
Cyber adversaries are constantly refining their techniques to bypass security defenses and achieve their malicious goals. Recently, security researchers have observed a concerning evolution in the methodology employed by the Interlock ransomware operation, highlighting a shift towards more stealthy and persistent initial access methods.
Interlock is a known player in the ransomware landscape, responsible for disrupting businesses and organizations. However, their latest observed tactic introduces a notable change in the attack chain, moving away from immediately deploying the final ransomware payload.
The notable shift involves leveraging a utility or dropper referred to as “FileFix.” Instead of directly deploying the ransomware payload, FileFix is used as an intermediary step. Its primary function in this attack chain appears to be the deployment of a newly identified PHP-based Remote Access Trojan (RAT).
A PHP RAT is a type of malicious software that runs on web servers or other systems with PHP installed, granting attackers stealthy remote access and control. Because it lives inside the web stack, it provides a persistent backdoor into the compromised environment and is particularly effective against web infrastructure. By using FileFix to drop this PHP RAT, the attackers can establish a foothold and maintain covert access, potentially for reconnaissance, lateral movement, data exfiltration, or future attacks, long before any ransomware is deployed.
This multi-stage approach allows attackers to remain undetected for longer periods. They can explore the network, identify valuable data, and plan the final ransomware deployment strategically. The presence of the PHP RAT also means that even if the ransomware is mitigated, the attackers may still have persistent access to the network, posing a continued threat.
Understanding these evolving tactics is crucial for defense. Here are key steps organizations and individuals can take to protect themselves:
- Prioritize Patching: Ensure all operating systems, software, and particularly web server components (including PHP) are kept up to date with the latest security patches. Vulnerabilities are often the initial entry point for droppers like FileFix.
- Enhance Endpoint Security: Deploy and maintain robust endpoint detection and response (EDR) solutions alongside traditional antivirus. These tools can help detect and block the execution of malicious droppers and RATs.
- Implement Network Segmentation: Limit lateral movement within the network should one system, particularly a web server, be compromised. This can contain the spread of the RAT and prevent attackers from reaching critical assets.
- Fortify Web Server Security: Implement Web Application Firewalls (WAFs), conduct regular security audits, and monitor server logs for unusual activity, especially unexpected PHP file creations or process executions.
- Regular, Offline Backups: Maintain frequent backups of critical data and store them offline or air-gapped, making them inaccessible to both the RAT for potential data exfiltration and the final ransomware payload.
- Security Awareness Training: Educate employees about phishing, social engineering, and the risks of downloading files from untrusted sources, as these can be initial vectors used to get droppers like FileFix onto a system.
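The log-monitoring advice above (watching for unexpected PHP file creations) can be turned into a simple integrity check. The following script is an added example, not code from the original article or from any vendor: it hashes a web root into a baseline manifest, then flags PHP files that were added or modified since that baseline, and any PHP file sitting under a directory the web server is allowed to write to (the `uploads` name is an assumption; adjust it to your deployment). The scenario it runs is constructed in a temporary directory so it works offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a typical PHP handler will execute; extend for your server config.
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def build_manifest(webroot: Path) -> dict:
    """Map each file's path (relative to webroot, POSIX form) to its SHA-256."""
    return {
        p.relative_to(webroot).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in webroot.rglob("*")
        if p.is_file()
    }


def php_drift(baseline: dict, current: dict, writable_dirs=("uploads",)) -> dict:
    """Compare two manifests and report PHP files that are new, changed, or
    located under a web-writable directory (where no PHP should ever exist)."""
    findings = {"added": [], "modified": [], "in_writable_dir": []}
    for rel, digest in current.items():
        path = Path(rel)
        if path.suffix.lower() not in PHP_SUFFIXES:
            continue
        if rel not in baseline:
            findings["added"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
        # Any ancestor directory in the writable set is a red flag for a dropped file.
        if any(part in writable_dirs for part in path.parts[:-1]):
            findings["in_writable_dir"].append(rel)
    return findings


def demo() -> dict:
    """Constructed scenario: take a baseline of a clean deploy, then simulate a
    file dropped into uploads/ and an in-place edit of index.php."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed sample")
        baseline = build_manifest(root)
        # Post-incident state (constructed placeholders, not real malware).
        (root / "uploads" / "cache.php").write_text("<?php /* constructed */ ?>")
        (root / "index.php").write_text("<?php include 'uploads/cache.php'; ?>")
        return php_drift(baseline, build_manifest(root))
```

In production, store the baseline manifest outside the web root (ideally on a separate host) and regenerate it only as part of a legitimate deploy, so a compromise of the server cannot silently rewrite it.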
The use of tools like “FileFix” to drop persistent malware such as PHP RATs demonstrates the adaptability and increasing sophistication of groups like Interlock. Staying ahead of these threats requires a layered security approach, vigilance, and a commitment to cybersecurity best practices. By understanding the evolving attack methodologies, we can better protect our digital assets and infrastructure.
Source: https://securityaffairs.com/179919/cyber-crime/interlock-ransomware-group-deploys-new-php-based-rat-via-filefix.html