ET MALWARE JavaScript Loader Associated With Interlock Ransomware

Interlock ransomware-linked loader (executes via node.exe; it downloads Node.js too, instead of using wscript) mentioned in the Sekoia report. PCAP here: 57eed5ac287a103b43007d27312fbdc6e70fe32b3e3dc3286847fdcf86330d33 (Triage). Looks to use various URLs, IPs and trycloudflare for this, but appears to use HTTP for communication even to Cloudflare rather than HTTPS (although no reason it couldn't).

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE JavaScript Loader Associated With Interlock Ransomware"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/init1234"; http_uri; fast_pattern:only; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:"Content-Type|3A| application/octet-stream"; http_header; classtype:trojan-activity; reference:url,Interlock ransomware evolving under the radar - Sekoia.io Blog; sid:149050; rev:1;)

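The conditions the submitted rule expresses (POST, 9-byte URI /init1234, no User-Agent, no Referer, octet-stream Content-Type), applied to raw HTTP requests in Python so the match logic can be checked against captured traffic offline. This is an added example, not ET or Sekoia code; the three sample requests are constructed, and example.invalid is a placeholder host.

```python
"""Offline check mirroring the Suricata rule for the Interlock JS loader beacon.
Added example (not the ET rule itself); sample requests below are constructed."""


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers, body).
    Header names are lower-cased so lookups are case-insensitive, as in Suricata."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def matches_interlock_loader(raw: bytes) -> bool:
    """True when the request satisfies every content match of the rule."""
    method, uri, headers, _ = parse_request(raw)
    if method != b"POST":                       # content:"POST"; http_method
        return False
    if len(uri) != 9 or uri != b"/init1234":    # urilen:9; content:"/init1234"; http_uri
        return False
    if b"user-agent" in headers or b"referer" in headers:   # the two negated contents
        return False
    ctype = headers.get(b"content-type", b"")
    return ctype.startswith(b"application/octet-stream")   # Content-Type header match


# Constructed samples: one beacon-shaped request, one with a browser UA, one with a longer URI.
CONSTRUCTED_REQUESTS = {
    "loader_beacon": (b"POST /init1234 HTTP/1.1\r\nHost: example.invalid\r\n"
                      b"Content-Type: application/octet-stream\r\nContent-Length: 4\r\n\r\nAAAA"),
    "browser_post": (b"POST /init1234 HTTP/1.1\r\nHost: example.invalid\r\n"
                     b"User-Agent: Mozilla/5.0\r\nContent-Type: application/octet-stream\r\n\r\n"),
    "other_uri": (b"POST /init12345 HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"Content-Type: application/octet-stream\r\n\r\n"),
}


def scan(requests=CONSTRUCTED_REQUESTS):
    """Evaluate each sample; only the beacon-shaped request should hit."""
    return {name: matches_interlock_loader(raw) for name, raw in requests.items()}
```

Only the first sample hits, which is the point of the negated User-Agent and Referer matches: an ordinary browser POST to the same path does not trigger the rule.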

Hey @kevross33 - It looks like we got a sig out last week that will detect the CnC traffic in this blog.

As always thanks for the submission and taking the time to share intel! Here’s the sid if you’re curious:

ET MALWARE Interlock Ransomware Fake Updater CnC Callback - 2062145

Thanks!
Isaac
