The malicious entity known as EncryptHub has been linked to Windows zero-day campaigns that utilise a now-patched Microsoft Management Console vulnerability.
Researchers describe the flaw as a security feature bypass in how MSC files are handled on affected systems. Threat actors can use it to evade Windows file reputation controls and execute code, since users on unpatched devices receive no warning before an unusual MSC file is loaded.
In an email attack instance, an attacker may exploit the vulnerability by sending a specially generated file to the user and prompting them to open it. On the other hand, in a web-based attack scenario, an attacker may create a website or use a hacked website that accepts or hosts user-provided content with a specially designed file meant to exploit the vulnerability.
EncryptHub had already taken advantage of the flaw before Microsoft knew about the exploit.
According to investigations, EncryptHub leveraged the zero-day flaw to execute malware and steal data from infected devices before the researchers disclosed it to Microsoft.
Throughout the campaign, the threat actor has used various malicious payloads associated with earlier EncryptHub attacks. These malware strains include the EncryptHub stealer, SilentPrism backdoor, Stealc, Rhadamanthys stealer, DarkWisp backdoor, and the MSC EvilTwin trojan loader.
In this attack, the threat actor uses .msc files and the Multilingual User Interface Path (MUIPath) to download and run malicious payloads, establish persistence, and harvest sensitive data from infected devices.
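A defender-side check for the MUIPath abuse described above, added here as an example and not taken from the article or the researchers' tooling: it walks a directory tree and flags any .msc console file that has a same-named twin inside a locale-named subdirectory (such as en-US), the layout through which MMC resolves MUI resources. The locale-folder naming and the sample directory are assumptions constructed for illustration.

```python
# Added example (not from the article): flag .msc console files that have a
# same-named twin inside a language subdirectory such as en-US. MMC resolves
# MUI resources through such locale folders (MUIPath), so a copy placed there
# can be loaded in place of the file the user believes they opened. The folder
# layout checked here is an assumption for illustration only.
import os
import re
import tempfile

# Locale folder names like en-US, de-DE, fr-FR (assumed MUI layout).
LOCALE_DIR = re.compile(r"^[a-z]{2,3}-[A-Z]{2}$")


def find_msc_shadows(root):
    """Return sorted (original, shadow) pairs of .msc files where the shadow
    sits in a locale-named subdirectory directly beneath the original."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".msc"):
                continue
            for sub in dirnames:
                if not LOCALE_DIR.match(sub):
                    continue
                shadow = os.path.join(dirpath, sub, name)
                if os.path.isfile(shadow):
                    hits.append((os.path.join(dirpath, name), shadow))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample directory: one unshadowed console file and one
    shadowed pair. Returns (root, expected_pair) for checking the result."""
    root = tempfile.mkdtemp(prefix="msc_demo_")
    os.makedirs(os.path.join(root, "tools", "en-US"))
    clean = os.path.join(root, "tools", "services.msc")
    decoy = os.path.join(root, "tools", "report.msc")
    shadow = os.path.join(root, "tools", "en-US", "report.msc")
    for path in (clean, decoy, shadow):
        with open(path, "w", encoding="utf-8") as f:
            f.write("<MMC_ConsoleFile/>\n")  # placeholder console XML
    return root, (decoy, shadow)


if __name__ == "__main__":
    root, _expected = build_sample_tree()
    for original, shadow in find_msc_shadows(root):
        print(f"suspicious MUIPath twin: {shadow} shadows {original}")
```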
The campaign remains under active development. It uses a variety of delivery techniques and unique payloads to gain persistence and harvest sensitive data, which is then exfiltrated to an attacker-controlled C2 server.
Furthermore, while analysing these attacks, the researchers discovered an early variant of this tactic in an April 2024 campaign. Separate research has also previously linked EncryptHub to breaches in at least 618 organisations globally due to spear-phishing and social engineering attempts.
EncryptHub, a RansomHub and BlackSuit ransomware operations associate, also uses ransomware payloads to encrypt victims’ folders after collecting sensitive data. Therefore, its arsenal may have sophisticated tools and tactics that can soon appear in more cybercriminal events.
