A sophisticated stealer-as-a-ransomware threat dubbed RedEnergy has been observed in the wild targeting the energy utilities, oil, gas, telecommunications, and engineering sectors in Brazil and the Philippines via their LinkedIn pages.
The malware “has the ability to steal information from multiple browsers, enabling the exfiltration of sensitive data, while also bundling multiple modules to perform ransomware activity,” Zscaler researchers Shatak Jain and Gurkirat Singh said in a recent analysis.
The goal, the researchers note, is to combine data theft with encryption so as to inflict maximum damage on the victim.
What sets it apart is its use of a prominent LinkedIn page to reach victims: users who click the website URL are redirected to a bogus landing page asking them to update their web browser by clicking the icon for their browser (Google Chrome, Microsoft Edge, Mozilla Firefox, or Opera). Doing so downloads a malicious executable instead.
Once executed, the malicious binary serves as a conduit to establish persistence, perform the actual browser update, and drop the stealer, which surreptitiously harvests sensitive information and encrypts the stolen files, exposing the victim to potential loss, exposure, or even sale of their valuable data.
Zscaler says it found suspicious interactions over File Transfer Protocol (FTP) connections, raising the likelihood that valuable data is being exfiltrated to actor-controlled infrastructure.
In the final stage, the RedEnergy ransomware component encrypts user data, appending the “.FACKOFF!” extension to every encrypted file, deletes existing backups, and drops a ransom note in every folder.
Victims are expected to pay 0.005 BTC (approximately $151) to the cryptocurrency wallet mentioned in the note to regain access to their files. RedEnergy’s dual function as stealer and ransomware represents an evolution of the cybercrime landscape.
The development also follows the emergence of a new RAT-as-a-ransomware threat category, in which remote access trojans such as Venom RAT and Anarchy Panel RAT have been equipped with a ransomware module to lock files of various extensions behind encryption.
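As an added illustration of how a defender might spot the encryption stage described above (this is not code from the article or from Zscaler), the following Python sketch flags any process that renames many files to the reported “.FACKOFF!” extension within a short window. The log format, process ids and paths are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".FACKOFF!"  # extension the analysis reports for encrypted files

# Constructed sample file-activity log in an assumed "time|pid|action|path"
# format; pid 4120 plays the encryptor, the other pids are ordinary activity.
SAMPLE_LOG = """\
2023-07-05T10:00:00|900|write|C:\\Users\\a\\Documents\\notes.docx
2023-07-05T10:00:02|4120|rename|C:\\Users\\a\\Documents\\q1.xlsx.FACKOFF!
2023-07-05T10:00:02|4120|rename|C:\\Users\\a\\Documents\\q2.xlsx.FACKOFF!
2023-07-05T10:00:03|4120|rename|C:\\Users\\a\\Pictures\\cat.jpg.FACKOFF!
2023-07-05T10:00:05|777|rename|C:\\Users\\a\\Documents\\old.cfg.bak
2023-07-05T10:00:07|4120|rename|C:\\Users\\a\\Desktop\\plan.pdf.FACKOFF!
2023-07-05T10:00:09|4120|rename|C:\\Users\\a\\Desktop\\todo.txt.FACKOFF!
2023-07-05T10:45:00|5555|rename|C:\\temp\\one.txt.FACKOFF!
"""

def parse(log_text):
    """Yield (time, pid, action, path) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, action, path = line.split("|", 3)
        yield datetime.fromisoformat(ts), int(pid), action, path

def find_ransomware_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {pid: total_count} for every process that renamed at least
    `threshold` files to RANSOM_EXT inside any `window`. A single stray
    rename (pid 5555 above) stays below the bar and is not reported."""
    per_pid = defaultdict(list)
    for ts, pid, action, path in parse(log_text):
        if action == "rename" and path.endswith(RANSOM_EXT):
            per_pid[pid].append(ts)
    alerts = {}
    for pid, times in per_pid.items():
        times.sort()
        start = 0
        for end in range(len(times)):       # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[pid] = len(times)
                break
    return alerts

if __name__ == "__main__":
    for pid, n in find_ransomware_bursts(SAMPLE_LOG).items():
        print(f"ALERT pid {pid}: {n} files renamed to {RANSOM_EXT}")
```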
“It is critical that individuals and organizations exercise caution when accessing websites, especially those linked from LinkedIn profiles,” the researchers said. “Vigilance in verifying the authenticity of browser updates and being alert to unexpected file downloads is critical to protecting against such malicious campaigns.”