Intrusions exploiting the FileFix technique have been launched by the Interlock ransomware gang to facilitate the spread of a new PHP-based version of its remote access trojan as part of a massive campaign that commenced in May, reports The Hacker News.
Interlock abused File Explorer's willingness to accept a pasted command and execute it (the FileFix technique) to deploy the RAT payload. The RAT performs reconnaissance and system data theft, checks the privileges it is running with, and communicates with a remote server to retrieve and execute follow-on EXE or DLL payloads, according to a joint analysis by researchers from The DFIR Report and Proofpoint. Aside from modifying the Windows Registry for persistence and leveraging Remote Desktop Protocol for lateral movement, Interlock's updated RAT also uses Cloudflare Tunnel subdomains to conceal its command-and-control server's location, falling back to hard-coded IP addresses to maintain communications if the Cloudflare Tunnel is disrupted, the report noted. "This discovery highlights the continued evolution of the Interlock group's tooling and their operational sophistication," said researchers.
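The detection angle a defender would take from the behaviour described above (File Explorer launching a command interpreter, a PHP runtime on a workstation, and name lookups for Cloudflare Tunnel hosts) can be expressed as a small triage routine. The following is an added illustration, not code from the report or from The DFIR Report or Proofpoint; the event shapes, the interpreter list and the sample events are constructed here, and the `.trycloudflare.com` suffix is an assumption based on Cloudflare's quick-tunnel hostnames, since the report only says "Cloudflare Tunnel subdomains".

```python
"""Constructed example: score Sysmon-style process-creation and DNS events for
behaviour consistent with a FileFix-delivered, PHP-based RAT that uses a
Cloudflare Tunnel for C2. Event classes and sample data are made up here."""
from dataclasses import dataclass

# Interpreters a command pasted into the File Explorer address bar would launch.
# php.exe is included because the page describes a PHP-based RAT. (Assumed list.)
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "php.exe"}

# Assumption: Cloudflare quick tunnels hand out *.trycloudflare.com hostnames.
# The report only mentions "Cloudflare Tunnel subdomains"; extend as needed.
TUNNEL_SUFFIXES = (".trycloudflare.com",)


@dataclass
class ProcEvent:            # subset of a Sysmon event ID 1 record (constructed)
    parent_image: str
    image: str
    command_line: str


@dataclass
class DnsEvent:             # subset of a Sysmon event ID 22 record (constructed)
    image: str
    query: str


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_process(ev: ProcEvent) -> list[str]:
    """Return the reasons (possibly none) a process-creation event looks suspicious."""
    reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    # FileFix: the pasted command runs with explorer.exe as its parent.
    if parent == "explorer.exe" and child in INTERPRETERS:
        reasons.append("explorer-spawned-interpreter")
    # A PHP runtime on an end-user workstation is unusual and matches the RAT's stack.
    if child == "php.exe" or "php.exe" in ev.command_line.lower():
        reasons.append("php-runtime")
    return reasons


def score_dns(ev: DnsEvent) -> list[str]:
    """Flag name lookups for Cloudflare quick-tunnel hosts (assumed suffix list)."""
    query = ev.query.lower().rstrip(".")
    return ["cloudflare-tunnel-lookup"] if query.endswith(TUNNEL_SUFFIXES) else []


def triage(proc_events, dns_events) -> list[tuple[str, list[str]]]:
    """Collect (image, reasons) pairs for every event that scored at least once."""
    findings = []
    for ev in proc_events:
        if (r := score_process(ev)):
            findings.append((ev.image, r))
    for ev in dns_events:
        if (r := score_dns(ev)):
            findings.append((ev.image, r))
    return findings


# Constructed sample events: one benign explorer.exe child, one FileFix-style
# launch that starts a PHP payload, and one tunnel lookup from that payload.
SAMPLE_PROC = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c C:\Users\Public\php\php.exe C:\Users\Public\cfg.php'),
]
SAMPLE_DNS = [
    DnsEvent(r"C:\Users\Public\php\php.exe", "placeholder-subdomain.trycloudflare.com"),
    DnsEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.com"),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_PROC, SAMPLE_DNS):
        print(f"{image}: {', '.join(reasons)}")
```

The process rule keys on the parent/child relationship rather than on command-line strings, because the pasted command varies per campaign while the explorer.exe parent does not; the DNS rule is a low-cost indicator that should be correlated with the process findings, since legitimate software also uses Cloudflare Tunnel. The report's hard-coded IP fallback means a C2 channel can persist after a tunnel is blocked, so a match here warrants looking at the flagged process's direct outbound connections as well.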