Full Report
The Interlock ransomware gang is deploying a previously undocumented remote access trojan (RAT) named NodeSnake against educational institutes for persistent access to corporate networks. [...]
Analysis Summary
# Threat Actor: Interlock Ransomware Gang
## Attribution & Identity
The threat actor is identified as the **Interlock ransomware gang**. No national attribution is given in the summary; the group is characterized as operationally maturing, as shown by its deployment of new custom tools.
## Activity Summary
Interlock has been observed conducting recent attacks against **educational institutions**. Their operations appear to be evolving, focusing on establishing long-term, stealthy persistence before deployment of their main ransomware payload.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails carrying malicious links or attachments.
- **Execution:** Infection leads to the deployment of the NodeSnake RAT, which is executed using NodeJS.
- **Persistence:** Establishes persistence using PowerShell or CMD scripts to write a deceptive Registry entry named 'ChromeUpdater' to impersonate Google Chrome's updater.
- **Evasion/Stealth:**
  - Runs as a detached background process.
  - Assigns random names to filenames and payloads.
  - Cycles through Command-and-Control (C2) addresses with randomized delays.
  - Employs heavy code obfuscation.
  - Utilizes XOR encryption with a rolling key and random seeds.
  - Performs console tampering to disrupt debug output.
- **Command and Control (C2):** Connection is routed through Cloudflare-proxied domains for obfuscation, although the initial C2 IP address is hardcoded.
- **Collection:** Collects key metadata about the user, running processes, services, and network configurations.
- **Defense Evasion/Execution (Post-Infection):** Can kill active processes or load additional EXE, DLL, or JavaScript payloads.
- **Remote Access/Interaction:** The newer NodeSnake variant can execute arbitrary CMD commands and use dynamic C2 polling modules, allowing for real-time shell interaction with results bundled in exfiltrated data.
## Targeting
- Sectors: **Educational institutions**.
- Geography: Not specified in detail, but targeting universities implies a broad, potentially international scope.
- Victims: Universities (general reference).
## Tools & Infrastructure
- Malware Families Used:
  - **Interlock Ransomware** (implied final payload).
  - **NodeSnake RAT** (new JavaScript RAT running on NodeJS).
- Infrastructure (C2, domains, IPs):
  - C2 traffic is routed through **Cloudflare-proxied domains**.
  - Initial C2 IP addresses are **hardcoded** within the malware.
- **Defanged IPs/URLs:** N/A (specific indicators of compromise are referenced in the external QuorumCyber report).
## Implications
The continuous development and deployment of advanced tools like NodeSnake RAT indicate that the Interlock gang is focused on **long-term, stealthy persistence** in victim environments. This progression suggests a sophisticated operation, increasing the risk of successful data exfiltration and subsequent ransomware deployment if preliminary monitoring fails.
## Mitigations
- Monitoring for the documented Indicators of Compromise (IoCs) associated with the NodeSnake RAT deployment.
- Implementing security controls to detect and block malicious phishing attempts (initial access vector).
- Monitoring for abnormal persistence mechanisms, specifically the creation of the 'ChromeUpdater' registry key, and processes running detached in the background.
- Blocking or scrutinizing traffic directed toward known C2 infrastructure or Cloudflare domains associated with this actor.
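The persistence and execution behaviours listed above (a Run-key value named 'ChromeUpdater', NodeJS launched from PowerShell or CMD) can be turned into simple host-telemetry detections. The following is an added example, not code from the report or from QuorumCyber: it scans Sysmon-style registry-value-set (Event ID 13) and process-creation (Event ID 1) records for the 'ChromeUpdater' autorun value, for any autorun entry that launches `node.exe`, and for `node.exe` spawned by a script host. The event field names, the `HKU\...\CurrentVersion\Run` location (the report names only the value, not the key), the `node.exe` binary name and every path in the sample records are assumptions or constructed sample data; the random-looking directory and script names are made up to mirror the report's note that the RAT randomizes filenames.

```python
"""Hunt Sysmon-style events for NodeSnake-like persistence and execution.

Added example (not from the report). Assumptions: Sysmon field names,
autorun location under ...\\CurrentVersion\\Run, binary name node.exe.
"""
import re
from dataclasses import dataclass

# Constructed sample records. None of these paths or names are IoCs from
# the report; record 2 and record 4 imitate the described behaviour.
SAMPLE_EVENTS = [
    {"EventID": 13, "RecordId": 1,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 13, "RecordId": 2,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater",
     "Details": r"C:\Users\alice\AppData\Roaming\xk9f2q\node.exe C:\Users\alice\AppData\Roaming\xk9f2q\a81c.js",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 13, "RecordId": 3,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Google Update",
     "Details": r"C:\Users\alice\AppData\Local\Google\Update\GoogleUpdate.exe /c",
     "Image": r"C:\Users\alice\AppData\Local\Google\Update\GoogleUpdate.exe"},
    {"EventID": 1, "RecordId": 4,
     "Image": r"C:\Users\alice\AppData\Roaming\xk9f2q\node.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"node.exe C:\Users\alice\AppData\Roaming\xk9f2q\a81c.js"},
    {"EventID": 1, "RecordId": 5,
     "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r"node.exe build.js"},
]

# Assumed autorun location; captures the value name as group 2.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE)
# Matches a standalone "node" or "node.exe" token inside a command line.
NODE_RE = re.compile(r"(^|[\\\s\"'])node(\.exe)?(?=[\s\"']|$)", re.IGNORECASE)
# Script hosts the report says are used to write the persistence entry.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe")
# Value name documented in the report (compared case-insensitively).
DECEPTIVE_VALUE_NAMES = ("chromeupdater",)


@dataclass(frozen=True)
class Finding:
    rule: str
    record_id: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_registry_event(ev: dict) -> list:
    """Rules for a registry value-set record (Sysmon Event ID 13)."""
    findings = []
    match = AUTORUN_KEY_RE.search(ev["TargetObject"])
    if not match:
        return findings  # not an autorun location we care about
    value_name = match.group(2)
    details = ev.get("Details", "")
    if value_name.lower() in DECEPTIVE_VALUE_NAMES:
        findings.append(Finding("autorun_value_named_chromeupdater", ev["RecordId"],
                                f"value {value_name!r} written by {basename(ev['Image'])}"))
    # Generalization beyond the report: any autorun that starts NodeJS is
    # unusual on a non-developer host and worth a look regardless of name.
    if NODE_RE.search(details):
        findings.append(Finding("autorun_launches_node", ev["RecordId"], details))
    return findings


def check_process_event(ev: dict) -> list:
    """Rule for a process-creation record (Sysmon Event ID 1)."""
    if basename(ev["Image"]) == "node.exe" and basename(ev["ParentImage"]) in SCRIPT_HOSTS:
        return [Finding("script_host_spawned_node", ev["RecordId"],
                        f"{basename(ev['ParentImage'])} -> {ev['CommandLine']}")]
    return []


def scan(events: list) -> list:
    """Run every rule over a batch of events and return the findings."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            findings.extend(check_registry_event(ev))
        elif ev["EventID"] == 1:
            findings.extend(check_process_event(ev))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] record {f.record_id}: {f.detail}")
```

Against the constructed sample, record 2 trips both registry rules and record 4 trips the process rule, while the legitimate OneDrive and Google Update entries and the developer's editor-launched NodeJS are left alone. The `autorun_launches_node` rule is the one to tune: it is broader than the report's single named value and will fire on hosts where NodeJS tooling is legitimately autostarted.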