BleepingComputer reports that the Interlock ransomware operation launched attacks spreading the new NodeSnake remote access trojan against UK universities in January and March.
Interlock began its intrusions with phishing emails whose links or attachments led to the deployment of the JavaScript-based NodeSnake malware, according to a QuorumCyber analysis. After establishing persistence via PowerShell or CMD scripts and maintaining stealth through console tampering and XOR encryption, NodeSnake RAT exfiltrates system metadata, ends active processes, and launches further payloads on targeted devices. Interlock also created an updated version of NodeSnake RAT that allows CMD command execution and uses additional modules for dynamically modifying C2 polling behavior, indicating ongoing malware development, according to researchers. The findings come after Interlock, which has also used ClickFix attack tactics, was reported to have targeted Ohio-based medical network Kettering Health, dialysis provider DaVita, and Texas Tech University.