Full Report
The financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers and ransomware, while also working on a new product called EncryptRAT. "EncryptHub has been observed targeting users of popular applications, by distributing trojanized versions," Outpost24 KrakenLabs said in a new report shared with The
Analysis Summary
# Threat Actor: EncryptHub
## Attribution & Identity
- **Primary Name:** EncryptHub
- **Aliases/Tracking IDs:** LARVA-208 (tracked by PRODAFT)
- **Affiliations:** Assessed to be affiliated with RansomHub and Blacksuit ransomware groups.
## Activity Summary
EncryptHub is a financially motivated threat actor observed orchestrating sophisticated, multi-stage phishing campaigns since at least the end of June 2024. Their activities focus on initial access through social engineering and trojanized applications, leading to the deployment of information stealers and ultimately ransomware. They are actively developing a new command-and-control product named **EncryptRAT**. The actor has been noted for making operational security errors.
## Tactics, Techniques & Procedures
- **Initial Access:**
  - Sophisticated social engineering involving **vishing** (voice phishing) and **smishing** (SMS phishing).
  - Creating convincing phishing sites that mimic target organizations to harvest VPN credentials.
  - Sending fake Microsoft Teams links via SMS/text messages.
  - Distributing **trojanized versions** of popular legitimate applications (e.g., QQ Talk, WeChat, Microsoft Visual Studio 2022, Palo Alto GlobalProtect) for initial access.
  - Purchasing bulk malware installs via third-party **Pay-Per-Install (PPI) distribution services** such as LabInstalls.
- **Execution/Persistence:**
  - Running **PowerShell scripts** after initial access.
- **Defense Evasion:** Incorporating exploits for popular security flaws into attack campaigns.
- **Command and Control:** Developing **EncryptRAT** to manage infections, issue remote commands, and access stolen data.
- *No specific MITRE ATT&CK IDs were mentioned in the source article.*
## Targeting
- **Sectors:** Multiple industries; the source describes high-value targets across various sectors without naming specific ones.
- **Geography:** Not explicitly detailed, but likely global given the breadth of the tooling and social engineering used.
- **Victims:** High-value targets; victims whose VPN credentials are sought.
## Tools & Infrastructure
- **Malware Families Used:**
  - Information Stealers: Fickle, StealC, Rhadamanthys.
  - Next-Stage Payloads: Kematian Stealer (used for cookie theft).
  - Custom C2 Tool: EncryptRAT (under development).
- **Infrastructure:**
  - Hosting services: bulletproof providers such as **Yalishand**.
  - Distribution service: **LabInstalls** (a PPI service advertised on the Russian-speaking underground forum XSS).
## Implications
EncryptHub represents a rapidly evolving, financially motivated threat actor moving towards commercializing its tools (EncryptRAT). Its use of established PPI services combined with advanced social engineering (vishing/smishing) and the deployment of multiple well-known stealers indicates a refined, multi-stage infection chain aimed at maximizing data exfiltration before executing ransomware.
## Mitigations
- Implement multi-layered security strategies.
- Remain vigilant against sophisticated social engineering tactics like vishing and smishing focused on credential harvesting (especially VPN).
- Scrutinize software installation requests and sources, particularly for trojanized versions of common collaboration and security software (VPN clients, meeting apps).
- Deploy behavioral monitoring tools capable of detecting suspicious PowerShell execution following application installation.
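The last mitigation, shown as an added example that is not from the report or from Outpost24: a small correlation rule over constructed Sysmon-style process-creation events that flags PowerShell starting shortly after an installer-like process on the same host, scoring higher when PowerShell is the installer's direct child or its command line carries classic evasion flags. The event fields, the 10-minute window and the flag list are assumptions, not values from the page.

```python
# Added example, not code from the Outpost24 report: correlate installer-like process
# starts with PowerShell launched shortly afterwards on the same host (the behaviour the
# last mitigation asks monitoring to catch). Event shape and telemetry are constructed.
from datetime import datetime, timedelta

INSTALLER_HINTS = ("setup", "install", "msiexec")
EVASION_FLAGS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop", "bypass", "downloadstring")
WINDOW = timedelta(minutes=10)   # assumption: how long after an install to keep watching

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def is_installer(image):
    return any(h in basename(image) for h in INSTALLER_HINTS)

def is_powershell(image):
    return basename(image) in ("powershell.exe", "pwsh.exe")

def find_post_install_powershell(events):
    """Return (installer_event, powershell_event, score) for each match.
    score 2: PowerShell is a direct child of the installer; 1: same host within
    WINDOW; +1 if the command line carries a classic evasion/download flag."""
    hits = []
    installers = [e for e in events if is_installer(e["image"])]
    for ps in (e for e in events if is_powershell(e["image"])):
        for inst in installers:
            delta = ps["ts"] - inst["ts"]
            if inst["host"] != ps["host"] or not timedelta(0) <= delta <= WINDOW:
                continue
            score = 2 if ps["ppid"] == inst["pid"] else 1
            if any(f in ps["cmdline"].lower() for f in EVASION_FLAGS):
                score += 1
            hits.append((inst, ps, score))
    return hits

# Constructed Sysmon-style process-creation events (ts, host, image, cmdline, pid, ppid).
T0 = datetime(2025, 3, 1, 9, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": T0, "host": "ws01", "image": r"C:\Users\a\Downloads\teams_setup.exe",
     "cmdline": "teams_setup.exe", "pid": 4100, "ppid": 3000},
    {"ts": T0 + timedelta(seconds=40), "host": "ws01", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc <constructed>", "pid": 4188, "ppid": 4100},
    {"ts": T0 + timedelta(hours=2), "host": "ws02", "image": PS,
     "cmdline": "powershell.exe Get-Date", "pid": 5200, "ppid": 900},
]

if __name__ == "__main__":
    for inst, ps, score in find_post_install_powershell(SAMPLE_EVENTS):
        print(f"[score {score}] {inst['host']}: {basename(inst['image'])} -> {ps['cmdline']}")
```

Only the ws01 pair is reported (score 3: child of the installer plus evasion flags); the routine PowerShell on ws02 has no preceding installer and is ignored.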