New Stealer-as-a-Ransomware Delivered Through Fake Updates

Cybersecurity analysts at Zscaler recently found RedEnergy, a new malware variant and hybrid Stealer-as-a-Ransomware threat.

RedEnergy stealer targets industries through fake updates, stealing data from browsers, exfiltrating sensitive information, and utilizing ransomware modules.


The most recent detection of the RedEnergy stealer unveils a powerful blend of stealthy data theft and encryption designed to cause extensive harm and establish complete control over its targets.

It targets the following industries:

  • Energy utilities
  • Oil
  • Gas
  • Telecom
  • Machinery

Using a deceptive FAKEUPDATES campaign, the Stealer-as-a-Ransomware variant lures targets into updating their browsers promptly.

After infiltrating the system, this malicious variant extracts data and encrypts files, leaving victims at risk of data loss, exposure, or sale of valuable information.

Stealer-as-a-Ransomware Campaign Analysis

Zscaler found a RedEnergy stealer targeting the Philippines Industrial Machinery Manufacturing Company and other industries with prominent LinkedIn pages.

The essential company information and website links on these pages attract cybercriminals and serve the deceptive redirection technique used in this threat campaign.

Users visiting the targeted company’s website from LinkedIn get redirected to a malicious site.

They are tricked into installing a fake browser update presented as four different browser icons; instead, they unwittingly download the RedStealer executable file.

Browser extensions showcased

Regardless of the browser icon clicked, users are redirected to the following address:

  • www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe 

This URL mainly triggers the download of a component of the malicious payload, “setupbrowser.exe.”

Malicious URL

The threat campaign employs a deceptive download domain, www[.]igrejaatos2[.]org, pretending to be a “ChatGPT” site. 

The site tricks victims into downloading a fake offline version of “ChatGPT.”

At this point, the victims obtain the same malicious executable, disguised as the ChatGPT zip file.

Fake ChatGPT

Apart from finding the threat campaign against the Philippines Industrial Machinery Manufacturing Company, Zscaler’s extensive search revealed other FAKEUPDATES campaigns.

These campaigns share traits and techniques, suggesting a coordinated cybercriminal effort.

A campaign impersonating a major Brazilian telecom company works the same way as the previous one. Victims are directed to the same webpage and then download the same executable file from:

  • www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe

This observation suggests that attackers commonly reuse infrastructure and tactics, intending to generate larger effects and increase profits.
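A hunting check for the download URL reported above, as an added example that is not part of the original article or Zscaler's analysis: it refangs the published indicator and grades proxy-log requests against it. The log layout, the sample lines and the `example.*` hosts are constructed assumptions, and the filename-only match is a weaker heuristic motivated by the infrastructure reuse noted above.

```python
import re
from urllib.parse import urlsplit
# Indicator exactly as published in this article (kept defanged in source).
DEFANGED_IOC = "www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe"

def refang(text):
    """Undo common defanging so the indicator can be compared with log data."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def defang(url):
    """Defang scheme and host before the URL is written into an alert."""
    netloc = urlsplit(url).netloc
    return url.replace(netloc, netloc.replace(".", "[.]"), 1).replace("http", "hxxp", 1)

def split_url(url):
    """Return (host without leading 'www.', path), lowercased for comparison."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    return (host[4:] if host.startswith("www.") else host), parts.path.lower()

IOC_HOST, IOC_PATH = split_url(refang(DEFANGED_IOC))
IOC_FILE = IOC_PATH.rsplit("/", 1)[-1]
# Assumed proxy log layout: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(url):
    """Grade a requested URL against the indicator, strongest match first."""
    host, path = split_url(url)
    if host == IOC_HOST:
        return "exact-ioc" if path == IOC_PATH else "ioc-host"
    if path.rsplit("/", 1)[-1] == IOC_FILE:
        return "ioc-filename"  # weaker: same file name served from another host
    return None

def scan(lines):
    """Return (client, verdict, defanged_url) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())  # malformed lines simply do not match
        if m and (verdict := classify(m.group(4))):
            hits.append((m.group(2), verdict, defang(m.group(4))))
    return hits

# Constructed sample log lines (not real traffic); example.* hosts are placeholders.
SAMPLE = [
    "2023-07-01T09:00:01Z 10.0.0.5 GET https://" + refang(DEFANGED_IOC) + " 200",
    "2023-07-01T09:00:07Z 10.0.0.6 GET https://" + IOC_HOST.upper() + "/ 200",
    "2023-07-01T09:01:12Z 10.0.0.7 GET https://downloads.example.net/SetupBrowser.exe 200",
    "2023-07-01T09:02:30Z 10.0.0.8 GET https://www.example.com/index.html 200", "garbage line",
]
```

Calling `scan(SAMPLE)` returns one tuple per suspicious request, with the URL already defanged for pasting into a ticket.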

Malware Infection chain

The investigated RedEnergy malware has dual functionality:-

To avoid detection and make analysis more challenging, the author of this malware deliberately obfuscates the sophisticated .NET file.

Using HTTPS, the malware establishes encrypted and obfuscated communication with its command and control servers, adding to its encryption and obfuscation techniques.

Attack Chain

The complete infection chain involves three different stages:

  • Stage 1: Initial Startup
  • Stage 2: Dropping Files, Persistence, Outgoing Requests, Encrypted Files
  • Stage 3: Decryption Routine

The final payload of the infection chain drops a ransom note dubbed “read_it.txt.” The threat actors leave this note in all the encrypted folders, informing users of the ransom required for file release.

Ransom note

Based on the Zscaler analysis, it is clear that industries and organizations are confronted with constantly evolving and highly sophisticated cyber threats.

To mitigate the impact, it is essential to have strong security measures in place, ensure user awareness, and respond promptly to incidents.

Through constant vigilance and implementing cybersecurity strategies, businesses can shield valuable data from such malicious campaigns.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.