Recently, the cybersecurity analysts at Zscaler found a new variant of malware, RedEnergy, a new hybrid Stealer-as-a-Ransomware threat.
RedEnergy stealer targets industries through fake updates, stealing data from browsers, exfiltrating sensitive information, and utilizing ransomware modules.
The most recent detection of the RedEnergy stealer unveils a powerful blend of stealthy data theft and encryption designed to cause extensive harm and establish complete control over its targets.
It targets multiple industries, which are listed below:-
Using a deceptive FAKEUPDATES campaign, the Stealer-as-a-Ransomware variant lures targets into updating their browsers promptly.
After infiltrating the system, this malicious variant extracts data and encrypts files, leaving victims at risk of data loss, exposure, or sale of valuable information.
Stealer-as-a-Ransomware Campaign Analysis
Zscaler found a RedEnergy stealer targeting the Philippines Industrial Machinery Manufacturing Company and other industries with prominent LinkedIn pages.
The essential company information and website links on these pages attract cybercriminals, who use them as the starting point for the deceptive redirection technique employed in this campaign.
Victims are tricked into installing a fake browser update presented under four different browser icons; instead, they unwittingly download the RedStealer executable file.
Regardless of the browser icon clicked, users are redirected to the following address:-
This URL triggers the download of a component of the malicious payload, “setupbrowser.exe.”
The threat campaign employs a deceptive download domain, www[.]igrejaatos2[.]org, pretending to be a “ChatGPT” site.
This site tricks the victims and makes them download the fake offline version of the “ChatGPT.”
At this point, the victims obtain the same malicious executable disguised as a ChatGPT zip file.
Apart from finding the threat campaign against the Philippines Industrial Machinery Manufacturing Company, Zscaler’s extensive search revealed other FAKEUPDATES campaigns.
These campaigns share traits and techniques, suggesting a coordinated cybercriminal effort.
A campaign impersonating a major Brazilian telecom company works the same way as the previous one. Victims are directed to the same webpage and then download the same executable file from:-
This suggests that the attackers deliberately reuse infrastructure and tactics to maximize impact and profit.
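As a defender-side illustration (an added example, not code from Zscaler or the original post), the script below checks constructed proxy-log lines against the indicators the write-up names: the fake-update download domain www[.]igrejaatos2[.]org and the payload name setupbrowser.exe. The log layout and the URL path are assumptions, since the post does not publish either.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicators from the write-up above, kept defanged as published.
DEFANGED_DOMAINS = {"www[.]igrejaatos2[.]org"}
PAYLOAD_NAMES = {"setupbrowser.exe"}

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Assumed (constructed) proxy-log layout: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def flag_download(line: str) -> Optional[Dict]:
    """Return a finding when a proxy-log line matches the campaign's download stage."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    url = m.group("url").lower()
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":", 1)[0]
    filename = url.rsplit("/", 1)[-1].split("?", 1)[0]
    reasons = []
    if host in DOMAINS:
        reasons.append(f"known fake-update domain {host}")
    if filename in PAYLOAD_NAMES:
        reasons.append(f"known payload name {filename}")
    if not reasons:
        return None
    return {"client": m.group("client"), "url": m.group("url"), "reasons": reasons}

def scan_proxy_log(lines: Iterable[str]) -> List[Dict]:
    """Run flag_download over every line and keep the hits."""
    return [f for f in (flag_download(line) for line in lines) if f]

# Constructed sample lines. The write-up does not give the download URL's path,
# so "PLACEHOLDER-PATH" stands in for it.
SAMPLE_LOG = [
    "2023-07-05T10:01:02Z 10.0.0.12 GET https://www.igrejaatos2.org/PLACEHOLDER-PATH/setupbrowser.exe 200",
    "2023-07-05T10:01:09Z 10.0.0.13 GET https://example.com/index.html 200",
    "2023-07-05T10:02:30Z 10.0.0.14 GET http://cdn.example.net/dl/SetupBrowser.exe?x=1 200",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

The third sample line shows why the filename check is case-insensitive and strips query strings: the payload name alone is enough to flag a download even when the host is not yet on a blocklist.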
Malware Infection Chain
The investigated RedEnergy malware has dual functionality:-
To evade detection and complicate analysis, the malware author deliberately obfuscates the .NET binary.
The malware communicates with its command-and-control servers over HTTPS, with the traffic further encrypted and obfuscated.
The complete infection chain involves three stages:-
Stage 1: Initial Startup
Stage 2: Dropping Files, Persistence, Outgoing Requests, Encrypted Files
Stage 3: Decryption Routine
The final payload of the infection chain drops a ransom note dubbed “read_it.txt.” The threat actors leave this note in every encrypted folder, informing users of the ransom demanded for file release.
Based on the Zscaler analysis, it is clear that industries and organizations are confronted with constantly evolving and highly sophisticated cyber threats.
To mitigate the impact, it is essential to have strong security measures in place, ensure user awareness, and respond promptly to incidents.
Through constant vigilance and well-implemented cybersecurity strategies, businesses can shield valuable data from such malicious campaigns.
The post New Stealer-as-a-Ransomware Delivered Through Fake Updates appeared first on Cyber Security News.