Hackers have adopted a new technique called ‘FileFix’ in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems.
Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka ‘LandUpdate808’) to deliver payloads through compromised websites.
This shift in modus operandi has been observed by researchers at The DFIR Report and Proofpoint since May. Back then, visitors of compromised sites were prompted to pass a fake CAPTCHA verification and then paste into a Run dialog content that had been automatically saved to the clipboard, a tactic consistent with ClickFix attacks.
The trick led users to execute a PowerShell script that fetched and launched a Node.js-based variant of the Interlock RAT.
In June, researchers found a PHP-based variant of the Interlock RAT used in the wild, which was delivered using the same KongTuke injector.
Earlier this month, a significant change in the delivery wrapper occurred, with Interlock switching to the FileFix variation of the ClickFix method as its preferred delivery method.

Source: The DFIR Report
FileFix is a social engineering attack technique developed by security researcher mr.d0x. It is an evolution of the ClickFix attack, which became one of the most widely employed payload distribution methods over the past year.
In the FileFix variation, the attacker weaponizes trusted Windows UI elements, such as File Explorer and HTML Applications (.HTA), to trick users into executing malicious PowerShell or JavaScript code without displaying any security warnings.
Users are prompted to “open a file” by pasting a copied string into File Explorer’s address bar. The string is a PowerShell command disguised to look like a file path using comment syntax.
In the recent Interlock attacks, targets are asked to paste a command disguised with a fake file path into File Explorer, leading to the download of the PHP RAT from ‘trycloudflare.com’ and its execution on the system.
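The execution step described above leaves a distinctive trace in endpoint telemetry: File Explorer (explorer.exe) becomes the parent of a PowerShell process whose command line carries a trailing ‘#’ comment that looks like a Windows path. The following detection heuristic is an added example, not code from the article or from The DFIR Report; the event record shape is an assumed, simplified Sysmon Event ID 1 layout, and the sample events are constructed.

```python
"""Heuristic detection of FileFix-style launches in process-creation telemetry.

Added example (not from the article or The DFIR Report). Flags PowerShell
spawned directly by explorer.exe whose command line contains a '#' comment
followed by something shaped like a Windows file path, which is how FileFix
disguises a command as a path. Event layout is an assumed simplification
of a Sysmon Event ID 1 record.
"""
import re
from dataclasses import dataclass

# A '#' comment followed by a drive letter and a backslash-delimited path.
PATH_COMMENT = re.compile(r"#\s*[A-Za-z]:\\\S+")
PS_NAMES = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the new process image
    command_line: str   # command line of the new process


def is_filefix_like(ev: ProcEvent) -> bool:
    """True when explorer.exe launches PowerShell with a path-like trailing comment."""
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    child = ev.image.lower().rsplit("\\", 1)[-1]
    if parent != "explorer.exe" or child not in PS_NAMES:
        return False
    return PATH_COMMENT.search(ev.command_line) is not None


def scan(events):
    """Return the command lines of every event matching the heuristic."""
    return [ev.command_line for ev in events if is_filefix_like(ev)]


# Constructed sample telemetry: a benign Explorer launch, a FileFix-shaped
# launch, and a '#' comment from a non-Explorer parent (not flagged).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell.exe -NoProfile -File "C:\\Scripts\\backup.ps1"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell.exe -w hidden -c "Write-Host demo" # C:\\Users\\Public\\Quarterly-Report.pdf'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              'powershell.exe -c "Get-Date" # C:\\tmp\\notes.txt'),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("FileFix-like launch:", hit)
```

The parent/child pairing is the stronger signal; the comment pattern alone will also match benign scripts that happen to contain path comments, so tune it against your own baseline before alerting.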
Post-infection, the RAT executes a series of PowerShell commands to gather system and network information and exfiltrates this data as structured JSON to the attacker.
The DFIR Report also mentions evidence of interactive activity, including Active Directory enumeration, checking for backups, navigating local directories, and examining domain controllers.
The command and control (C2) server can send shell commands for the RAT to execute, introduce new payloads, add persistence via a Registry run key, or move laterally via remote desktop (RDP).
Interlock ransomware launched in September 2024, claiming notable victims such as Texas Tech University, DaVita, and Kettering Health.
The ransomware operation leveraged ClickFix to infect targets, but its pivot to FileFix indicates that the attacker is quick to adapt to stealthier attack methods.
This is the first public confirmation of FileFix being used in actual cyberattacks. It is likely to gain more popularity as threat actors find ways to incorporate it into their attack chains.