Hackers have adopted the new technique called ‘FileFix’ in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems.

Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka ‘LandUpdate808’) to deliver payloads through compromised websites.

This shift in modus operandi was observed by researchers at The DFIR Report and Proofpoint since May. Back then, visitors of compromised sites were prompted to pass a fake CAPTCHA + verification, and then paste into a Run dialog content automatically saved to the clipboard, a tactic consistent with ClickFix attacks.

The trick led users to execute a PowerShell script that fetched and launched a Node.js-based variant of the Interlock RAT.

In June, researchers found a PHP-based variant of Interlock RAT used in the wild, which was delivered using the same KongTuke injector.

Earlier this month, a significant change in the delivery wrapper occurred, with Interlock now switching to the FileFix variation of the ClickFix method as the preferred delivery method.

FileFix is a social engineering attack technique developed by security researcher mr.d0x. It’s an evolution of the ClickFix attack, which became one of the most widely employed payload distribution methods over the past year.

In the FileFix variation, the attacker weaponizes trusted Windows UI elements, such as File Explorer and HTML Applications (.HTA), to trick users into executing malicious PowerShell or JavaScript code without displaying any security warnings.

Users are prompted to “open a file” by pasting a copied string into File Explorer’s address bar. The string is a PowerShell command disguised to look like a file path using comment syntax.

In the recent Interlock attacks, targets are asked to paste a command disguised with a fake file path onto File Explorer, leading to the downloading of the PHP RAT from ‘trycloudflare.com’ and its execution on the system.

Post-infection, the RAT executes a series of PowerShell commands to gather system and network information and exfiltrates this data as structured JSON to the attacker.

The DFIR Report also mentions evidence of interactive activity, including Active Directory enumeration, checking for backups, navigating local directories, and examining domain controllers.

The command and control (C2) server can send shell commands for the RAT to execute, introduce new payloads, add persistence via a Registry run key, or move laterally via remote desktop (RDP).

Interlock ransomware launched in September 2024, claiming notable victims like the Texas Tech University, DaVita, and Kettering Health.

The ransomware operation leveraged ClickFix to infect targets, but its pivoting to FileFix indicates that the attacker is quick to adapt to stealthier attack methods.

This is the first public confirmation of FileFix being used in actual cyberattacks. It is likely to gain more popularity as threat actors explore ways to incorporate it into their attack chains.