
Since 2024, a new cybercriminal group has been targeting companies with sophisticated and evasive techniques. Our Incident Response team has intervened several times to contain it; in this article we analyse its modus operandi and give practical recommendations for defending against it.


The paradox of morality

The group in question is Interlock, a criminal hacker group that emerged in 2024 and operates through ransomware and double extortion. It targets organisations across different sectors and, in Europe, has hit several manufacturing companies, which indicates that it has no specific target profile and is simply driven by opportunity.

The group's name derives from International Locker. It stands out for the high level of sophistication of its attacks and for its use of evasive techniques, which make both identifying it and analysing its modus operandi particularly complex.

They claim to be driven, in part, by a desire to make companies aware of their poor cybersecurity posture, a bit like Jigsaw did with his victims in the 'Saw' saga. Once a victim has been compromised, it is published on the group's data leak site, known as the 'Worldwide Secrets Blog', to increase the pressure on the company involved and push it to pay the ransom.

In some attacks the initial compromise occurs via a bogus Google Chrome update downloaded from a legitimate website that has previously been compromised. The 'update' is in fact a remote access tool: once launched, it collects information about the victim host and establishes an initial connection to a C2 server. This is followed by initial reconnaissance, persistence and lateral movement, until the ransomware is executed and the ransom demanded.
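The fake-update lure described above leaves a simple trace on the endpoint: a binary whose name imitates a Chrome update or installer, launched from a user-writable directory (or straight from the browser that downloaded it), whereas genuine Chrome updates are applied by Google's own updater from Program Files. The following triage script is an added example, not code from the original article or from CYBEROO. It assumes Sysmon-style process-creation events exported as JSON lines with the usual Image, ParentImage and ProcessId fields; the sample events are constructed for illustration, and the default Google updater paths are an assumption.

```python
"""Triage process-creation events for fake "Chrome update" lures.

Added example (not from the article). Input: Sysmon Event ID 1 records as JSON
lines. The sample events below are constructed, not real telemetry.
"""
import json
import re
from pathlib import PureWindowsPath

# File names that imitate a browser update or installer.
LURE_NAME_RE = re.compile(r"(chrome|google).*(update|setup|install)", re.IGNORECASE)

# Where the genuine Google updater runs from (assumption: default install paths).
LEGIT_UPDATER_RE = re.compile(
    r"^[a-z]:\\program files( \(x86\))?\\google\\update\\", re.IGNORECASE
)

# Path fragments that indicate a user-writable location, i.e. where a drive-by
# download lands rather than where software is installed.
USER_WRITABLE_MARKERS = (
    "\\downloads\\", "\\desktop\\", "\\temp\\", "\\appdata\\", "\\programdata\\",
)

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def classify(event):
    """Return a reason string if the event looks like a fake browser update, else None."""
    image = event.get("Image", "")
    name = PureWindowsPath(image).name
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()

    if not LURE_NAME_RE.search(name):
        return None
    if LEGIT_UPDATER_RE.search(image):
        return None  # Google's own updater, installed under Program Files
    if parent in BROWSERS:
        return "update-named binary spawned directly by a browser"
    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        return "update-named binary running from a user-writable directory"
    return None


def triage(lines):
    """Parse JSON-line events and return the ones matching the heuristic."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            hits.append({
                "pid": event.get("ProcessId"),
                "image": event.get("Image"),
                "parent": event.get("ParentImage"),
                "reason": reason,
            })
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Users\alice\Downloads\ChromeUpdate.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ProcessId": 812, "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 3344, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5208, "Image": r"C:\Users\bob\AppData\Local\Temp\GoogleChromeSetup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 6011, "Image": r"C:\Users\bob\Downloads\ChromeSetup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f"[{hit['pid']}] {hit['image']} (parent: {hit['parent']}): {hit['reason']}")
```

The last sample event shows the expected false positive: a genuine Chrome installer that a user downloaded from Google will also be flagged, so the output is a triage queue, not a verdict. Confirm each hit by checking the file's Authenticode signature and hash before treating it as an incident; a lure that spawns further processes or opens an outbound connection shortly after launch is the one to escalate.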


Supper: unseen backdoor

The most interesting element to emerge from our investigations is the use of a new backdoor, called Supper, which had never been documented before. Our threat intelligence analysis suggests that this backdoor was developed in early summer 2024. Some 'test' samples were uploaded to public malware analysis platforms in early August, probably to gauge its effectiveness and evasiveness against detection engines.

Through reverse engineering of the malware used by Interlock, we found that certain portions of Supper's code are flagged by several antivirus engines as potentially belonging to the DEV-0832 group (also known as Vanilla Tempest), a financially motivated threat actor tracked by Microsoft that has been active for years and has deployed several ransomware families.

We also identified similarities and links with SocGholish (also known as FakeUpdates), a JavaScript loader injected into compromised websites that presents itself as a browser update and downloads further malware. This in turn could lead back to the threat actor Storm-0494, known from intelligence sources to 'collaborate' with other criminal groups.

Although several links to the above-mentioned groups have been found, it is still too early to draw conclusions: attribution is always the most complex part of an investigation, and the risk of getting it wrong is real.

Curiously, Supper is also detected as Rhysida, a ransomware that appeared in May 2023 and is known for its rapid spread and its ability to circumvent security controls. Like many other ransomware families, Rhysida operates in RaaS (Ransomware-as-a-Service) mode, offering its malware 'for rent' to other cybercriminals.


Inter-gang connections?

These findings suggest either that individuals with links to DEV-0832, Rhysida and Storm-0494 are behind Interlock or, more likely, that cybercriminals move from one group to another according to opportunity and profit, reusing tools and skills acquired elsewhere.

This ‘fluidity’ between criminal groups is an increasingly common phenomenon in the cyber security landscape, which makes attack attribution and threat prevention even more difficult.


Recommendations

The emergence of Interlock underlines the importance of a proactive approach to cyber security, with round-the-clock monitoring and response capabilities. It is crucial to keep systems up to date, implement multi-layered security controls and raise staff awareness of cybercrime risks, including fake browser-update lures of the kind described above.

It is equally important to prepare for a possible attack by drawing up an effective and structured Incident Response plan. This plan must clearly define roles and responsibilities, the procedures to follow and the communication channels to use in the event of an incident.

Analysis by Simone Marinari – Incident Response Lead, CYBEROO