
Interlock Ransomware Group Deploys New PHP-Based RAT via FileFix in Multi-Industry Campaign
The Interlock ransomware group has been observed deploying a new PHP-based Remote Access Trojan (RAT) through a delivery method known as FileFix, a variant of ClickFix. This campaign, identified by researchers from DFIR Report in collaboration with Proofpoint, targets multiple industries, indicating a broad and potentially high-impact threat.

The use of a PHP-based RAT is notable, as PHP is typically associated with web development rather than malware. This suggests that the attackers may be targeting web servers or leveraging PHP's ubiquity in web environments to evade detection. FileFix, as a delivery mechanism, likely involves malicious files or links designed to exploit user interaction, such as phishing emails.

The technical implications of this campaign include the need for enhanced monitoring of PHP scripts and web server activities, as well as robust employee training to prevent initial infections. The evolution of delivery methods like FileFix highlights the continuous adaptation of cybercriminal tactics to bypass traditional security measures.

Organizations should ensure that their incident response plans are up to date, with a focus on regular backups and isolation procedures to mitigate the impact of potential ransomware attacks. The involvement of multiple industries in this campaign underscores the importance of cross-sector collaboration in cybersecurity defense strategies.