A recent investigation conducted by Trend Micro reveals that threat groups associated with RedLine and Vidar have adopted similar tactics for deploying ransomware as they use for disseminating info-stealing malware.
In a specific instance, victims initially encountered a malware strain designed for data theft, which was signed with Extended Validation (EV) code signing certificates. However, over time, they also fell victim to ransomware attacks through the same delivery method.
Further examination of the period between July and August uncovered more than 30 samples signed with EV code signing certificates, all associated with the info-stealing malware TrojanSpy.Win32.VIDAR.SMA. Each of these samples exhibited unique characteristics, complicating their detection.
Regarding the attribution to RedLine and Vidar, researchers suspect that the individual responsible for signing these samples with EV certificates likely has either physical access to the security token or control over the computer linked to it.
Initially, victims received info-stealing malware through various campaigns starting around July 10. Subsequently, on August 9, they experienced a ransomware assault. This ransomware was deployed after the victims unwittingly downloaded and opened a fraudulent email attachment masquerading as a complaint from TripAdvisor.
Tactics, Techniques, and Procedures (TTPs) employed by RedLine and Vidar operators include:
- Crafting spear-phishing emails with compelling language, urging recipients to take immediate action, often relating to health or hotel-related matters.
- Utilizing double file extensions to deceive users, making files appear to be PDFs or JPEGs when they are in fact executable (EXE) files that trigger the infection upon opening.
- Deploying LNK (shortcut) files containing instructions to execute the malicious file, thereby evading detection.
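A mail-gateway style triage check for the two attachment tricks listed above (deceptive double extensions and LNK/executable attachments), as an added example that is not part of the Trend Micro report; the extension lists and the sample attachment names are constructed for illustration.

```python
# Extensions a lure wants the victim to see (document/image types) versus
# extensions Windows actually executes when the file is opened.
# Both sets are constructed for this example, not taken from the report.
DECOY_EXTENSIONS = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "txt"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "lnk", "js", "vbs", "hta", "ps1"}


def is_deceptive_double_extension(filename: str) -> bool:
    """True when the real (last) extension executes but the extension shown
    just before it is a document/image type, e.g. 'complaint.pdf.exe'.
    Whitespace padding such as 'report.pdf      .exe' is also caught."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, real = (p.strip() for p in parts)
    return real in EXECUTABLE_EXTENSIONS and decoy in DECOY_EXTENSIONS


def is_executable_attachment(filename: str) -> bool:
    """True when the last extension is one Windows runs directly (LNK included)."""
    return filename.lower().rsplit(".", 1)[-1].strip() in EXECUTABLE_EXTENSIONS


def triage_attachment_names(filenames):
    """Return (name, reason) for every attachment that deserves quarantine."""
    findings = []
    for name in filenames:
        if is_deceptive_double_extension(name):
            findings.append((name, "deceptive double extension"))
        elif is_executable_attachment(name):
            findings.append((name, "executable attachment"))
    return findings


# Constructed attachment names mimicking the lures described in the article.
SAMPLE_ATTACHMENTS = [
    "TripAdvisor-Complaint.pdf.exe",   # document decoy, really an EXE
    "hotel_booking.jpg      .exe",     # padded decoy extension
    "Complaint.pdf",                   # benign
    "Invoice_details.lnk",             # shortcut used to launch the payload
    "archive.tar.gz",                  # harmless double extension
]

if __name__ == "__main__":
    for name, reason in triage_attachment_names(SAMPLE_ATTACHMENTS):
        print(f"QUARANTINE {name!r}: {reason}")
```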