Operators of the Vidar and RedLine information-stealing malware strains have begun delivering ransomware payloads through tactics initially leveraged for infostealer distribution, suggesting a streamlining of attackers' operations, reports The Hacker News.
After sending phishing emails in July that carried infostealer malware signed with Extended Validation code signing certificates to an unspecified victim, the threat actors followed up with a fraudulent TripAdvisor complaint attachment that led to ransomware deployment, according to a report from Trend Micro.
Researchers noted that no EV certificates were found in the files used to drop the ransomware.
"However, the two originate from the same threat actor and are spread using the same delivery method. We can therefore assume a division of labor between the payload provider and the operators," said researchers.
The findings follow an IBM X-Force study showing the utilization of an updated DBatLoader malware loader in new phishing attacks distributing Warzone RAT and Agent Tesla malware since June.
BleepingComputer reports that KELA threat analysts observed the third iteration of the Knight ransomware source code being offered for sale on the RAMP forums by the operation's representative, Cyclops.