The innovative cybersecurity group, Zscaler ThreatLabz, recently discovered a new malware variant—RedEnergy Stealer—that redefines ransomware threats by adopting a dual role as a data stealer and ransomware. This groundbreaking discovery signals a significant shift in the landscape of cybersecurity threats.
Targeting a diverse range of industries—including energy utilities, oil, gas, telecom, and machinery—RedEnergy executes a phony update campaign, allowing it to infiltrate various browsers. It can thus stealthily extract sensitive data and perform ransomware activities simultaneously. The term RedEnergy Stealer was derived from common method names noticed during the analysis.
For a more in-depth technical analysis of this new malware and its stealer and ransomware characteristics, readers are advised to refer to the original Zscaler report.
ThreatLabz earlier introduced the unique threat category of RAT-as-a-Ransomware in April 2023 at the cybersecurity event, Botconf. Following similar hybrid methods, researchers have now discovered the Stealer-as-a-Ransomware category with RedEnergy. This malware silently steals data and encrypts files, causing severe damage to victims.
The RedEnergy Stealer employs a FAKEUPDATES campaign to trap victims into updating their browsers, subsequently infiltrating their systems, stealing valuable information, and encrypting files. This advanced threat raises concerns of data loss, exposure, or even unauthorized data sales.
Some critical findings from the ThreatLabz investigation include:
- RedEnergy Stealer’s Discovery: ThreatLabz research has brought to light a sophisticated malware campaign. This campaign uses reputable LinkedIn pages of industries to target victims, including the Philippines Industrial Machinery Manufacturing Company and several organizations in Brazil. Users who click to visit the compromised company’s website from LinkedIn are lured into the multi-stage attack.
- Stealer-as-a-Ransomware: The analyzed malware combines both stealing and ransomware capabilities, indicating an alarming evolution in ransomware attacks. This malicious software utilizes obfuscation techniques and HTTPS for command and control communication, making it particularly hard to detect and analyze.
- Multi-Stage Execution: The malware operates in several stages. It initiates with executing disguised malicious executables, establishes persistence, communicates with DNS servers, and downloads additional payloads from remote sites.
- Ransomware Functionality: The malware incorporates ransomware modules that encrypt user data, leaving it inaccessible until a ransom is paid. It also modifies the desktop.ini file to dodge detection and alter file system folder display settings.
- Deletion of Shadow Drive Data: The malware, in its final stage, deletes shadow drive data and Windows backup plans, which aligns with its ransomware characteristics.
The discovery of RedEnergy Stealer and understanding its operations can help organizations bolster their security stance, ensuring effective protection against this new-age malware and similar threats. To fully grasp the technical nuances of RedEnergy Stealer, read the original article on Zscaler.
Source: Zscaler
