A new and highly sophisticated threat called RedEnergy has emerged, targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines. This threat combines the functionalities of a stealer and ransomware, posing a significant risk to its victims. Researchers at Zscaler have conducted a detailed analysis of RedEnergy, shedding light on its advanced capabilities and attack techniques.

RedEnergy possesses the ability to steal information from various browsers, allowing sensitive data to be exfiltrated. It also incorporates modules for carrying out ransomware activities. According to Shatak Jain and Gurkirat Singh, researchers at Zscaler, the attackers’ objective is to couple data theft with encryption, aiming to cause maximum harm to the victims.


The attack begins with a FakeUpdates campaign, leveraging social engineering tactics to trick users into downloading JavaScript-based malware disguised as web browser updates. However, what sets RedEnergy apart is its utilization of reputable LinkedIn pages to target victims.


Clicking on website URLs associated with these LinkedIn profiles redirects users to a deceptive landing page, where they are prompted to update their web browsers by clicking on the appropriate icon (Google Chrome, Microsoft Edge, Mozilla Firefox or Opera). Unfortunately, this results in the download of a malicious executable file.

Upon successful infiltration, the malicious binary establishes persistence, performs the actual browser update, and deploys a stealer component that secretly harvests sensitive information and encrypts stolen files. This combination leaves the victims vulnerable to potential data loss, exposure, or even the sale of their valuable data. Suspicious interactions observed over a File Transfer Protocol (FTP) connection indicate the possibility of exfiltrating valuable data to infrastructure controlled by the threat actors.


In the final stage of the attack, RedEnergy’s ransomware component encrypts the user’s data, appending the .FACKOFF! extension to each encrypted file, deletes existing backups, and drops a ransom note in every affected folder. To regain access to their files, victims are instructed to make a payment of 0.005 BTC (approximately $151) to a specified cryptocurrency wallet.
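The two file-system symptoms the article attributes to the final stage (files renamed with the .FACKOFF! extension and a ransom note dropped in every affected folder) can be checked for with a small triage script. The following is an added example written for this page, not code from Zscaler or from the malware analysis; the ransom-note filename READ_ME.txt is an assumed placeholder, since the article does not name it, and the sample tree is constructed inline.

```python
import os
import tempfile
from pathlib import Path

# Extension the article reports RedEnergy appending to encrypted files.
ENCRYPTED_EXT = ".FACKOFF!"
# The article does not give the ransom-note filename; this is an assumed placeholder.
RANSOM_NOTE_NAME = "READ_ME.txt"


def scan_tree(root):
    """Walk `root` and return a sorted list of directories (relative to root)
    showing both symptoms together: at least one file ending in the
    .FACKOFF! extension and a ransom note sitting beside it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.endswith(ENCRYPTED_EXT)]
        has_note = RANSOM_NOTE_NAME in files
        if encrypted and has_note:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data: one untouched folder and two folders that
    mimic the post-encryption state described in the article."""
    root = Path(tempfile.mkdtemp())
    (root / "clean").mkdir()
    (root / "clean" / "report.docx").write_text("unaffected document")
    for folder in ("finance", "hr"):
        d = root / folder
        d.mkdir()
        (d / ("budget.xlsx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)
        (d / RANSOM_NOTE_NAME).write_text("constructed ransom note text")
    return str(root)


if __name__ == "__main__":
    for d in scan_tree(build_sample_tree()):
        print("ransomware symptoms in:", d)
```

Run it against a mounted copy of a suspect share rather than the live host so the triage itself does not alter file timestamps that an investigation may later need.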

This dual functionality of RedEnergy as both a stealer and ransomware represents an alarming evolution in the cybercrime landscape.


Indicators of Compromise (IoCs)


MITRE ATT&CK Map

ID         Tactic            Technique
T1036      Defense Evasion   Masquerading
T1185      Collection        Browser Session Hijacking
T1070.006  Defense Evasion   Timestomp
T1560      Collection        Archive Collected Data
T1027      Defense Evasion   Obfuscated Files or Information
T1562.001  Defense Evasion   Disable or Modify Tools