Hackers have adopted the brand new method known as ‘FileFix’ in Interlock ransomware assaults to drop a distant entry trojan (RAT) on focused methods.
Interlock ransomware operations have elevated over the previous months because the risk actor began utilizing the KongTuke internet injector (aka ‘LandUpdate808’) to ship payloads by compromised web sites.
This shift in modus operandi was noticed by researchers at The DFIR Report and Proofpoint since Could. Again then, guests of compromised websites had been prompted to go a faux CAPTCHA + verification, after which paste right into a Run dialog content material robotically saved to the clipboard, a tactic according to ClickFix assaults.
The trick led customers to execute a PowerShell script that fetched and launched a Node.js-based variant of the Interlock RAT.
In June, researchers discovered a PHP-based variant of Interlock RAT used within the wild, which was delivered utilizing the identical KongTuke injector.
Earlier this month, a big change within the supply wrapper occurred, with Interlock now switching to the FileFix variation of the ClickFix technique as the popular supply technique.
Supply: The DFIR Report
FileFix is a social engineering assault method developed by safety researcher mr.d0x. It is an evolution of the ClickFix assault, which turned some of the broadly employed payload distribution strategies over the previous yr.
Within the FileFix variation, the attacker weaponizes trusted Home windows UI components, reminiscent of File Explorer and HTML Purposes (.HTA), to trick customers into executing malicious PowerShell or JavaScript code with out displaying any safety warnings.
Customers are prompted to “open a file” by pasting a copied string into File Explorer’s deal with bar. The string is a PowerShell command disguised to appear to be a file path utilizing remark syntax.
Within the current Interlock assaults, targets are requested to stick a command disguised with a faux file path onto File Explorer, resulting in the downloading of the PHP RAT from ‘trycloudflare.com’ and its execution on the system.
Put up-infection, the RAT executes a collection of PowerShell instructions to collect system and community data and exfiltrates this information as structured JSON to the attacker.
The DFIR Report additionally mentions proof of interactive exercise, together with Energetic Listing enumeration, checking for backups, navigating native directories, and inspecting area controllers.
The command and management (C2) server can ship shell instructions for the RAT to execute, introduce new payloads, add persistence through a Registry run key, or transfer laterally through distant desktop (RDP).
Interlock ransomware launched in September 2024, claiming notable victims just like the Texas Tech College, DaVita, and Kettering Well being.
The ransomware operation leveraged ClickFix to contaminate targets, however its pivoting to FileFix signifies that the attacker is fast to adapt to stealthier assault strategies.
That is the primary public affirmation of FileFix being utilized in precise cyberattacks. It’s prone to acquire extra recognition as risk actors discover methods to include it into their assault chains.
Whereas cloud assaults could also be rising extra subtle, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout 1000’s of organizations, this report reveals 8 key methods utilized by cloud-fluent risk actors.
