The Zscaler ThreatLabz security team has issued a warning about a new malware variant called RedEnergy Stealer, which it categorizes as a hybrid Stealer-as-a-Ransomware (SaaR) threat. This new malware category combines data theft with encryption, allowing it to inflict maximum damage on the victim. The stealer uses a fake browser update campaign to target vertical industries such as utilities, oil and gas, and telecommunications providers. The malware can steal information from several browsers and is therefore able to extract sensitive data. In addition, it includes various modules for carrying out ransomware activity. Attacked companies face the loss of sensitive data,
The stealer variant studied by ThreatLabz analysts uses a deceptive fake updates campaign to trick people at targeted companies into updating their browsers, relying on a redirection technique. When trying to reach a company website via its LinkedIn profile, unsuspecting users are redirected to a site carrying malicious code. There they are prompted to install an apparently legitimate browser update, offered under four different browser icons. Instead of a real update, however, the RedEnergy Stealer executable is loaded onto their system.
The malware works in several stages. It starts by executing malicious files disguised as a browser update for popular browsers such as Google Chrome, Microsoft Edge, Firefox or Opera. The attack is superficially hidden behind a genuine certificate to inspire trust in the user. In the second phase, further data is downloaded and persistence on the system is established. The malware installs four files on the victim's system, two of which are executable and follow the same naming scheme. Only one of the files carries the actual payload, which is loaded in the background while the other files mimic the browser update process. To ensure the desired persistence on the system, malicious,
Suspicious FTP interactions indicate possible data exfiltration and unauthorized file uploads. The malware contains ransomware modules that encrypt user data, appending the “.FACKOFF!” extension, so that the files are no longer accessible until a ransom is paid. It also modifies the desktop.ini file to evade detection and change file system folder display settings. In the final phase, the malware deletes shadow copy data and Windows backup plans, thereby reinforcing its ransomware characteristics. RedEnergy Stealer drops a batch file and a ransom note on affected systems, demanding payment for decrypting the files.
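The behaviours listed above (renames to the “.FACKOFF!” extension, changes to desktop.ini, destruction of shadow copies and backup plans, outbound FTP) are exactly the kind of signals a detection engineer would correlate. The following is an added example, not Zscaler's code or part of their report: it runs a small set of indicator rules over endpoint telemetry records and classifies the stage of activity. The telemetry lines are constructed for this example, the event format (type, detail) is an assumption, and the vssadmin/wbadmin commands are used only as typical examples of shadow copy and backup catalog deletion, not as commands taken from the page.

```python
"""Indicator matching for the RedEnergy-style behaviours described above.

Added example, not Zscaler's code. Telemetry records are constructed;
their (event_type, detail) shape is an assumption for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed telemetry, not real captures.
SAMPLE_EVENTS = [
    ("file_rename", r"C:\Users\alice\Documents\q3-report.xlsx -> C:\Users\alice\Documents\q3-report.xlsx.FACKOFF!"),
    ("file_rename", r"C:\Users\alice\Pictures\img001.jpg -> C:\Users\alice\Pictures\img001.jpg.FACKOFF!"),
    ("file_write", r"C:\Users\alice\Documents\desktop.ini"),
    # Assumed typical commands for the backup destruction the article describes.
    ("process", "vssadmin.exe delete shadows /all /quiet"),
    ("process", "wbadmin.exe delete catalog -quiet"),
    ("network", "proto=tcp dst=203.0.113.10 dport=21 dir=outbound"),
    ("file_write", r"C:\Users\alice\Desktop\notes.txt"),
    ("network", "proto=tcp dst=198.51.100.5 dport=443 dir=outbound"),
]


@dataclass(frozen=True)
class Indicator:
    name: str          # short label used in the result
    event_type: str    # which telemetry type the rule applies to
    pattern: re.Pattern


INDICATORS = [
    # Encrypted files carry the ".FACKOFF!" extension named in the article.
    Indicator("ransom_extension", "file_rename", re.compile(r"\.FACKOFF!$")),
    # Modification of desktop.ini (folder display settings / detection evasion).
    Indicator("desktop_ini", "file_write", re.compile(r"(?i)[\\/]desktop\.ini$")),
    # Shadow copy or backup catalog deletion, the final ransomware phase.
    Indicator("backup_destruction", "process",
              re.compile(r"(?i)\b(vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog)\b")),
    # Outbound FTP control channel, the exfiltration signal.
    Indicator("ftp_outbound", "network", re.compile(r"\bdport=21\b.*dir=outbound")),
]


def score_events(events):
    """Return {indicator_name: hit_count} for every rule that fired."""
    hits = Counter()
    for event_type, detail in events:
        for ind in INDICATORS:
            if ind.event_type == event_type and ind.pattern.search(detail):
                hits[ind.name] += 1
    return dict(hits)


def classify(events):
    """Map the fired indicators to the attack stage the article describes."""
    names = set(score_events(events))
    if {"ransom_extension", "backup_destruction"} <= names:
        return "ransomware stage: encryption plus backup destruction"
    if "ransom_extension" in names:
        return "ransomware stage: encryption"
    if names & {"ftp_outbound", "desktop_ini"}:
        return "suspicious: possible exfiltration or persistence"
    return "benign"


if __name__ == "__main__":
    for name, count in sorted(score_events(SAMPLE_EVENTS).items()):
        print(f"{name}: {count}")
    print("verdict:", classify(SAMPLE_EVENTS))
```

The rules are deliberately split by stage: a single outbound FTP connection or a desktop.ini write is only suspicious on its own, while file renames to the ransom extension combined with shadow copy or backup deletion is a strong signal that the encryption phase has already begun and response should move to containment rather than investigation.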
Conclusion
The technical analysis of the malware has revealed its dual functionality as a stealer and ransomware, an alarming development compared with conventional attacks. The campaigns analyzed show the further evolution of attack methods and a specialization in particular industries and organizations. These novel Stealer-as-a-Ransomware campaigns underline the importance of robust security measures and the need to raise user awareness of new attack patterns.