Zscaler ThreatLabz researchers have identified RedEnergy, a new malware that functions as a Stealer-as-a-Ransomware. This malicious software has been employed in targeted attacks against energy utilities, oil and gas companies, telecommunications firms, and machinery sectors. RedEnergy employs a deceptive update campaign as its primary method of infiltration across various industry verticals.

A bit on RedEnergy

  • The recent detection of RedEnergy stealer-as-a-ransomware represents an advanced threat that combines stealthy data theft and encryption techniques to cause significant damage and seize control over its targets.
  • It employs a deceitful FAKEUPDATES campaign as a tactic to entice victims, persuading them to quickly update their web browsers.
  • Once successfully infiltrated, this malicious variant operates covertly to extract sensitive information and subsequently encrypts the compromised files.
  • This sophisticated malware campaign is targeting victims through reputable LinkedIn pages. Notable targets include a Philippines-based industrial machinery manufacturing company and organizations in Brazil.

Modus operandi

  • The attackers employ multi-stage techniques, disguising the malware as browser updates to deceive users who click on links from LinkedIn.
  • RedEnergy utilizes obfuscation techniques and communicates over HTTPS for C2 purposes, making it difficult to detect and analyze. It operates through multiple stages, starting with the execution of disguised malicious executables.
  • It establishes persistence, communicates with DNS servers, and downloads additional payloads from remote locations. Suspicious FTP interactions suggest potential data exfiltration and unauthorized file uploads.
  • In the final stage, the malware deletes Volume Shadow Copy data and Windows backup plans, further solidifying its ransomware characteristics. A batch file and a ransom note are left behind, demanding payment in exchange for file decryption.
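The two behaviours in the final stages above, outbound FTP from a process that should not be speaking FTP and destruction of shadow copies and backup catalogs, are the ones most worth alerting on, because they are noisy and hard for the malware to avoid. The following is an added detection example written for this summary; it is not code from Zscaler or from the RedEnergy analysis. The event layout mimics Sysmon process-creation and network-connection records, the sample events are constructed, the fake-update filename `ChromeUpdate.exe` is a placeholder, and the command-line patterns are the common Windows backup-destruction commands, assumed here because the brief does not quote the exact commands RedEnergy runs.

```python
"""Detection rules for two RedEnergy behaviours described in the brief:
outbound FTP from an unexpected process (possible exfiltration) and
destruction of Volume Shadow Copies / Windows backup catalogs.

Event layout mimics Sysmon (EventID 1 = process create, 3 = network
connect); the records below are constructed samples, not real logs."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 1 = process creation, 3 = network connection
    image: str               # full path of the process
    command_line: str = ""   # meaningful for event_id 1
    parent_image: str = ""   # meaningful for event_id 1
    dest_port: int = 0       # meaningful for event_id 3
    dest_ip: str = ""        # meaningful for event_id 3


# Assumed patterns: the brief says backups and shadow data are deleted but
# does not quote the commands, so these are the usual Windows ones.
BACKUP_DESTRUCTION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]

# Processes allowed to speak FTP in this (assumed) environment; anything
# else opening port 21 is flagged.
FTP_ALLOWLIST = {r"c:\program files\filezilla ftp client\filezilla.exe"}


def detect(events):
    """Return (rule, actor, detail) tuples. For process creation the actor is
    the parent (the launcher), since vssadmin.exe itself is not the culprit."""
    findings = []
    for ev in events:
        if ev.event_id == 1:
            actor = (ev.parent_image or ev.image).lower()
            for pat in BACKUP_DESTRUCTION:
                if pat.search(ev.command_line):
                    findings.append(("backup_destruction", actor, ev.command_line))
                    break
        elif ev.event_id == 3 and ev.dest_port == 21:
            if ev.image.lower() not in FTP_ALLOWLIST:
                findings.append(("unexpected_ftp", ev.image.lower(),
                                 f"{ev.dest_ip}:{ev.dest_port}"))
    return findings


def correlate(findings):
    """Group findings by actor. One process that both uploads over FTP and
    destroys backups matches the stealer-then-ransomware sequence; rate it
    higher than a single isolated hit."""
    rules_by_actor = {}
    for rule, actor, _ in findings:
        rules_by_actor.setdefault(actor, set()).add(rule)
    return {actor: ("high" if len(rules) > 1 else "medium")
            for actor, rules in rules_by_actor.items()}


# Constructed sample telemetry; the fake-update filename is a placeholder.
FAKE_UPDATE = r"C:\Users\alice\Downloads\ChromeUpdate.exe"
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\vssadmin.exe",
          command_line="vssadmin delete shadows /all /quiet",
          parent_image=FAKE_UPDATE),
    Event(1, r"C:\Windows\System32\wbadmin.exe",
          command_line="wbadmin delete catalog -quiet",
          parent_image=FAKE_UPDATE),
    # Benign admin query: same binary, harmless verb, must not fire.
    Event(1, r"C:\Windows\System32\vssadmin.exe",
          command_line="vssadmin list shadows",
          parent_image=r"C:\Windows\System32\cmd.exe"),
    # Allowlisted FTP client: must not fire.
    Event(3, r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
          dest_port=21, dest_ip="203.0.113.10"),
    # Fake updater uploading over FTP: fires.
    Event(3, FAKE_UPDATE, dest_port=21, dest_ip="198.51.100.7"),
    # HTTPS C2 is outside these two rules and is left to other controls.
    Event(3, FAKE_UPDATE, dest_port=443, dest_ip="198.51.100.7"),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, actor, detail in hits:
        print(f"{rule:20} {actor}  {detail}")
    print(correlate(hits))
```

Running the block against the constructed events yields two `backup_destruction` hits and one `unexpected_ftp` hit, all attributed to the fake updater, which `correlate` rates `high`; the benign `vssadmin list shadows` query and the allowlisted FTP client produce nothing. The allowlist and the command patterns are the two pieces a team would tune to its own estate.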

The bottom line

The analysis underscores the ever-evolving threat landscape that specifically targets diverse industries and organizations. It highlights the crucial significance of adopting strong security measures, promoting user awareness, and maintaining swift incident response protocols to effectively minimize the repercussions of these attacks. Through sustained vigilance and the implementation of comprehensive cybersecurity strategies, businesses can enhance their defense against these malicious campaigns.
Cyware Publisher