CarderPlanet
Attackers deliver malicious software through fake LinkedIn pages.
Cybersecurity experts have discovered a new threat that targets companies in the energy, telecommunications and engineering sectors in Brazil and the Philippines. The RedEnergy ransomware is distributed through fake LinkedIn pages and can both encrypt victims' data and steal it.
According to researchers from the company Zscaler, the virus has the ability to steal information from various browsers, acting as a classic infostealer. In addition, the malware includes various modules for conducting extortionate actions. The main goal of the criminals is to effectively combine data theft with encryption in order to cause maximum damage to their victims.
The multi-stage attack begins with the "FakeUpdates" campaign (also known as SocGholish), which tricks users into downloading malicious JavaScript-based software under the guise of browser updates.
The changes in the campaign reviewed by the experts consist in using real LinkedIn pages to attract victims. Those who click on the phishing URL are redirected to a fake page that offers to update their browser by clicking on the corresponding icon (Google Chrome, Microsoft Edge, Mozilla Firefox or Opera). In this case, of course, a malicious executable file is downloaded.
After the malware is downloaded and run, it establishes persistence on the system and loads the aforementioned RedEnergy, which is able to secretly collect, upload and encrypt victims' files, exposing them to the risk of potential loss, disclosure or even sale.
Zscaler researchers reported that in the reviewed campaign, they found suspicious interactions over the FTP protocol, which indicates that it is used to forward data to attackers.
During the encryption process, the malware adds a fun ".FACKOFF!" extension to each file, deleting existing backups and leaving a ransom note in each folder. Victims are asked to pay 0.005 BTC (about $150 or 13,500 rubles) to the cryptocurrency wallet specified in the ransom note in order to restore access to their files.
The small size of the ransom suggests that the hackers want to increase their chances of receiving it, as well as to capture ordinary users of home computers at the same time. And the dual purpose of RedEnergy as an information thief and ransomware encryptor demonstrates a certain evolution of the cybercrime landscape.
Zscaler experts recommend that both individuals and businesses exercise extreme vigilance and caution when accessing websites, especially those linked to LinkedIn profiles, as well as paying attention to unexpected file downloads that users didn't initiate themselves.
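The three observable stages the report describes (a browser pulling an "update" executable from a non-vendor host, an unexpected outbound FTP connection, and files being renamed with the ".FACKOFF!" extension) map to simple endpoint detections. The following is an added example, not code from the article or from Zscaler; the telemetry, hostnames, paths, vendor allow-list and approved FTP-client list are all constructed assumptions for illustration.

```python
from urllib.parse import urlparse

# Assumption: browser vendors whose download hosts are trusted for updates.
VENDOR_DOMAINS = ("google.com", "microsoft.com", "mozilla.org", "opera.com")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe"}
# Assumption: FTP clients approved at this site; anything else talking FTP is suspect.
KNOWN_FTP_CLIENTS = {"filezilla.exe", "winscp.exe"}
ENCRYPTED_SUFFIX = ".FACKOFF!"  # extension the report says RedEnergy appends

# Constructed sample telemetry (made-up hosts and paths), one dict per event.
SAMPLE_EVENTS = [
    {"type": "download", "proc": "chrome.exe",
     "url": "https://update-browser.example/ChromeUpdate.exe",
     "path": r"C:\Users\a\Downloads\ChromeUpdate.exe"},
    {"type": "download", "proc": "chrome.exe",
     "url": "https://www.google.com/chrome/ChromeSetup.exe",
     "path": r"C:\Users\a\Downloads\ChromeSetup.exe"},   # legitimate, no alert
    {"type": "net_connect", "proc": "ChromeUpdate.exe", "dst_port": 21},
    {"type": "net_connect", "proc": "filezilla.exe", "dst_port": 21},  # approved client
    {"type": "file_rename", "proc": "ChromeUpdate.exe",
     "old": r"C:\Data\report.docx", "new": r"C:\Data\report.docx.FACKOFF!"},
]

def _vendor_host(url):
    """True if the download host is a vendor domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def detect(events):
    """Return (rule, process, detail) tuples for events matching a stage of the chain."""
    alerts = []
    for e in events:
        t = e["type"]
        if (t == "download" and e["proc"] in BROWSERS
                and e["path"].lower().endswith(".exe") and not _vendor_host(e["url"])):
            alerts.append(("fake_update_download", e["proc"], e["path"]))
        elif (t == "net_connect" and e["dst_port"] == 21
                and e["proc"].lower() not in KNOWN_FTP_CLIENTS):
            alerts.append(("unexpected_ftp", e["proc"], ""))
        elif t == "file_rename" and e["new"].endswith(ENCRYPTED_SUFFIX):
            alerts.append(("redenergy_encryption", e["proc"], e["old"]))
    return alerts

def full_chain_seen(alerts):
    """True when download, FTP and encryption alerts all appear, i.e. the full chain."""
    return {a[0] for a in alerts} >= {"fake_update_download", "unexpected_ftp",
                                      "redenergy_encryption"}

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The extension-rename rule fires only after encryption has started, so the download and FTP rules are the ones that give a chance to respond before data is lost.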