, calling the Entry Point retrieves a list of its exported
functions that are used later.
The exported functions:
* init – Initializes the OCR component with a given configuration and returns
the context structure.
* delete – Destroys the initialized structure.
* process – Implements the main operations – image processing and text
extraction.
> Workflow:
1. The function init is called and the content of “bip39.txt” is passed to it
to initialize the component with the given list of searched phrases. They
are stored in the dedicated linked list that is a part of the context
structure.
2. The function process is fetched from ImgDat. The core module walks through
the disks of the infected machine and then calls this function on every
retrieved path.
3. The function “process” from ImgDat is called a callback from within a
filtering function. It first checks if the retrieved path contains the
extension from the hardcoded list. The supported formats from which the
module can retrieve the text:
* BMP
* JPEG
* PNG
* TIFF
* WMF
If the extension matches, the file content is read and passed to
the process function from the ImgDat module.
The OCR implementation
The image is loaded via the GDI+ interface and then preprocessed to facilitate
text recognition. First, all pixels from the image are loaded into the dedicated
buffer:
Figure 8 – Fragment of a function denoted as “read_bitmap_from_image” within the
“process” API.
The RGB components of the picture are compressed into a single byte.
The OCR functionality is implemented within the function denoted
as extract_text that is a part of the process API. When we look inside, we can
find a reference to thresholding, a well known technique commonly applied in OCR
software. Its role is to enhance the contrast to be able to distinguish the text
from the background of the image.
Figure 9 – Rhadamanthys OCR code.
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
[thresholding] image = %p , (%d , %d) (%d , %d)\n
[thresholding] image = %p , (%d , %d) (%d , %d)\n
[thresholding] image = %p , (%d , %d) (%d , %d)\n
The image is then processed using a trained local machine learning model.
Extracted sentences are stored in the dedicated structure.
Figure 10 – Example of an input image (PNG) and the phrases extracted with the
help of ImgDat.
Finally, the extracted phrases are separated into words, which are then compared
with the previously initialized token list. If there are enough matches (at
least 9 strings from the list and at least 12 strings processed),
the process function returns true.
The model has limited precision. For example, it handles only the most popular
fonts and cannot recognize handwritten text. In addition, it doesn’t do well
with text in mixed colors (especially if one line of the text is darker than the
background and another is lighter).
CONCLUSION
In this article, we analyzed a large-scale phishing campaign discovered in July
2024. This campaign used a copyright infringement theme to spread the
Rhadamanthys info stealer. This campaign employed tactics including DLL
sideloading and anti-detection techniques, making the latest version of
Rhadamanthys (0.7) more potent and more challenging to detect. We also examined
Rhadamanthys’ new OCR features.
The campaign’s widespread and indiscriminate targeting of organizations across
multiple regions suggests it was orchestrated by a financially motivated
cybercrime group rather than a nation-state actor. Its global reach, automated
phishing tactics, and diverse lures demonstrate how attackers continuously
evolve to improve their success rates.
Check Point Customers Remain Protected Against the Threats Described in this
Report.
Check Point’s Threat Emulation provides comprehensive coverage of attack
tactics, file types, and operating systems:
* InfoStealer.Wins.Rhadamanthys.ta.V
* InfoStealer.Wins.Rhadamanthys.*
Harmony Endpoint provides comprehensive endpoint protection at the highest
security level, crucial to avoid security breaches and data compromise :
* InfoStealer.Wins.Rhadamanthys.*
Harmony Email and Collaboration provides comprehensive inline protection at the
highest security level.
APPENDIX A
Stage 2 – Unpacked from the hardcoded package:
NameFormatSHA256dt.x86XS1bea558e8129fcb647e6f42c8beda4464e109dd3cd546342c0337dbd50616f991early.x86XS14fd469d08c051d6997f0471d91ccf96c173d27c8cff5bd70c3f2c5008faa786fearly.x64XS1633b0fe4f3d2bfb18d4ad648ff223fe6763397daa033e9c5d79f2cae89a6c3b2netclient.x86XS1b97dd0279e112e0591b38064f59077102ab188b07a069cb104e66e4756e2570aphexec.binXS113872271ee511aa83f3f27d5db248516652b10a079ad01f78ed734cd2a87ec77prepare.binshellcoded96ec4b08c08b81ba9075423d5e83bf330de09866066b4bdb459bcbac389a350proto.x86shellcodea905226a2486ccc158d44cf4c1728e103472825fb189e05c17d998b9f5534d63stage.x86shellcode44f3936ee158d2846664bf5cd795fd90a99441186b20b90ff241ba1b38a6a3e9strategy.x86XS1219a6387d91c4b2c8e91c8613192af950bd9c790114a238eb0e1e7c878f6e728unhook.binXS137438095a5e7be0ce12997dc23d1ff117912989d2f24beab95284f9380f65834ua.txtplain
textaeba4ece8c4bf51d9761e49fad983967e76c705a06999c556c099f39853f737cprocessex.xplain
text3ca87045da78292a6bba017138ff9ee42b4e626b64d0fee6d86a16cc3258c8c3
Stage 3 – Downloaded from the C2:
NameFormatSHA256coredll.bin
(32)XS23737501bbd4abd0844da016c0263399e3c670ae52952b30ca46c6c96cf4e318dcoredll.bin
(64)XS26012386eab453f4fb1cfb88fb5b05ba9ec71a838029ea51bcff4c0b5a2fbfad2taskcore.bin
(32)XS2c0b319bb19092fe3c193e5139fcdf599502b669143b06c676e81f46ab50fb4edtaskcore.bin
(64)XS218273fa35c54332d8763cb17a5ae92de5636f3a05c507ce18d9d6a77c3139debstubmod.bin
(32)XS2d97aa65123c26509e3fc1a9963962b7f707a50ddca44a9a12fd03e654ab5aa66stubmod.bin
(64)XS2fd9fbfa809450415e8d0d79199ec8686cb7071d6e13a5b76f0ce1b03a2a61302runtime.dllPE,
.NETa87032195e38892b351641e08c81b92a1ea888c3c74a0c7464160e86613c4476loader.dllPE,
.NET3d010e3fce1b2c9ab5b8cc125be812e63b661ddcbde40509a49118c2330ef9d0KeePassHax.dllPE,
.NETfcb00beaa88f7827999856ba12302086cadbc1252261d64379172f2927a6760eimgdat.bin
(32)XS22625d99af56c79de32f9fba2332f63eb9c88707e9ea83985bce5df9022ced99aimgdat.bin
(64)XS2ffb264a19af7c8a8dd5357b62c45fcd3063ca946aa2710740c4e8b21f8e697d9bip39.txtplain
text24ce42c2fd4a95c1b86bbee9bce1e1cf255bd0022e19bab6bd591afd68b7efdbLua
extensionsLUA code–
IOCS
C2:
* 198.135.48.191
* 139.99.17.158
* 103.68.109.208
* 95.169.204.214
* 15.235.138.155
* 15.235.176.166
Archives:
* d285677cba6acf848aa4869df74af959f60ef1bc1271b4032000fcdd44f407f2
* 2be6ad454fa9e87f78dea80d2855f1c14df81a881093a1a0d57f348377f477a8
* 9ef9c88cef51ee0fb77ea9a78dbe60651603ef807ddb6c44d5bda95cc9026527
* e8aa9a061c6ea803faaf4c8d7a80c6886b4ee73d9a89a9dc6e87e3fecf7a6851
* b1ac4ad92045e935c132214015188d27ec4382f930d0152dfb303695b708b38d
* 00086cf4f35b6fb7f897cfa2f0d5ad9876aa9819cdc87416c798005ce901d3a1
* 05e02f0f9b8625fe3959ae1219f31b0167d787fefc0a9d152edf6524d6859590
* 0a3dfe260dd7b038ddb8911689c899541391c188aff966261e7bd9d0280d153d
* 0b9bd95d815af9ea4a59840ef6fcdc7ccfd0e239c40974334cb4cfb41df530db
* 0de8d2d3217cebd37a2fe488713d1c288ae5a63d3d3b2a3495e2e636ba6a1f89
* 10eafd75429ffadee2384acd37b0d4e7ca26b83666e6786f2acaf1b1c29c3f17
* 12b7390835f30c1bcdeddd258e49684c98133cee4a6a2ccab869785567deae4f
* 2a276ca5b2e095cdac7b24e58b3f7a67cee7db2fb5c1568e4775909265c7e914
* 2aa58fa8d71bd2b4fd1ffac16a6461191bbf6f4b2c97455ae52800cce929a0f2
* 2e0c99758432a3759b5af6f190ec5cb72a5a84c977d8883dcf041c4de003f3d3
* 324dfc7bb75f27e6fba8d67dea67a63525efbe947bf8e29ef39980c6efc1c3f6
* 3448005600ccb0ae52443a4c227a657de9cd767b389e9a1ed75ef074709981bd
* 3de252c9023bc8920d77570acdfe21813532727af3f91d59af35fa8abcd3700f
* 3ecf2838b2e07e6d329d45cde7d0162ba47fea4b94bacb24838358314daed756
* 415ee9b12002f17ca4f36bef794fdb19884e22980e21bf8a15043258624c439b
* 416f3fa48b75ab168e3373dae77cab7f4702de5158835d23a02629e8c1d20156
* 41a3edb3a8e8d5cf093cbd02791911f6ee26df39a377fceb6b101d66a7b7aff2
* 4b33219c5cadb4d741044874f6f0184d45f43891d28ad5b489716d4da21310fd
* 4bbe0f6b5488a51295b15d8144d0a1c9b41bb86384299b88ea48e88c76704f52
* 4cbcfa2a8d56976eff1e8ac0ef4d7703d0b802f227975a0cc36f3dcd3a90e73e
* 5cec33e8f47855da3c4ce1f3953d750275864714b16e08a94605bc3889867caf
* 6044e08402d1abd52991f5c6a4749ba6aa29a0587ff196edf60b38862392e855
* 623bb3f1f476c37afc309d6c0ab89e216aaedc03b8a7ec1aaec5fb5085d78a97
* 741dfdae8948f3e430a5b7b66c8fb4b8a750695b67a84a12abc0b6089e8fba31
* 7990765022c4400a45f996046971b9e6b69cca5b06f8d2adb61bc267fd362197
* 7d7a3e254b7968400a301d83fcd44a69f655386b9b95998a36113cfb2e542720
* 7dc07b8aa268485e40ab78bfbb03a367d80ebd7b2c6c74961dc6842cae7086e1
* 7e270a80cd0f04f245309e8c75cfc2cb46dc075ba01a00b30f66cb8b5deaaf3f
* 865a4f2583679f7a40357b61301d75567cf516a5b8295dc8155e6d4aa2ce244a
* 878917b6a8d241031fc330eff771f416a9fffaecab42c39d57e58ac2d8f38f11
* 970e199e40511e90d6dd5d6f3c9f3701215fd881b1273fe2617bd44444b0bee9
* 9a249dfdc2c16700bc5add2455f2ed00e47a2610b7779cc33e40aac576a2a74d
* 9abf9fb94e2529d8819a3873f2025bdd90d14e75fe4af81e489f6d0560809f9c
* 9d10835f7717c89d17886b7e59cc2dfc9133bfaa044bad5f070e1c8e1212e257
* a03d2956ff8d0ae4d96c9e6cced79b335b70eef10feb0f7202609cb8652179f6
* a064bbc4b58642ab4d7118abc55fb81db6584cbc633800ad14048e8370a95ef2
* a15d0aedc8b4e54a170b6ecc3d9a06835cc499f07b05c6ca261081ace505debf
* a72083974e886856b7d985bdc79888234c8cd9012ed39b2566851fb0d86cca50
* a8729621ca4310e8e1a7ad3e1426708f1e1954a16af420cd3ce46c501e9692ab
* a9896a8f96407a5eedda08a63dd40967f0fe0b3926e7002b6e1abc11f6ab81cc
* aa04c9307a9087455d21dfac02d7f322ab337cd5978f9161285a9c79379efecc
* b36205464ead176a473ab43ea7b5e0c2b8749b3eb9549d65609be2337dce25db
* b529c6df6164ff8badf30f942220a3126f99e3fc2c2ea1494aa3e305b3b53c1f
* b9c4c8343ba75081954b2db54940585c6c0c9bb47e053ac1b9229b4fa8fc9293
* be9c3feed5f6e81ccd375902c8c92616f77694b6cd14f69896d44dd4b1ea4990
* c5bb808a88f9e729484c05a1bc3097157bbfbd28469e502f2ebc4c6e6135df42
* c622c0f67eb5d9a90008e5e120065cd5a1a6e25c6e758e8205d377596059b8fe
* ccb539bf17d479d9707ee717d0afb03cd57e9b6f023becf1abf9cdbd88e1b06c
* cd3040c88a6fd71ed1ce8c2a5d0b13ed8e25e49835932a39891c514ef946dd29
* ce2f00f1d0e71287e746d5a3507547f355297a3e45a7c2cc0322015916a0137c
* d00d3adf81bf95ff4994dcbd2ae1305a6ee6b0edfad6eb55b87217f85645651a
* d0e3f547e3efcc9d9794774a765b9c3950955e7ad752f3e630ebd5ab9425bcdc
* d452461f3527d674de3e9b680026ceb2b02c56d6d3f7c94da3aab65c05f52c03
* d57f45096e646837dec51129222fcbe79981c595721164009aec68be09bf5dcf
* dbb4f7e6354621c316fbba7e7a15f59cf229684e16ab6d21027f310beecaf49b
* dbdeede6f39936305c4c5bd8e4f7bfccb0b823c025130e7f8fa285e80383be0f
* dc3d72f72247141efeba3c2ffd498025f68e0c4b34c9a4dc2686ffec09b6d401
* de933f7b47707f4bf8d5a4aaef8b31f5059d3b8f465bcaae3e22438466e8390b
* e6315b24e0311758da1c25daa5f2724da4f534ed7ed644cbf43f3cc64c4676a7
* e9a18755312011e30081e7ce0fcc1db3e3aec3b9f3ed3a776dd38498830a2738
* eb4e39d44ad016b8d6d1dc8dc25a9ea3d3e18df87516922fdbd995de15b68f54
* ebd167ca477af620065548a9e55567682b0750625b3e078fc4498dd5adeabdc6
* f2536e520d37512d868a418797974a5c11e67742824a5477100b7e3f5b2efbc3
* f4fcba1c9d7f4ae8e3868f901035ea1e0e9e1122a362a83afd3d111c17a97d7a
* f7eef906c7dc1ce2ffe586d4b7f316a5f5c6761b5cdbf22d892fbc87a5ee2f6f
* fe55c1d263e0ea356d86afd8b2b1cedff570568e45b8a3810e05ea482b8a9329
* fefba5ce20c71a71cfe35dd8ff06c514bf6ffde60356babf4f4bba66dd904b78
DLL:
* cf9d93951e558ed22815b34446cfa2bd2cf3d1582d8bd97912612f4d4128a64e
* 48aaa2dec95537cdf9fc471dbcbb4ff726be4a0647dbdf6300fa61858c2b0099
* 00fc4b8a4c65c06766608f3ef3f92385c8e147f5991dabe290e33dd14b39ad44
* 0ad65fd0897a6547f6febf398708ab2d423a8f8834b53136219cb490ec3ebd13
* 11ba24d023b544e28c37b6cb8afe27d06638175d7f56c2e4d4ff97bf7bd813b6
* 1a2399ecc38f3288206c75b55762d125d3d75254062a2c0d85c86e7f896736ac
* 258ffcc13dbe110bcce21b91f7f075995719791fdd3c9f55ea5934984fa4373d
* 2cbc1e8a4cb5d18a867666adbd3417bc88d48a74ae6500593959aec1a1c92d2d
* 342a5c7df2bdd040570f4b83c74366d4c96a90d6418149d432cb5e8577f2f6b1
* 3648e89e7449ea433a8b3ef0e5b605b5dc4157048c03b20dedc5e3b920fa8552
* 5418e42706bca4712ff2a3db67853eb42a2310660c51cff2f9020586cffedeb3
* 69573694d16b7ccadfa208ff976bfe1b3e36837aba3e5dc4dfc80e66341ef61e
* 6de4f65b1d738d84f8e825613092bbd360194195fe8a1c986e12a9bb704217c1
* 751f149665f87dd20cc8dff743f28e5da1ff2a5f04874d4b8569b9afceeedfec
* 78200cd816acbd39b6664c6582e06500f6d46085b62b49d2f914bea5a004197a
* 783c7f4bf23072343f6247ee14e54e4af0b147553ad1ef42b4e7fb44386d667c
* 7f99e506c17676b98dcc08e6a19f100ef933cde3e0423c6d4072f6802a9196bb
* 8d0b1174cbda6b102bb98c91ba123e9f404b9fad23b49a4e29f3cfd8d20a577a
* 90c7688e0dc23ba4530bac1d567bad920c4ef1c06cbf4b2d867eeb363271eefe
* 9102e564c3262b2c291e8ca3d67f8a55c06650aa86f617c919916f6053c03c9b
* 9327aa03760431b6d86eeb2f1a3efc36aa443b842b5116fbbe0f2a7794c4e70e
* 97286b6f3a6535ff1172ef65172e6967e3670c6b14a3313c3bf0d6c171b1fc85
* 98e28d3423f5d414effe3c0ed6fd0f1c8154942e5e127ecee5f051e1196ffc75
* 99c0bebdc8cb7b0948000a601f510fc70487f9da532be199b8641512a2db9839
* 9bdf49b27fd4d80ef087f63e0bfa0a0822686814863eca09ac506404ad76dfda
* b2588061ba5ee9948bbccd320b40c6d7b8d6a693d181f3bce61e5e267f53aa7e
* b936853a0c50a0cd0bc8b33103b55bd88e19c6c28768d990b954c11d714286ca
* f2429f4bd09897653d0ffa41206a14cafa55356d5edc04dc0915c116867f8c27
GO UP
BACK TO ALL POSTS
POPULAR POSTS
* Artificial Intelligence
* ChatGPT
* Check Point Research Publications
OPWNAI : Cybercriminals Starting to Use ChatGPT
* Check Point Research Publications
* Threat Research
Hacking Fortnite Accounts
* Artificial Intelligence
* ChatGPT
* Check Point Research Publications
OpwnAI: AI That Can Save the Day or HACK it Away
BLOGS AND PUBLICATIONS
* Check Point Research Publications
August 11, 2017
“THE NEXT WANNACRY” VULNERABILITY IS HERE
* Check Point Research Publications
January 11, 2018
‘RUBYMINER’ CRYPTOMINER AFFECTS 30% OF WW NETWORKS
* Check Point Research Publications
* Global Cyber Attack Reports
* Threat Research
February 17, 2020
“THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN
* Check Point Research Publications
August 11, 2017
“THE NEXT WANNACRY” VULNERABILITY IS HERE
* Check Point Research Publications
January 11, 2018
‘RUBYMINER’ CRYPTOMINER AFFECTS 30% OF WW NETWORKS
* Check Point Research Publications
* Global Cyber Attack Reports
* Threat Research
February 17, 2020
“THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN
* Check Point Research Publications
August 11, 2017
“THE NEXT WANNACRY” VULNERABILITY IS HERE
* 1
* 2
* 3
* Publications
* Global cyber attack reports
* Research publications
* IPS advisories
* Check point blog
* Demos
* Tools
* Sandblast file analysis
* ThreatCloud
* Threat Intelligence
* Zero day protection
* Live threat map
* About Us
* Contact Us
LET’S GET IN TOUCH
Subscribe for cpr blogs, news and more
Subscribe Now
© 1994-2024 Check Point Software Technologies LTD. All rights reserved.
Property of CheckPoint.com
Privacy Policy
SUBSCRIBE TO CYBER INTELLIGENCE REPORTS
First Name
Last Name
Country—Please choose an option—ChinaIndiaUnited
StatesIndonesiaBrazilPakistanNigeriaBangladeshRussiaJapanMexicoPhilippinesVietnamEthiopiaEgyptGermanyIranTurkeyDemocratic
Republic of the CongoThailandFranceUnited KingdomItalyBurmaSouth AfricaSouth
KoreaColombiaSpainUkraineTanzaniaKenyaArgentinaAlgeriaPolandSudanUgandaCanadaIraqMoroccoPeruUzbekistanSaudi
ArabiaMalaysiaVenezuelaNepalAfghanistanYemenNorth
KoreaGhanaMozambiqueTaiwanAustraliaIvory CoastSyriaMadagascarAngolaCameroonSri
LankaRomaniaBurkina
FasoNigerKazakhstanNetherlandsChileMalawiEcuadorGuatemalaMaliCambodiaSenegalZambiaZimbabweChadSouth
SudanBelgiumCubaTunisiaGuineaGreecePortugalRwandaCzech
RepublicSomaliaHaitiBeninBurundiBoliviaHungarySwedenBelarusDominican
RepublicAzerbaijanHondurasAustriaUnited Arab
EmiratesIsraelSwitzerlandTajikistanBulgariaHong Kong (China)SerbiaPapua New
GuineaParaguayLaosJordanEl SalvadorEritreaLibyaTogoSierra
LeoneNicaraguaKyrgyzstanDenmarkFinlandSlovakiaSingaporeTurkmenistanNorwayLebanonCosta
RicaCentral African RepublicIrelandGeorgiaNew ZealandRepublic of the
CongoPalestineLiberiaCroatiaOmanBosnia and HerzegovinaPuerto
RicoKuwaitMoldovMauritaniaPanamaUruguayArmeniaLithuaniaAlbaniaMongoliaJamaicaNamibiaLesothoQatarMacedoniaSloveniaBotswanaLatviaGambiaKosovoGuinea-BissauGabonEquatorial
GuineaTrinidad and
TobagoEstoniaMauritiusSwazilandBahrainTimor-LesteDjiboutiCyprusFijiReunion
(France)GuyanaComorosBhutanMontenegroMacau (China)Solomon IslandsWestern
SaharaLuxembourgSurinameCape VerdeMaltaGuadeloupe (France)Martinique
(France)BruneiBahamasIcelandMaldivesBelizeBarbadosFrench Polynesia
(France)VanuatuNew Caledonia (France)French Guiana (France)Mayotte
(France)SamoaSao Tom and PrincipeSaint LuciaGuam (USA)Curacao (Netherlands)Saint
Vincent and the GrenadinesKiribatiUnited States Virgin Islands
(USA)GrenadaTongaAruba (Netherlands)Federated States of MicronesiaJersey
(UK)SeychellesAntigua and BarbudaIsle of Man (UK)AndorraDominicaBermuda
(UK)Guernsey (UK)Greenland (Denmark)Marshall IslandsAmerican Samoa (USA)Cayman
Islands (UK)Saint Kitts and NevisNorthern Mariana Islands (USA)Faroe Islands
(Denmark)Sint Maarten (Netherlands)Saint Martin (France)LiechtensteinMonacoSan
MarinoTurks and Caicos Islands (UK)Gibraltar (UK)British Virgin Islands
(UK)Aland Islands (Finland)Caribbean Netherlands (Netherlands)PalauCook Islands
(NZ)Anguilla (UK)Wallis and Futuna (France)TuvaluNauruSaint Barthelemy
(France)Saint Pierre and Miquelon (France)Montserrat (UK)Saint Helena, Ascension
and Tristan da Cunha (UK)Svalbard and Jan Mayen (Norway)Falkland Islands
(UK)Norfolk Island (Australia)Christmas Island (Australia)Niue (NZ)Tokelau
(NZ)Vatican CityCocos (Keeling) Islands (Australia)Pitcairn Islands (UK)
Email
WE VALUE YOUR PRIVACY!
BFSI uses cookies on this site. We use cookies to enable faster and easier
experience for you. By continuing to visit this website you agree to our use of
cookies.
ACCEPT
REJECT
This website uses cookies in order to optimize your user experience as well as
for advertising and analytics. For further information, please read our Privacy
Policy and ourCookie Notice.
DISMISS
Manage Preferences
404 Not Found
404 NOT FOUND
--------------------------------------------------------------------------------
nginx
When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
More information
Allow All
MANAGE CONSENT PREFERENCES
FUNCTIONAL COOKIES
Functional Cookies
These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.
STRICTLY NECESSARY COOKIES
Always Active
These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to block
or alert you about these cookies, but some parts of the site will not then work.
These cookies do not store any personally identifiable information.
PERFORMANCE COOKIES
Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.
TARGETING COOKIES
Targeting Cookies
These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.
Back Button
PERFORMANCE COOKIES
Search Icon
Filter Icon
Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label
Reject All Confirm My Choices