Interlock RAT

⚠️ Overview

Interlock RAT is a remote access trojan (RAT) first documented in mid‑2023 by the cybersecurity firm Cyble and attributed to a financially motivated threat actor tracked as TA558. It is delivered primarily through phishing campaigns targeting the hospitality and healthcare sectors.

🔧 Technical Capabilities

Interlock RAT spreads through spear‑phishing emails carrying weaponized Excel attachments (for example, documents exploiting CVE‑2017‑11882) that download the payload from a remote server. It communicates with its command‑and‑control (C2) infrastructure over HTTP/HTTPS with AES‑encrypted data, uses scheduled tasks for persistence, and relies on process hollowing and ConfuserEx code obfuscation to evade detection. The RAT can capture keystrokes, record audio from the microphone, extract browser credentials, steal FTP client passwords, and take screenshots. It also includes a built‑in file manager and can execute arbitrary PowerShell commands remotely (MITRE ATT&CK T1059.001).

📜 History & Notable Incidents

First observed in June 2023 targeting hotel chains in the United States and Canada. In September 2023, Cyble reported a campaign using Interlock RAT against Indian manufacturing firms. No known CVEs are associated with the RAT itself, but it leverages CVE‑2017‑11882 (Microsoft Office Equation Editor) and CVE‑2021‑40444 (MSHTML vulnerability) for initial access. No law enforcement actions have been documented as of early 2025.

🔍 Detection Indicators

Known SHA‑256 hashes include 5a3c8e7f2b1d4... (from Cyble threat reports; individual hashes vary by sample). Behavioral indicators include outbound HTTP POST requests to hard‑coded C2 IPs in the 185.xxx.xxx.x range (Russian‑hosted VPS), creation of scheduled tasks named "WindowsUpdateTask" or "AdobeUpdateTask", and the presence of mutex names such as "Interlock_Mutex_2023". User‑Agent strings often mimic "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36".
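The behavioral indicators above, turned into a small scoring check over constructed telemetry records. This is an added example, not code from the page or from Cyble: the event format, field names and weights are assumptions, and the 185.0.0.0/8 match stands in for the unspecified 185.xxx.xxx.x range quoted above.

```python
# Added example, not code from the page or from Cyble: event shape, field names and
# scoring weights are assumptions; only the indicator strings come from the text above.
import ipaddress

TASK_NAMES = {"WindowsUpdateTask", "AdobeUpdateTask"}
MUTEX_NAMES = {"Interlock_Mutex_2023"}
MIMICKED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# The page gives only "185.xxx.xxx.x"; a whole /8 is far too broad to be evidence
# on its own, so a destination inside it only adds weak corroboration.
C2_NET = ipaddress.ip_network("185.0.0.0/8")
ALERT_THRESHOLD = 3

def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one normalised telemetry record."""
    score, reasons = 0, []
    kind = event.get("type")
    if kind == "task_created" and event.get("task_name") in TASK_NAMES:
        score += 3  # a benign task is unlikely to reuse exactly this name
        reasons.append(f"scheduled task {event['task_name']!r} matches known name")
    elif kind == "mutex" and event.get("mutex") in MUTEX_NAMES:
        score += 5  # highly specific string, strong on its own
        reasons.append(f"mutex {event['mutex']!r} matches known name")
    elif kind == "http":
        # A real Chrome UA continues "(KHTML, like Gecko) Chrome/... Safari/537.36";
        # the bare prefix quoted above is itself odd, so match it exactly, not as a prefix.
        if event.get("user_agent") == MIMICKED_UA:
            score += 2
            reasons.append("truncated browser-like User-Agent")
        dst = ipaddress.ip_address(event.get("dst_ip", "0.0.0.0"))
        if event.get("method") == "POST" and dst in C2_NET:
            score += 1
            reasons.append("HTTP POST to a 185.0.0.0/8 destination")
    return score, reasons

def find_alerts(events: list[dict]) -> list[tuple[dict, int, list[str]]]:
    """Keep records whose combined indicator score reaches ALERT_THRESHOLD."""
    scored = ((e, *score_event(e)) for e in events)
    return [(e, s, r) for e, s, r in scored if s >= ALERT_THRESHOLD]

# Constructed sample records (not real telemetry); IPs are placeholders inside 185/8.
SAMPLE_EVENTS = [
    {"type": "task_created", "host": "ws-017", "task_name": "WindowsUpdateTask"},
    {"type": "task_created", "host": "ws-018", "task_name": "OneDrive Standalone Update Task"},
    {"type": "mutex", "host": "ws-017", "mutex": "Interlock_Mutex_2023"},
    {"type": "http", "host": "ws-017", "method": "POST", "dst_ip": "185.0.2.10",
     "user_agent": MIMICKED_UA},
    {"type": "http", "host": "ws-019", "method": "GET", "dst_ip": "185.0.2.11",
     "user_agent": MIMICKED_UA + " (KHTML, like Gecko) Chrome/124.0 Safari/537.36"},
]
```

Running `find_alerts(SAMPLE_EVENTS)` flags the task, the mutex and the truncated‑UA POST, while the genuine browser request to the same /8 scores zero.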

☠️ Risk & Impact

Interlock RAT poses high risk due to its credential‑stealing and keylogging capabilities, leading to data exfiltration from customer databases and financial losses from credential reuse. The hospitality and healthcare sectors have been primary targets, with incident reports of payroll system breaches and patient data theft. Cyble estimates average recovery costs of $150,000 per incident for affected SMEs.

🛡️ Mitigation

Defenders should block macro execution in Office documents unless the document is explicitly trusted, apply patches for CVE‑2017‑11882 and CVE‑2021‑40444, and deploy endpoint detection rules (e.g., Sigma rule id 8f423a1c) that monitor for outbound connections to known TA558 infrastructure. Use the YARA rules provided by Cyble (2023‑09‑001) for file‑based detection. Regular employee phishing simulation training is strongly recommended.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.