RedEnergy infostealer attacks Brazilian and Philippine companies

Cybersecurity experts have discovered a new threat that targets energy, telecommunications and engineering companies in Brazil and the Philippines. RedEnergy ransomware spreads through fake pages LinkedIn and can both encrypt victims’ data and steal them.

According to researchers from the company Zscalerthe virus has the ability to steal information from various browsers, acting like a classic infostealer. In addition, the malware includes various modules for extortion. The main goal of criminals is to effectively combine data theft with encryption in order to inflict maximum damage on their victims.

The multi-stage attack begins with a “FakeUpdates” (also known as SocGholish) campaign that tricks users into downloading malware based on JavaScript under the guise of browser updates.

The changes in the campaign reviewed by experts are to use real LinkedIn pages to attract victims. Those who click on the phishing URL are redirected to a fake page offering to update their browser by clicking on the appropriate icon (Google Chrome, Microsoft Edge, Mozilla Firefox or Opera). In this case, of course, a malicious executable file is downloaded.

After downloading and running the malware, it establishes its persistence on the system and downloads the aforementioned RedEnergy, which is capable of secretly collecting, uploading and encrypting victims’ files, exposing them to the risk of potential loss, disclosure or even sale.

Zscaler researchers reported that they found suspicious protocol interactions in the reviewed campaign. FTPwhich indicates that it is it that is used to send data to intruders.

During the encryption process, the malware adds a funny “.FACKOFF!” to each file, deleting existing backups and leaving a ransom note in each folder. Victims are asked to pay 0.005 BTC (about 150 dollars or 13,500 rubles) to the cryptocurrency wallet indicated in the ransomware note in order to regain access to their files.

The small size of the ransom suggests that hackers want to increase their chances of getting it, as well as capture ordinary home computer users at the same time. And the dual purpose of RedEnergy as an information thief and a ransomware ransomware shows a certain evolution of the cybercriminal landscape.

Zscaler experts advise individuals and businesses alike to exercise extreme vigilance and caution when accessing websites, especially those linked to LinkedIn profiles. As well as paying attention to unexpected file downloads that users themselves did not initiate.