# Full Report
The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime for JavaScript and TypeScript. [...]
# Analysis Summary
# Threat Actor: LeakNet
## Attribution & Identity
- **Actor Name:** LeakNet
- **Aliases:** N/A
- **Associations:** Uses the "ClickFix" social engineering technique, which is also utilized by other ransomware groups such as **Termite** and **Interlock**.
- **Identity:** A relatively new ransomware gang (possibly operating as ransomware-as-a-service), active since late 2024.
## Activity Summary
LeakNet has been observed evolving its initial access vectors and payload delivery mechanisms. Recently, the group has shifted to using "ClickFix" lures to compromise corporate environments. They are specifically noted for employing a "Bring Your Own Runtime" (BYOR) tactic, using the legitimate **Deno** runtime to execute malicious JavaScript/TypeScript payloads in-memory to evade detection. The group currently maintains a steady operational tempo of approximately three victims per month.
## Tactics, Techniques & Procedures
- **Social Engineering (ClickFix):** Tricking users into running malicious commands via fake browser/software update prompts.
- **Bring Your Own Runtime (BYOR):** Deploying the legitimate, signed `deno.exe` binary to execute malicious code, bypassing binary blocklists.
- **In-Memory Execution:** Executing JavaScript payloads directly in system memory to minimize disk artifacts.
- **Scripting:** Use of Visual Basic Scripts (VBS) and PowerShell scripts for initial execution (e.g., `Romeo*.ps1` and `Juliet*.vbs`).
- **DLL Side-Loading:** Loading malicious `jli.dll` via a legitimate Java executable in `C:\ProgramData\USOShared`.
- **Credential Access:** Using `klist` for Kerberos ticket/credential enumeration.
- **Lateral Movement:** Utilizing `PsExec` for movement across the network.
- **Data Exfiltration:** Abusing legitimate cloud storage (Amazon S3 buckets) for staging and exfiltrating stolen data.
**MITRE ATT&CK IDs (Inferred from TTPs):**
- **T1566.002:** Phishing: Spearphishing Link (ClickFix)
- **T1059:** Command and Scripting Interpreter
- **T1574.002:** Hijack Execution Flow: DLL Side-Loading
- **T1558:** Steal or Forge Kerberos Tickets (klist)
- **T1021.002:** Remote Services: SMB/Windows Admin Shares (PsExec)
- **T1567.002:** Exfiltration Over Web Service: Exfiltration to Cloud Storage
## Targeting
- **Sectors:** Corporate environments (General).
- **Geography:** Not specified in the report; the global reach typical of ransomware gangs is implied.
- **Victims:** Averages 3 victims per month; specific organization names were not disclosed in the report.
## Tools & Infrastructure
- **Malware:** Deno-based loader, custom JavaScript/TypeScript payloads, `jli.dll` (side-loading).
- **Utilities:** `deno.exe`, `klist.exe`, `PsExec`, PowerShell, VBScript.
- **Infrastructure:**
  - Amazon S3 buckets (exfiltration staging)
  - Command & Control (C2) servers (second-stage delivery and persistent polling)
  - On-host staging directory: `C:\ProgramData\USOShared`
## Implications
LeakNet represents a sophisticated shift toward stealthier, fileless execution by leveraging legitimate developer tools (Deno). By using signed binaries and in-memory execution, they significantly lower the efficacy of traditional EDR/Antivirus solutions that rely on file-based scanning. Their move toward repeatable, automated attack chains suggests an intent to scale their operations beyond their current victim rate.
## Mitigations
- **Runtime Monitoring:** Monitor or block the execution of `deno.exe` or other JavaScript runtimes (Node.js, Deno) on non-developer workstations.
- **Behavioral Analysis:** Alert on `msiexec.exe` or PowerShell processes spawned directly from web browser processes.
- **Process Auditing:** Monitor for anomalous use of `PsExec` and `klist` by non-administrative users.
- **Directory Protection:** Implement monitoring for new DLLs appearing in legitimate system folders like `C:\ProgramData\USOShared`.
- **Egress Filtering:** Restrict or monitor outbound traffic to Amazon S3 buckets from unauthorized endpoints.
- **User Training:** Educate employees to recognize "ClickFix" style social engineering lures that prompt the manual entry of PowerShell commands.
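As an added example, not taken from the report, the behavioral mitigations above expressed as a small Python detector run over constructed Sysmon-style process-creation events. The browser parent list, the simplified field names, and the developer-host and admin-user allowlists are assumptions; the child processes, tools and `Romeo*.ps1` / `Juliet*.vbs` name patterns come from the report.

```python
"""Detection rules for the LeakNet ClickFix / Deno chain over constructed process-creation events."""
import fnmatch
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # assumed parent set, extend as needed
CLICKFIX_CHILDREN = {"powershell.exe", "msiexec.exe"}    # children named in the report
JS_RUNTIMES = {"deno.exe", "node.exe"}                   # BYOR runtimes to watch on non-dev hosts
ADMIN_TOOLS = {"psexec.exe", "klist.exe"}
LURE_SCRIPTS = ("romeo*.ps1", "juliet*.vbs")             # stager name patterns from the report

def _name(path: str) -> str:
    return PureWindowsPath(path.strip('"\'')).name.lower()  # file name of a path or token

def detect(events, developer_hosts, admin_users):
    """Return (rule, event_id) pairs for every rule each event matches."""
    hits = []
    for ev in events:
        image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
        tokens = [_name(t) for t in ev.get("CommandLine", "").split()]
        # Rule 1: ClickFix, the browser itself spawns the interpreter or installer
        if parent in BROWSERS and image in CLICKFIX_CHILDREN:
            hits.append(("clickfix_browser_child", ev["id"]))
        # Rule 2: BYOR, a JavaScript runtime starts on a host with no developers
        if image in JS_RUNTIMES and ev["Host"] not in developer_hosts:
            hits.append(("js_runtime_non_dev_host", ev["id"]))
        # Rule 3: a Romeo*.ps1 / Juliet*.vbs stager name appears on a command line
        if any(fnmatch.fnmatchcase(t, p) for t in tokens for p in LURE_SCRIPTS):
            hits.append(("lure_script_name", ev["id"]))
        # Rule 4: PsExec / klist run by a user who is not a known administrator
        if image in ADMIN_TOOLS and ev["User"] not in admin_users:
            hits.append(("admin_tool_non_admin", ev["id"]))
    return hits

# Constructed sample telemetry (hostnames, users and paths are invented for this example)
DEVELOPER_HOSTS = {"DEV-BUILD-01"}
ADMIN_USERS = {"CORP\\svc-it"}
SAMPLE_EVENTS = [
    {"id": 1, "Host": "WS-FIN-07", "User": "CORP\\alice", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": r"powershell -f C:\Users\alice\AppData\Local\Temp\Romeo17.ps1"},
    {"id": 2, "Host": "WS-FIN-07", "User": "CORP\\alice", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\deno.exe", "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\deno.exe" run -A stage2.ts'},
    {"id": 3, "Host": "DEV-BUILD-01", "User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Tools\deno\deno.exe", "CommandLine": "deno test"},
    {"id": 4, "Host": "WS-FIN-07", "User": "CORP\\alice", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\klist.exe", "CommandLine": "klist"},
    {"id": 5, "Host": "SRV-APP-02", "User": "CORP\\svc-it", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Tools\PsExec.exe", "CommandLine": "PsExec.exe -s cmd"},
    {"id": 6, "Host": "WS-HR-03", "User": "CORP\\carol", "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": "msiexec /i update.msi"},
]
```

Events 3 and 5 are the allowlisted negatives (a developer host running Deno, an administrator running PsExec) and should produce no hits; `detect(SAMPLE_EVENTS, DEVELOPER_HOSTS, ADMIN_USERS)` flags events 1, 2, 4 and 6.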