Malware

RedEnergy Stealer-as-a-Ransomware employed in attacks in the wild

RedEnergy is a sophisticated stealer-as-a-ransomware that was employed in attacks targeting energy utilities, oil, gas, telecom, and machinery sectors.

Zscaler ThreatLabz researchers discovered a new Stealer-as-a-Ransomware named RedEnergy used in attacks against energy utilities, oil, gas, telecom, and machinery sectors.

The malware allows operators to steal information from various browsers, it also supports ransomware capabilities.

Threat actors are distributing the threat masqueraded as fake web browser updates.

“The sample Stealer-as-a-Ransomware variant analyzed in this case study employs a deceptive FAKEUPDATES campaign to lure in its targets, tricking them into promptly updating their browsers. Once inside the system, this malicious variant stealthily extracts sensitive information and proceeds to encrypt the compromised files.” reads the analysis published by Zscaler.

Threat actors used reputable LinkedIn pages to target victims, including the Philippines Industrial Machinery Manufacturing Company and multiple organizations in Brazil. 

Threat actors employ a multi-stage attack chain, the attack starts when users click to visit the targeted company’s website through their LinkedIn profile.

The users are redirected to a rogue website that instructs them into installing a seemingly legitimate browser update. The downloaded file is an executable file known as RedStealer.

Regardless of which browser icon the user clicks on, they are redirected to the same URL (www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe) which downloads the file setupbrowser.exe.

“What makes this threat campaign even more insidious is the use of a deceptive download domain called www[.]igrejaatos2[.]org. This domain serves as a disguise, presenting itself as a ChatGpt site to lure victims into downloading a fake offline version of ChatGpt.” continues the analysis. “However, upon downloading the purported ChatGpt zip file, the victim unknowingly obtains the same malicious executable mentioned earlier.”

The RedEnergy sample analyzed by the researchers is written in .NET file, it supports advanced capabilities to evade detection and anti-analysis features. The malware communicates with the command and control servers through HTTPS.

The malware maintains persistence by storing the files in the Windows startup directory and creating an entry within the start menu (Start Menu\Programs\Startup).

The researchers also observed a suspicious activity involving File Transfer Protocol (FTP), a circumstance that suggests threat actors used the protocol for data exfiltration.

In the last stage of the attack, the stealer uses the ransomware modules to encrypt the user’s data. It appends the “.FACKOFF!” extension to encrypted files and deletes backups.

“The final stage of the malware execution involves the deletion of shadow drive data and Windows backup plans, solidifying its ransomware characteristics. A batch file is executed, and a ransom note is dropped, demanding payment in exchange for decrypting the files. Furthermore, the malware exhibits stealer functionalities, enabling the theft of user data.” concludes the report which also includes Indicators of Compromise (IOCs). “Overall, this analysis highlights the evolving and highly sophisticated nature of cyber threats targeting various industries and organizations. It emphasizes the critical importance of implementing robust security measures, fostering user awareness, and ensuring prompt incident response to effectively mitigate the impact of such attacks. By remaining vigilant and implementing comprehensive cybersecurity strategies, businesses can better protect themselves against these malicious campaigns and safeguard their valuable data.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RedStealer)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Apple, Oracle Agile PLM bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple, Oracle Agile PLM bugs to its…

13 hours ago

More than 2,000 Palo Alto Networks firewalls hacked exploiting recently patched zero-days

Threat actors already hacked thousands of Palo Alto Networks firewalls exploiting recently patched zero-day vulnerabilities.…

17 hours ago

Ransomhub ransomware gang claims the hack of Mexican government Legal Affairs Office

Mexico is investigating a ransomware attack targeting its legal affairs office, as confirmed by the…

1 day ago

US DoJ charges five alleged members of the Scattered Spider cybercrime gang

The U.S. Justice Department charged five suspects linked to the Scattered Spider cybercrime gang with…

1 day ago

Threat actor sells data of over 750,000 patients from a French hospital

A threat actor had access to electronic patient record system of an unnamed French hospital,…

2 days ago

Decade-old local privilege escalation bugs impacts Ubuntu needrestart package<gwmw style="display:none;"></gwmw>

Decade-old flaws in the needrestart package in Ubuntu Server could allow local attackers to gain…

2 days ago

This website uses cookies.