A highly malicious stealer-ransomware by the name of REdEnergy has been observed on the rise, targeting energy utilities in the oil and gas industry and telecommunications companies in Brazil and the Philippines.
The threat, which targets these industries' LinkedIn pages, is sophisticated enough to steal credentials from several web browsers, enabling the exfiltration of sensitive personal data, and it uses different modules to propagate its activity.
Goal of the REdEnergy Malware:
According to researchers, the goal of the REdEnergy malware is to steal data and then encrypt it, with the ultimate aim of inflicting damage on the compromised victims.
The first step of the multi-stage propagation is a FakeUpdate (SocGholish) campaign that lures victims into downloading JavaScript-based malware under the pretext of updating their current browser version.
HOW IS THE MALWARE DISTRIBUTED?
The method, a form of social engineering, uses the LinkedIn pages of reputable individuals to reach its victims.
A malicious link redirects users who click it to another website, which prompts them to update their web browser by clicking the icon matching their browser (e.g., Google Chrome, Microsoft Edge, Mozilla Firefox, or Opera) to download the executable.
The downloaded file, which is the malicious executable, is then installed on the device. After a successful installation, the malicious binary establishes persistence, actually performs the browser update, and drops a stealer that stealthily harvests sensitive data and then encrypts the stolen files, leaving victims exposed to a breach of the CIA triad (confidentiality, integrity, and availability).
According to Zscaler, the suspicious interaction takes place over the FTP protocol, which raises the suspicion that valuable sensitive data is being exfiltrated to a malicious server owned by the attacker.
END GAME OF THE MALWARE:
The end game of the malware is to encrypt the user's (victim's) data, appending the file extension "*FACKOFF!" to each file that was successfully encrypted.
It then deletes the users' original, uncorrupted files together with their existing backups on the system, and finally drops a ransom note in each folder that contains encrypted files.
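As an added example (not code from the original post or from Zscaler), the following Python script applies a defender-side heuristic to constructed file-system audit events: it flags a burst of renames to the reported *FACKOFF! extension and lists the affected folders and any deletions under backup paths. The event line format, the suffix being appended as ".FACKOFF!", the 60-second window and the threshold of three renames are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Suffix the post reports REdEnergy appending to encrypted files ("*FACKOFF!").
ENCRYPTED_SUFFIX = "FACKOFF!"

# Constructed sample audit events (not real telemetry), one per line:
# "<ISO timestamp> <action> <path>[ -> <new path>]". The burst mimics an encryption run.
SAMPLE_EVENTS = """\
2023-07-01T10:00:01 RENAME C:/Users/alice/Documents/report.docx -> C:/Users/alice/Documents/report.docx.FACKOFF!
2023-07-01T10:00:01 RENAME C:/Users/alice/Documents/budget.xlsx -> C:/Users/alice/Documents/budget.xlsx.FACKOFF!
2023-07-01T10:00:02 RENAME C:/Users/alice/Pictures/holiday.jpg -> C:/Users/alice/Pictures/holiday.jpg.FACKOFF!
2023-07-01T10:00:02 DELETE C:/Backups/alice/report.docx.bak
2023-07-01T10:00:03 RENAME C:/Users/alice/Desktop/notes.txt -> C:/Users/alice/Desktop/notes.txt.FACKOFF!
2023-07-01T11:30:00 RENAME C:/Users/alice/Documents/draft.docx -> C:/Users/alice/Documents/final.docx
"""

EVENT_RE = re.compile(r"^(\S+) (RENAME|DELETE|CREATE) (.+?)(?: -> (.+))?$")

def parse_events(text):
    """Parse the assumed audit format into (timestamp, action, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, action, src, dst = m.groups()
        events.append((datetime.fromisoformat(ts), action, src, dst))
    return events

def detect_redenergy_activity(text, window_seconds=60, min_renames=3):
    """Alert when >= min_renames renames to the FACKOFF! suffix land within window_seconds.
    Also report affected folders and deletions under backup paths (assumed naming)."""
    events = parse_events(text)
    hits = [(ts, dst) for ts, action, _, dst in events
            if action == "RENAME" and dst and dst.endswith("." + ENCRYPTED_SUFFIX)]
    hits.sort()
    window = timedelta(seconds=window_seconds)
    best = []
    # Sliding window: keep the largest group of suffix renames inside one window.
    for i, (start, _) in enumerate(hits):
        group = [h for h in hits[i:] if h[0] - start <= window]
        if len(group) > len(best):
            best = group
    alert = len(best) >= min_renames
    folders = sorted({dst.rsplit("/", 1)[0] for _, dst in best})
    backup_deletes = [src for _, action, src, _ in events
                      if action == "DELETE" and "backup" in src.lower()]
    return alert, {"encrypted_renames": len(best), "folders": folders,
                   "backup_deletions": backup_deletes}
```

Running `detect_redenergy_activity(SAMPLE_EVENTS)` on the constructed sample returns an alert with four suffix renames across three folders and one backup deletion, while the benign rename at 11:30 is ignored.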
In summary, FixitgearwareSecurity advises users to be very suspicious of the links they click or visit; if they are unsure about a particular link or have a bad feeling about a page, they should refrain from visiting it. Always update not just your browser but other installed applications from the vendors' legitimate websites.
Also, even when you update these applications from the appropriate vendor's website, keep an eye on the community forums for security information and update-related news.
Put your comments below in the comment section on your thoughts about this.