
The fake Cisco VPN login page. | Image: CATALYST
A new and highly sophisticated threat actor, LARVA-208, also known as EncryptHub, has been launching targeted spear-phishing attacks since June 26, 2024. According to a report from CATALYST, this group has been exploiting social engineering, phishing sites, and remote monitoring tools to infiltrate corporate networks and deploy ransomware.
LARVA-208 differentiates itself by relying on highly convincing social engineering techniques. Rather than relying solely on email phishing, they use smishing (SMS phishing) and vishing (voice phishing) to gain initial access.
“In the attacks it has carried out, it exhibits a different operational strategy by carrying out all the processes necessary to obtain initial access through personalized SMS (smishing) or by calling the person directly (vishing) and tricking the victim into installing remote monitoring and management (RMM) software,” the report explains.
Once an employee is convinced they are speaking with an IT staff member, they are guided to enter their VPN credentials on a fraudulent phishing site or install RMM software such as AnyDesk, Atera, GoTo Resolve, ScreenConnect, and TeamViewer.
LARVA-208 has acquired at least 70 domain names that impersonate VPN login portals from Cisco, Palo Alto, and Fortinet to steal employee credentials.
“Threat actor has purchased 70 domain names that imitate VPN products, including those from Cisco, Palo Alto, and Fortinet, and has used these domains in their attacks,” the report warns.
This approach enables attackers to bypass multifactor authentication (MFA) by harvesting the victim’s one-time passcodes (OTPs) during real-time phone conversations. Once the credentials are stolen, the victim is redirected to the real VPN login page to avoid suspicion.
Another attack vector used by LARVA-208 involves the manipulation of Microsoft Teams links. Instead of building a fake Microsoft login page, they abuse open redirect vulnerabilities on Microsoft’s own domains to intercept user credentials.
“Rather than creating a phishing page by replicating Microsoft’s login interface, LARVA-208 exploits Open URL Redirection parameters on microsoftonline.com to harvest victims’ email addresses, usernames, and passwords.”
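A defender-side triage check for the open-redirect pattern described above, written as an added example that is not part of the CATALYST report: it walks the query parameters of a sign-in link and flags any value that is itself an absolute (or protocol-relative) URL pointing to a host outside a trusted Microsoft suffix list, including values nested one or more encoding layers deep. The trusted suffix list, the parameter names, and the sample links are assumptions constructed for the example; the report does not name the vulnerable parameter.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Assumed allow list of hosts a Microsoft sign-in flow may legitimately bounce to.
# Tune this for your tenant; it is an assumption for the example, not from the report.
TRUSTED_SUFFIXES = ("microsoftonline.com", "microsoft.com", "office.com", "live.com")


def host_trusted(host):
    """True if host equals or is a subdomain of a trusted suffix."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def find_external_redirects(url, depth=3):
    """Return (param_name, target_host) pairs for query values that are URLs
    to untrusted hosts. Recurses into nested URLs so double-encoded or
    chained redirect targets are not missed."""
    findings = []
    for name, values in parse_qs(urlparse(url).query, keep_blank_values=True).items():
        for value in values:
            candidate = unquote(value)          # parse_qs decoded once; handle double encoding
            inner = urlparse(candidate)
            # Absolute http(s) URL or protocol-relative //host/... both redirect off-site
            if inner.netloc and inner.scheme in ("", "http", "https"):
                if not host_trusted(inner.hostname):
                    findings.append((name, inner.hostname))
                if depth > 0:
                    findings.extend(find_external_redirects(candidate, depth - 1))
    return findings


def is_suspicious_signin_link(url):
    """A trusted sign-in host whose parameters redirect off-site is the pattern to escalate."""
    return host_trusted(urlparse(url).hostname) and bool(find_external_redirects(url))


# Constructed sample links (example.invalid stands in for an attacker-controlled host)
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc"
    "&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2F",
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcollect",
    "https://login.microsoftonline.com/?redirect_uri=https%3A%2F%2Fteams.microsoft.com"
    "%2F%3Fnext%3Dhttps%253A%252F%252Fexample.invalid%252Fharvest",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(is_suspicious_signin_link(link), find_external_redirects(link))
```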
Once LARVA-208 has gained access to a system, they deploy various info-stealers using custom-developed PowerShell scripts. Some of the notable malware families they leverage include:
- StealC
- Rhadamanthys
- Fickle Stealer
These stealers extract browser-stored credentials, session tokens, and system information, which are then exfiltrated to the attacker’s Command & Control (C2) servers. “In most attacks conducted by LARVA-208, ransomware was utilized in the final stage to encrypt the victim’s device and demand a ransom.”
After harvesting credentials and exfiltrating sensitive data, LARVA-208 deploys ransomware payloads to encrypt files and demand cryptocurrency payments. The ransomware, dubbed Locker.ps1, uses AES encryption to lock victim files and leaves a ransom note directing victims to contact the attackers via Telegram.
The ransom note instructs the victim to contact the Telegram user t.me/encrypthub to facilitate the ransom payment. Additionally, LARVA-208 has been observed using RansomHub and BlackSuit ransomware in its campaigns.
The CATALYST report indicates that LARVA-208 has compromised at least 618 organizations since June 2024. Many of these incidents resulted in full ransomware deployment, leading to widespread data loss and operational disruptions.