Analytics Story: Interlock Rat
Description
This analytics story groups detections for behavioral indicators consistent with the Interlock RAT (Remote Access Trojan) malware family. Interlock RAT is a stealthy, modular backdoor used for unauthorized remote control, data exfiltration, and system reconnaissance. It typically arrives through phishing campaigns or is dropped by other malware. Once executed, it establishes persistence, connects to a command-and-control (C2) server, and gives the operator full interactive control of the compromised host.
Why it matters
Interlock RAT is a relatively new entrant in the malware ecosystem, first observed in mid-to-late 2024. It is distinguished by a lightweight binary, encrypted C2 communications, and a plugin-based architecture that lets attackers load new capabilities after the initial compromise. Interlock operators use a multi-stage attack chain: they first compromise legitimate websites and use them to serve fake browser updates posing as Google Chrome or Microsoft Edge installers. The fake installer runs a PowerShell backdoor, which is then used to stage and execute additional tooling and ultimately deliver the ransomware payload. The Sysmon process-creation, file-creation and named-pipe events and the Security 4688 events listed below are the telemetry in which that chain (installer dropped to disk, installer spawning PowerShell, PowerShell reaching out and loading further tools) becomes visible.
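The following is an added worked example, not one of the story's own detections and not code from the Splunk Security Content project. It runs a behavioral check for the chain described above (an installer masquerading as a browser update, launched from a user-writable path, spawning PowerShell with evasive switches) over a few constructed Sysmon records rendered as JSON lines. The sample events, file names, user names and the encoded-command blob are all invented for illustration; the regex patterns and trusted-path list are assumptions a practitioner would tune for their environment.

```python
"""Behavioral triage for the fake-browser-update -> PowerShell chain.

Added example (not part of the Splunk analytics story). Parses constructed
Sysmon EventID 1 records and flags a PowerShell process whose parent looks
like a Chrome/Edge updater but does not live under a trusted install path.
"""
import json
import re
from typing import Dict, List

# Constructed sample telemetry (not real Interlock artifacts). Sysmon events
# as JSON lines, one event per line, the way a HEC feed might carry them.
# The base64 blob is a placeholder, not a real payload.
SAMPLE_LOG = r"""
{"EventID": 11, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\ChromeUpdate.exe", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\ChromeUpdate.exe", "CommandLine": "\"C:\\Users\\alice\\Downloads\\ChromeUpdate.exe\"", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "ParentImage": "C:\\Users\\alice\\Downloads\\ChromeUpdate.exe", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\bob"}
{"EventID": 1, "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\setup.exe", "CommandLine": "setup.exe --install", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", "User": "NT AUTHORITY\\SYSTEM"}
"""

# Assumed trusted install roots; a real deployment would tune this list.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")

# File names that advertise themselves as a browser updater/installer.
UPDATER_LOOKALIKE = re.compile(
    r"(chrome|edge|msedge|browser).*(update|setup|install)"
    r"|(update|setup|install).*(chrome|edge|msedge|browser)",
    re.IGNORECASE,
)

# PowerShell switches commonly used to hide or obfuscate a backdoor launch.
EVASION_FLAGS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE),
    "bypass_policy": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.IGNORECASE),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{8,}", re.IGNORECASE),
}

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_process_creates(log: str) -> List[Dict]:
    """Return only Sysmon EventID 1 (process creation) records from a JSON-lines feed."""
    events = []
    for line in log.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") == 1:
            events.append(event)
    return events


def is_fake_browser_updater(path: str) -> bool:
    """Name claims to be a browser updater, but the path is not a trusted install root."""
    looks_like_updater = bool(UPDATER_LOOKALIKE.search(_basename(path)))
    trusted = path.lower().startswith(TRUSTED_PREFIXES)
    return looks_like_updater and not trusted


def powershell_evasion_flags(cmdline: str) -> List[str]:
    """Names of the evasive switches present on a PowerShell command line."""
    return [name for name, pattern in EVASION_FLAGS.items() if pattern.search(cmdline)]


def find_fake_update_chains(events: List[Dict]) -> List[Dict]:
    """Flag PowerShell spawned by an updater look-alike with at least one evasive switch."""
    findings = []
    for event in events:
        if _basename(event.get("Image", "")) not in POWERSHELL_IMAGES:
            continue
        parent = event.get("ParentImage", "")
        if not is_fake_browser_updater(parent):
            continue
        flags = powershell_evasion_flags(event.get("CommandLine", ""))
        if not flags:
            continue
        findings.append({
            "user": event.get("User"),
            "parent": parent,
            "command_line": event.get("CommandLine"),
            "flags": flags,
        })
    return findings


if __name__ == "__main__":
    for hit in find_fake_update_chains(parse_process_creates(SAMPLE_LOG)):
        print(f"[ALERT] {hit['user']}: {hit['parent']} -> powershell {hit['flags']}")
```

The benign rows are there on purpose: the real EdgeUpdate chain runs from Program Files and never spawns PowerShell, and an administrator's `-NoProfile -File` launch has an ordinary parent, so neither trips the rule. Requiring both the path mismatch and an evasive switch is what keeps the check from alerting on every user who runs PowerShell from Downloads; the named-pipe (EventID 17/18) and file-creation (EventID 11) events in the data-source table would be the next pivots for confirming the backdoor once this stage fires.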
Detections
Data Sources
Name | Platform | Sourcetype | Source
---|---|---|---
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | | XmlWinEventLog | XmlWinEventLog:Security
References
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
- https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
Source: GitHub | Version: 1