A threat actor tracked as 'EncryptHub,' aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks. Once EncryptHub breaches a targeted system, it deploys various PowerShell scripts and malware to gain persistence and remote access, steal data, and encrypt files.

According to a report by Prodaft, which was published internally last week and made public yesterday, EncryptHub has compromised at least 618 organizations since it began operations in June 2024. Prodaft told BleepingComputer that the group is affiliated with RansomHub and BlackSuit, having deployed both ransomware encryptors in the past, and that it may be acting as an initial access broker for them or as a direct affiliate. However, in many of the attacks the researchers observed, the threat actors deployed a custom PowerShell data encryptor, so they maintain their own variant as well.

Larva-208's attacks involve SMS phishing, voice phishing, and fake login pages that mimic corporate VPN and identity products such as Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet, and Microsoft 365. The attackers typically impersonate IT support in their messages, claiming an issue with the target's VPN access or a security concern with their account, and direct them to log in on a phishing site. Victims receive links that redirect them to phishing login pages where their credentials and multi-factor authentication (MFA) tokens (session cookies) are captured in real time, which lets the attacker reuse the already-authenticated session rather than having to defeat MFA separately.

EncryptHub has bought over 70 domains that mimic these products, such as 'linkwebcisco.com' and 'weblinkteams.com,' to increase the perceived legitimacy of the phishing pages. The phishing sites are hosted on bulletproof hosting providers like Yalishanda, which Prodaft says does not typically respond to justified takedown requests.

Prodaft has also discovered another subgroup, tracked as Larva-148, which helps purchase the domains used in the phishing campaigns, manages hosting, and sets up the infrastructure. It is possible that Larva-148 sells domains and phishing kits to EncryptHub, though the exact relationship between the two has not been determined yet.

After gaining access, the threat actors install Remote Monitoring and Management (RMM) software, followed by information stealers like Stealc and Rhadamanthys. Larva-208's final payload is ransomware in the form of a custom PowerShell-based encryptor that encrypts files using AES, appends the ".crypted" extension, and deletes the original files.

Prodaft says EncryptHub is a sophisticated threat actor that tailors its attacks for better effectiveness, achieving high-value breaches on large organizations. "The LARVA-208 spear-phishing actor examined in this report exemplifies the increasing sophistication of targeted cyber attacks," warns Prodaft.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
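The two lookalike domains named in the report ('linkwebcisco.com' and 'weblinkteams.com') follow the usual pattern of embedding a vendor brand in a domain the vendor does not own. The script below is an added example, not code from the report or from Prodaft, showing how a defender can hunt for that pattern in web-proxy logs: it extracts the destination host from each request, skips hosts whose registrable domain is on an assumed vendor allowlist, and flags anything else that contains one of the brand tokens the report says Larva-208 imitates. The log format, the allowlist, and every domain other than the two from the report are constructed for the example; the brand tokens are generalized beyond the two reported domains to the full product list in the article.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Brand tokens drawn from the products the report says Larva-208 imitates.
# Longer tokens come first so a hit on "globalprotect" is not reported as a
# shorter substring.
BRAND_TOKENS = (
    "globalprotect", "anyconnect", "paloalto", "fortinet",
    "microsoft", "office365", "cisco", "teams",
)

# Assumed allowlist of registrable domains the vendors legitimately operate.
# Extend it with your own VPN and SSO hostnames before running this on real logs.
ALLOWED_DOMAINS = {
    "cisco.com", "paloaltonetworks.com", "fortinet.com",
    "microsoft.com", "microsoftonline.com", "office.com",
}

# Constructed proxy log: "<timestamp> <user> <src_ip> <url>". The first and
# third flagged hosts are the domains named in the report; the rest are made up.
SAMPLE_LOG = """\
2025-02-25T09:12:01Z alice 198.51.100.7 https://linkwebcisco.com/logon.html
2025-02-25T09:12:05Z alice 198.51.100.7 https://vpn.cisco.com/logon.html
2025-02-25T09:13:44Z bob 203.0.113.9 https://weblinkteams.com/login
2025-02-25T09:14:02Z bob 203.0.113.9 https://teams.microsoft.com/
2025-02-25T09:15:30Z carol 192.0.2.44 https://portal-globalprotect-support.net/login.esp
2025-02-25T09:16:11Z carol 192.0.2.44 https://example.org/index.html
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<url>\S+)$")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: multi-label public
    suffixes such as co.uk are not handled; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_token(host: str) -> Optional[str]:
    """Return the brand token a hostname imitates, or None when the host is
    allowlisted or mentions no brand. Hyphens and underscores are stripped so
    'global-protect' still matches 'globalprotect'."""
    host = host.lower()
    if registrable_domain(host) in ALLOWED_DOMAINS:
        return None
    flat = host.replace("-", "").replace("_", "")
    for token in BRAND_TOKENS:
        if token in flat:
            return token
    return None


def scan_log(text: str) -> list:
    """Parse proxy log lines and return one record per lookalike-domain hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        host = urlsplit(m["url"]).hostname or ""
        token = lookalike_token(host)
        if token:
            hits.append({"ts": m["ts"], "user": m["user"], "host": host, "brand": token})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} -> {hit['host']} (imitates {hit['brand']})")
```

Treat a hit as a triage signal rather than a block decision: a reseller or partner domain that legitimately contains a vendor name will also match, and the allowlist is where such cases belong once reviewed. Because the report notes that the phishing pages capture the MFA session cookie as well as the password, the right response to a confirmed hit is to revoke the user's active sessions, not just reset the password.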
Published on www.bleepingcomputer.com, Wed, 26 Feb 2025 15:35:17 +0000.