EncryptHub, a notorious threat group, has been targeting various organisations globally using spear-phishing and social engineering tactics to obtain network access.
Initial reports stated that this threat actor has already penetrated at least 618 businesses since its first operation in June last year. After acquiring access, the threat actor installs Remote Monitoring and Management (RMM) software and deploys information stealers.
For now, the confirmed infostealers used by the attackers are Stealc and Rhadamanthys. In some instances, this attacker also installs ransomware on compromised devices.
The researchers claimed that this threat group is linked to RansomHub and BlackSuit, having previously distributed both ransomware encryptors, and that it possibly functions as an initial access broker or a direct affiliate.
However, in most cases, the threat actors used a proprietary PowerShell data encryptor, indicating that they also maintain their own variant.
The EncryptHub threat group is also known as Larva-208.
According to investigations, the EncryptHub group’s cybercriminal operation includes SMS phishing, voice phishing, and phoney login pages that imitate business VPN products.
In their emails to targets, attackers generally impersonate IT assistance, alleging an issue with VPN access or a security risk with their accounts. This strategy allows them to redirect targets to a phishing site.
Victims who land on the phishing page can have their credentials and multi-factor authentication (MFA) tokens (session cookies) stolen in real time.
At the end of the phishing process, the victim is forwarded to the service’s actual URL to prevent suspicion.
Furthermore, EncryptHub purchased over 70 domains replicating legitimate products to boost the perceived authenticity of the phishing pages. The phishing sites are also hosted with bulletproof hosting providers such as Yalishanda, which the researchers claim does not typically respond to legitimate takedown requests.
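As an added example (not from the report or the researchers), here is a defender-side check that follows from the technique described above: because the phishing page forwards the victim to the real VPN portal once the credentials are captured, a request to the real portal that arrives with a Referer from a lookalike domain is worth flagging. The log format, host names, trusted domains and brand tokens are constructed assumptions; the lookalike test also generalises beyond the page's VPN case to any brand token you list.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample proxy log: client IP, method, requested URL, Referer header.
SAMPLE_LOG = """\
10.0.0.5 GET https://vpn.example.com/login referer=-
10.0.0.7 GET https://vpn.example.com/login referer=https://sso.example.com/
10.0.0.9 GET https://vpn.example.com/login referer=https://vpn-example-support.net/verify
10.0.0.11 GET https://vpn.example.com/login referer=https://examp1e.com/portal
10.0.0.12 GET https://intranet.example.com/ referer=https://news.example.org/
"""

PROTECTED_HOSTS = {"vpn.example.com"}   # the real VPN portal (assumed)
TRUSTED_DOMAINS = {"example.com"}       # first-party domains allowed as referers (assumed)
BRAND_TOKENS = ("example", "vpn")       # words a lookalike domain would reuse (assumed)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) referer=(\S+)$")

def registrable_domain(host):
    """Crude eTLD+1: last two labels of the host name."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def lookalike_reason(host):
    """Return why a referer host resembles the brand, or None if it does not."""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return None
    for label in re.split(r"[.-]", domain):
        for token in BRAND_TOKENS:
            if label == token:
                return f"reuses brand token '{token}'"
            # Catches single-character swaps such as 'examp1e' for 'example'.
            if SequenceMatcher(None, label, token).ratio() >= 0.8:
                return f"label '{label}' resembles '{token}'"
    return None

def flag_redirected_logins(log_text):
    """Flag requests to the protected portal whose Referer is a lookalike domain."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, url, referer = m.groups()
        if urlparse(url).hostname not in PROTECTED_HOSTS or referer == "-":
            continue
        ref_host = urlparse(referer).hostname or ""
        reason = lookalike_reason(ref_host)
        if reason:
            findings.append((client, ref_host, reason))
    return findings
```

Pair this with the hosting clue from the report: a referer domain that resolves to a bulletproof host is a second, independent signal.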
Separate research has also uncovered another subgroup, Larva-148, which assists with purchasing domains used in phishing campaigns, hosting management, and infrastructure setup.
Larva-148 could have sold domains and phishing kits to EncryptHub, but the specific relationship has yet to be determined.
Organisations should train their employees to spot these phishing attempts to reduce the chances of infection by this group. Lastly, the public should avoid opening unknown links attached to emails, as cybercriminals commonly use them to initiate their attacks.
