Full Report
Hackers have adopted the new technique called 'FileFix' in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems. [...]
Analysis Summary
# Tool/Technique: FileFix Delivery Method
## Overview
FileFix is a delivery and evasion technique adopted by the Interlock ransomware group as the successor to its earlier use of the 'ClickFix' method. Its purpose is to provide a stealthier mechanism for delivering malware payloads than the method it replaces.
## Technical Details
- Type: Technique (Delivery/Evasion Method)
- Platform: Not explicitly stated. Interlock is known to target FreeBSD servers, so UNIX-like environments are relevant; Windows hosts may also be involved in the broader operation.
- Capabilities: Facilitates the stealthy delivery and execution of malware, specifically ransomware payloads.
- First Seen: This is the first public confirmation of the technique being used in real-world attacks; the adopting group, Interlock ransomware, launched in September 2024.
## MITRE ATT&CK Mapping
*Note: Since FileFix is described as a delivery mechanism, the mapping focuses on the initial access or execution related to implanting the main payload.*
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (If delivered via a malicious file masquerading as a legitimate tool)
- T1204 - User Execution
- T1204.002 - Malicious File
## Functionality
### Core Capabilities
- Serving as a method to deliver the Interlock ransomware payload.
- Replacing the previously used 'ClickFix' delivery method, indicating an adaptation toward stealthier initial access chains.
### Advanced Features
- The technique is noted for being stealthier than previous methods used by the threat actor.
- Its adoption suggests an effort to bypass security controls that may already detect the 'ClickFix' method.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text; any file names would be those used in the FileFix delivery chain]
- Registry Keys: [Not provided in the text]
- Network Indicators: [Not provided in the text]
- Behavioral Indicators: [Execution of processes belonging to the FileFix delivery chain prior to ransomware deployment]
## Associated Threat Actors
- Interlock Ransomware group
## Detection Methods
- [Detection methods are not explicitly detailed; behavioural analysis of anomalous execution sequences (the FileFix chain that replaced 'ClickFix') would be the relevant approach.]
- [Signature-based detection would depend on signatures written for the specific binaries or scripts used in the FileFix chain.]
- [YARA rules if available]
## Mitigation Strategies
- Monitor for the deployment artifacts associated with the FileFix technique.
- Vet and scan any software presented as an "IT tool" or "fix" before it is run on the network, since the technique succeeds a known malicious delivery method ('ClickFix').
- Restrict execution rights where possible so that novel delivery chains cannot succeed.
## Related Tools/Techniques
- ClickFix (The previously used delivery method adopted by Interlock)
- Interlock Ransomware (The payload delivered)