
Ethical Hacking News

New PHP-Based Interlock RAT Variant Sparks Concern Over Opportunistic Attacks on Multiple Industries



A new PHP-based variant of the Interlock ransomware group's remote access trojan (RAT) has emerged as part of a widespread campaign using a modified version of the FileFix delivery mechanism. This variant, which leverages PHP to gain and maintain access to victim networks, poses significant risks due to its opportunistic nature. Organizations must remain vigilant against emerging threats such as this Interlock RAT campaign to safeguard their security.

  • The Interlock RAT campaign uses a modified version of the FileFix delivery mechanism to deploy a PHP-based variant of the Interlock ransomware group's remote access trojan (RAT).
  • The campaign begins with compromised websites injected with a single-line script that redirects users to fake CAPTCHA verification pages, leading to the deployment of NodeSnake (aka Interlock RAT).
  • The FileFix mechanism that delivers the new PHP variant abuses a Windows feature: victims are tricked into copying a command and executing it through the File Explorer address bar.
  • The malware establishes contact with a remote server to download and run EXE or DLL payloads and uses Cloudflare Tunnel subdomains to obscure its C2 server location.
  • The Interlock RAT campaign highlights the importance of threat intelligence in monitoring and countering malicious activities; organizations must remain vigilant against opportunistic attacks across multiple industries.



The threat landscape continues to evolve with new and sophisticated malware variants emerging, posing significant risks to organizations across multiple industries. The latest development in this regard is a new PHP-based variant of the Interlock ransomware group's remote access trojan (RAT), dubbed Interlock RAT, which has been observed deploying its bespoke malicious payload using a modified version of the FileFix delivery mechanism. This variant, which relies on PHP, a widely used web scripting language, to gain and maintain access to victim networks, is of particular concern due to its opportunistic nature.

According to a recent technical analysis published by The DFIR Report in collaboration with Proofpoint, the Interlock RAT campaign began with compromised websites injected with a single-line script hidden in the page's HTML. This JavaScript code acts as a traffic distribution system (TDS), using IP filtering techniques to redirect users to fake CAPTCHA verification pages that leverage ClickFix to entice them into running a PowerShell script, leading to the deployment of NodeSnake (aka Interlock RAT). The use of NodeSnake by Interlock was previously documented by Quorum Cyber as part of cyber attacks targeting local government and higher education organizations in the United Kingdom in January and March 2025.

The new PHP variant of the Interlock RAT, which is deployed via the FileFix delivery mechanism, has been observed to be a significant departure from its Node.js counterparts. The evolution of this malicious tooling highlights the continued sophistication of the threat actors behind the Interlock group. According to The DFIR Report's analysis, "This updated delivery mechanism has been observed deploying the PHP variant of the Interlock RAT, which in certain cases has then led to the deployment of the Node.js variant of the Interlock RAT."

The FileFix variant leverages Windows operating system features, particularly the ability to instruct victims into copying and executing commands using the File Explorer's address bar. Security researcher mrd0x detailed a proof-of-concept (PoC) version of this mechanism last month; it is now being used to deliver the Interlock RAT, which then carries out reconnaissance on infected hosts and exfiltrates system information in JSON format.

Once installed, the RAT establishes contact with a remote server to download and run EXE or DLL payloads. Persistence on the machine is accomplished via Windows Registry changes, while the Remote Desktop Protocol (RDP) is used to enable lateral movement. A noteworthy feature of the trojan is its abuse of Cloudflare Tunnel subdomains to obscure the true location of the command-and-control (C2) server.

Furthermore, the malware embeds hard-coded IP addresses as a fallback mechanism to ensure that communication remains intact even if the Cloudflare Tunnel is taken down. According to The DFIR Report's analysis, "This discovery highlights the continued evolution of the Interlock group's tooling and their operational sophistication."
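Two of the behaviours described above are cheap to hunt for in endpoint and egress telemetry: a script host launched directly by File Explorer (the FileFix address-bar pattern) and a scripting runtime talking to a Cloudflare quick-tunnel hostname or straight to a bare IP (the tunnel-fronted C2 with hard-coded fallback). The following is an added example, not code from the article or from The DFIR Report/Proofpoint; the log records are constructed, the process lists are my own assumptions, and it assumes quick tunnels appear under the trycloudflare.com suffix.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events, in the spirit of Sysmon Event ID 1 (not real telemetry).
PROC_EVENTS = [
    {"pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c <redacted>"},          # FileFix-style launch
    {"pid": 4188, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": "notepad++.exe"},                                 # benign Explorer child
    {"pid": 4201, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File build.ps1"},                    # benign: not from Explorer
]

# Constructed egress records as (process name, destination host).
EGRESS = [
    ("php.exe", "quiet-lamp-ab12.trycloudflare.com"),   # tunnel-fronted C2 style
    ("php.exe", "203.0.113.7"),                          # bare-IP fallback style
    ("chrome.exe", "www.example.com"),                   # benign browsing
    ("chrome.exe", "203.0.113.8"),                       # bare IP from a browser: not flagged
]

# Assumed lists: script hosts worth flagging under Explorer, and runtimes whose direct egress is odd.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
SUSPECT_EGRESS_PROCS = {"php.exe", "powershell.exe", "node.exe"}
TUNNEL_RE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.I)   # assumed quick-tunnel suffix
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def filefix_candidates(events):
    """Return PIDs of script hosts whose direct parent is File Explorer."""
    hits = []
    for ev in events:
        parent = PureWindowsPath(ev["parent"]).name.lower()
        child = PureWindowsPath(ev["image"]).name.lower()
        if parent == "explorer.exe" and child in SCRIPT_HOSTS:
            hits.append(ev["pid"])
    return hits


def tunnel_or_bare_ip_egress(records):
    """Return (process, host) pairs where a scripting runtime reaches a quick-tunnel host or a bare IP."""
    return [(p, h) for p, h in records
            if p.lower() in SUSPECT_EGRESS_PROCS and (TUNNEL_RE.search(h) or BARE_IP_RE.match(h))]
```

Both checks will produce benign hits in some environments (help-desk scripts, internal tooling on tunnels), so treat them as triage queues rather than block rules.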

The emergence of this PHP-based variant underscores the ever-increasing importance of threat intelligence in monitoring and countering malicious activities. It also serves as a stark reminder that organizations must remain vigilant against opportunistic attacks across multiple industries.

In light of these findings, it is imperative for organizations to update their security protocols to address emerging threats such as the Interlock RAT campaign. Implementing robust threat detection systems, conducting regular security audits, and staying informed about emerging malware variants are crucial measures in safeguarding against such malicious activities.



Related Information:
  • https://www.ethicalhackingnews.com/articles/New-PHP-Based-Interlock-RAT-Variant-Sparks-Concern-Over-Opportunistic-Attacks-on-Multiple-Industries-ehn.shtml
  • https://thehackernews.com/2025/07/new-php-based-interlock-rat-variant.html


Published: Mon Jul 14 14:18:58 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.