LeakNet Ransomware: A Recent Era of Stealthy Attacks with ClickFix and Deno
The ransomware landscape is constantly evolving, and a recent surge in activity from the LeakNet group highlights a worrying trend: increasingly sophisticated evasion techniques. LeakNet is now leveraging the “ClickFix” social engineering tactic to gain initial access to corporate networks, coupled with a malware loader built on the open-source Deno runtime. This combination allows for stealthy execution and minimizes the chances of detection, marking a significant escalation in their operational capabilities.
ClickFix: The Social Engineering Gateway
ClickFix isn’t new, but its growing popularity among ransomware groups like Termite and Interlock is alarming. This technique relies on tricking users into manually running malicious commands, often disguised as error prompts. It exploits the human tendency to resolve technical issues quickly, bypassing traditional security measures. The recent adoption of ClickFix by LeakNet signals a shift away from relying solely on stolen credentials obtained through initial access brokers (IABs) and towards more direct, self-directed campaigns.
Source: ReliaQuest
Deno: The “Bring Your Own Runtime” Advantage
What sets LeakNet apart is its innovative use of Deno, a JavaScript/TypeScript runtime. ReliaQuest has termed this approach a “bring your own runtime” (BYOR) attack. Deno is a legitimate, signed executable, meaning it often bypasses security filters and blocklists designed to prevent the execution of unknown binaries. Instead of deploying a custom, potentially flagged malware loader, LeakNet installs the legitimate Deno executable and then uses it to run malicious code directly in system memory.
This in-memory execution is crucial. It drastically reduces the forensic footprint, making it harder for security teams to detect and analyze the attack. The activity can easily be mistaken for legitimate developer tasks, further obscuring malicious intent.
How LeakNet Operates: From Initial Access to Data Exfiltration
Once inside a network, LeakNet follows a consistent post-exploitation chain. This predictability, while concerning, also presents opportunities for defenders. The process includes:
- DLL sideloading (specifically, jli.dll loaded via Java in C:\ProgramData\USOShared)
- Command-and-control (C2) beaconing
- Credential discovery using ‘klist’ enumeration (listing cached Kerberos tickets)
- Lateral movement via PsExec
- Payload staging and data exfiltration, often utilizing Amazon S3 buckets
The Deno-based loader fingerprints the compromised host, generates a unique victim ID, and establishes a connection to the C2 server to download the second-stage payload. It also maintains a persistent polling loop, awaiting further instructions.
The Scaling Threat: LeakNet’s Growth and Future Implications
Currently, LeakNet averages around three victims per month, but the adoption of ClickFix and Deno suggests a potential for rapid scaling. The group’s ability to adapt and invest in its own infrastructure and evasion capabilities is a significant concern. This trend points towards a broader shift in the ransomware landscape, where attackers are increasingly prioritizing stealth and self-reliance.
Pro Tip:
Regularly audit your systems for unexpected Deno installations, especially outside of development environments. This could be an early indicator of LeakNet activity.
Detecting and Defending Against LeakNet
Defenders can leverage several indicators to identify potential LeakNet activity:
- Deno running outside of legitimate development environments
- Suspicious ‘msiexec’ execution originating from web browsers
- Abnormal usage of PsExec
- Unexpected outbound traffic to Amazon S3
- DLL sideloading occurring in unusual directories
Blocking newly registered domains, restricting access to the Win+R Run dialog, and limiting PsExec to authorized administrators are also crucial preventative measures.
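The indicators above, and the pro tip about auditing for unexpected Deno installations, translate directly into host-based detection rules. The following is an added example written for this article, not code from ReliaQuest or from any product: it runs four simple rules over a handful of constructed process-creation and image-load records (fields loosely modelled on Sysmon event IDs 1 and 7, but hand-built here, not parsed from real telemetry). The browser list, the authorized PsExec accounts, the Java install roots, and the assumption that Deno legitimately lives only in the default per-user `%USERPROFILE%\.deno\bin` directory are all placeholders to tune to your own estate.

```python
"""Host-based detection rules for the LeakNet indicators discussed above.
Added example; the allow-lists and sample events are constructed, not real."""

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

# Constructed allow-lists for this example; adjust to your environment.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe"}
AUTHORIZED_PSEXEC_USERS = {"corp\\svc-deploy", "corp\\admin-jdoe"}  # hypothetical accounts
# Assumption: jli.dll is only expected under a real Java installation.
JAVA_INSTALL_ROOTS = ("c:\\program files\\java", "c:\\program files (x86)\\java")


@dataclass(frozen=True)
class Event:
    """Minimal process-creation / image-load record (constructed, not parsed from a log)."""
    kind: str           # "process" or "image_load"
    image: str          # full path of the process image
    parent: str = ""    # parent process image (process events)
    user: str = ""      # account the process runs as, DOMAIN\user
    loaded: str = ""    # module path (image_load events)


def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def deno_outside_dev_location(path: str) -> bool:
    """True when deno.exe sits anywhere other than %USERPROFILE%\\.deno\\bin,
    the default install location (assumption: developers use the default).
    Copies under ProgramData, Public, Temp, etc. are worth a look."""
    p = PureWindowsPath(path)
    if p.name.lower() != "deno.exe":
        return False
    parts = [s.lower() for s in p.parts]
    return parts[-3:-1] != [".deno", "bin"]


def evaluate(event: Event) -> list[str]:
    """Return the names of every rule the event trips (empty list = clean)."""
    hits: list[str] = []
    if event.kind == "process":
        if deno_outside_dev_location(event.image):
            hits.append("deno_outside_dev_dir")
        if _name(event.image) == "msiexec.exe" and _name(event.parent) in BROWSERS:
            hits.append("msiexec_spawned_by_browser")
        if _name(event.image) in PSEXEC_NAMES and event.user.lower() not in AUTHORIZED_PSEXEC_USERS:
            hits.append("psexec_unauthorized_user")
    elif event.kind == "image_load":
        # DLL sideloading indicator: jli.dll loaded from somewhere that is not a Java install.
        if _name(event.loaded) == "jli.dll" and not event.loaded.lower().startswith(JAVA_INSTALL_ROOTS):
            hits.append("jli_dll_sideload_unusual_dir")
    return hits


def audit_deno_inventory(paths: Iterable[str]) -> list[str]:
    """File-inventory check for the pro tip: given paths from a software inventory
    or file listing, return every deno.exe copy outside the default location."""
    return [p for p in paths if deno_outside_dev_location(p)]


# Constructed sample telemetry: one benign and one suspicious record per rule.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\jdoe\.deno\bin\deno.exe", r"C:\Windows\explorer.exe", r"CORP\jdoe"),
    Event("process", r"C:\Users\Public\Downloads\deno.exe", r"C:\Windows\System32\cmd.exe", r"CORP\jdoe"),
    Event("process", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    Event("process", r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"CORP\jdoe"),
    Event("process", r"C:\Tools\PsExec64.exe", r"C:\Windows\System32\cmd.exe", r"CORP\admin-jdoe"),
    Event("process", r"C:\Tools\PsExec64.exe", r"C:\Windows\System32\cmd.exe", r"CORP\jdoe"),
    Event("image_load", r"C:\Program Files\Java\jre-17\bin\java.exe", loaded=r"C:\Program Files\Java\jre-17\bin\jli.dll"),
    Event("image_load", r"C:\ProgramData\USOShared\java.exe", loaded=r"C:\ProgramData\USOShared\jli.dll"),
]


def run(events: Iterable[Event] = SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each rule name to the process images that tripped it."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for rule in evaluate(ev):
            findings.setdefault(rule, []).append(ev.image)
    return findings


if __name__ == "__main__":
    for rule, images in run().items():
        print(f"{rule}: {images}")
```

Each rule is deliberately narrow so that the benign twin of every suspicious record stays quiet: Deno in its default per-user directory, msiexec launched by the service control manager, PsExec run by an authorized administrator, and jli.dll loaded from a real Java install all pass. In a SIEM these would be separate correlation rules; keeping them in one evaluator here makes it easy to see which indicator fires on which record.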
FAQ: LeakNet and the New Attack Vectors
- What is ClickFix? A social engineering technique that tricks users into running malicious commands through fake error prompts.
- What is Deno and why is it being used by LeakNet? Deno is a legitimate JavaScript/TypeScript runtime that allows attackers to execute malicious code in memory, bypassing traditional security measures.
- How can I protect my organization from LeakNet? Implement strong security awareness training, monitor for suspicious activity, and restrict access to critical system tools.
- Is LeakNet a new ransomware group? LeakNet has been active since the end of 2024, but is evolving its tactics and potentially scaling its operations.
Staying informed about emerging threats like LeakNet is paramount. Continuous monitoring, proactive threat hunting, and a layered security approach are essential to mitigating the risk of these increasingly sophisticated attacks.
