Distribution of Knight ransomware concealed in phony TripAdvisor complaint emails

Deceptive TripAdvisor complaints conceal malicious Knight ransomware

TripAdvisor was used by cybercriminals in a ransomware-spreading campaign

The Knight ransomware, a more recent iteration of the Cyclops malware-as-a-service, is a rising threat in the digital world. The cybercriminals' deliberate rebranding took place toward the end of July 2023, indicating their intention to reevaluate their destructive operations. Cyclops RaaS first appeared in May 2023, when its operators started looking for affiliates for the newly created ransomware-as-a-service on the infamous RAMP hacking forum.

According to reports from the cybersecurity company Uptycs,[1] the Cyclops operation introduced encryption tools specifically designed for the Windows, macOS, and Linux/ESXi platforms. One unusual aspect of this operation, a break from the norm in RaaS operations, was that it also supplied information-stealing software for Windows and Linux. A 'light' version of the encryptor was introduced at the same time, specifically designed for spam campaigns that target large numbers of users. In contrast to the usual methods, this version had a set ransom price and avoided negotiations with victims.

A Trojan horse for ransomware

Recent discoveries by cybersecurity professionals have shown a worrying trend: a spam campaign disguising the Knight ransomware as TripAdvisor complaints. This scam, which involved misleading emails with ZIP file attachments named “TripAdvisorComplaint.zip,” was discovered by security researcher Felix from Sophos.[2] The executable inside, 'TripAdvisor Complaint – Possible Suspension.exe,' was actually a delivery mechanism for the ransomware.

The campaign's later versions included an HTML attachment called “TripAdvisor-Complaint-[random].PDF.htm”.[3] This HTML document is a phishing page that creates a fake browser window that looks like TripAdvisor's user interface. The pretense lured users into engaging with the content, which was revealed to be a smokescreen once the ransomware was activated.

Unmasking the attack

When it is opened, the HTML attachment uses a clever phishing method, Mr.D0x's Browser-in-the-Browser.[4] It displays what looks like a real browser window containing a restaurant complaint form. However, beneath the surface, there is a dark underbelly. The file “TripAdvisor_Complaint-Possible-Suspension.xll,” which is an Excel XLL file created with Excel-DNA to incorporate .NET into Microsoft Excel, is attached.

The Mark of the Web (MoTW), which Microsoft implemented to prohibit the unrestricted execution of potentially harmful files acquired from the internet, is a significant security measure here. If Excel finds the MoTW flag on the .NET add-in, it disables the add-in, preventing the malware's installation. When the MoTW flag isn't present, however, enabling the add-in starts the injection of the Knight Lite ransomware encryptor into a new explorer.exe process, which then begins encrypting data.
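A mail-gateway style check for the attachment patterns described above, given as an added example that is not part of the original article. The sample message, its subject, the random suffix "ab12" and the extension list beyond .exe and .xll are constructed assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .exe and .xll come from the article; the other extensions are assumptions.
EXECUTABLE_EXT = {".exe", ".xll", ".scr", ".js", ".lnk"}
# A document-looking extension followed by an HTML one, e.g. ".PDF.htm".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.html?$", re.I)

def _ext(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def triage_attachments(raw_email: bytes):
    """Return a list of (attachment_name, reason) findings."""
    findings = []
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if DOUBLE_EXT.search(name):
            findings.append((name, "document name with HTML extension"))
        if _ext(name) in EXECUTABLE_EXT:
            findings.append((name, "executable attachment"))
        if zipfile.is_zipfile(io.BytesIO(data)):
            # Look inside the archive: the lure hides the .exe in a ZIP.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _ext(member) in EXECUTABLE_EXT:
                        findings.append((name, "archive contains " + member))
    return findings

def build_sample() -> bytes:
    """Constructed message that mimics the lure names in the article."""
    msg = EmailMessage()
    msg["Subject"] = "Complaint about your restaurant"  # constructed
    msg.set_content("Please review the attached complaint.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("TripAdvisor Complaint - Possible Suspension.exe", b"MZ")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="TripAdvisorComplaint.zip")
    msg.add_attachment(b"<html></html>", maintype="text", subtype="html",
                       filename="TripAdvisor-Complaint-ab12.PDF.htm")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in triage_attachments(build_sample()):
        print(f"{name}: {reason}")
```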

Cryptic ransom dynamics

As the ransomware encrypts files, it appends the '.knight_l' extension to their names to indicate its 'light' nature. It also leaves a ransom note called “How To Restore Your Files.txt” in each of the compromised folders, demanding $5,000 in Bitcoin as ransom. Strangely, the identical Bitcoin address, '14JJfrWQbud8c8KECHyc9jM6dammyjUb3Z,' appears on every ransom note that has been found so far, raising questions about the threat actor's ability to identify specific victims.
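For incident scoping, the two on-disk artefacts named above can be searched for directly. The following is an added example, not part of the original article: it reports every folder containing the ransom note or '.knight_l' files, with the earliest modification time among the encrypted files as a rough timeline anchor. The sample tree and its timestamps are constructed.

```python
import os
import tempfile

ENCRYPTED_SUFFIX = ".knight_l"                 # extension named in the article
RANSOM_NOTE = "how to restore your files.txt"  # note name, lower-cased

def scope_encryption(root):
    """Return {relative_dir: {"note", "encrypted", "first_mtime"}} for hit folders."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        entry = {"note": False, "encrypted": 0, "first_mtime": None}
        for name in files:
            lowered = name.lower()
            if lowered == RANSOM_NOTE:
                entry["note"] = True
            elif lowered.endswith(ENCRYPTED_SUFFIX):
                entry["encrypted"] += 1
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
                if entry["first_mtime"] is None or mtime < entry["first_mtime"]:
                    entry["first_mtime"] = mtime
        # Only folders showing at least one artefact are reported.
        if entry["note"] or entry["encrypted"]:
            report[os.path.relpath(dirpath, root)] = entry
    return report

def build_sample_tree(root):
    """Constructed directory tree: one encrypted folder, one clean folder."""
    layout = {
        "docs/report.docx.knight_l": 1_700_000_100,
        "docs/budget.xlsx.knight_l": 1_700_000_050,
        "docs/How To Restore Your Files.txt": 1_700_000_200,
        "clean/notes.txt": 1_700_000_000,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (mtime, mtime))  # fixed timestamps for a stable result

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, entry in scope_encryption(tmp).items():
            print(folder, entry)
```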

Visiting the Knight Tor site returns a uniform message without any negotiation panels, giving away the campaign's standardized character. The ransom text offers an email address for communication, brahma2023@onionmail.org, and urges victims to have already paid the ransom demand. However, caution is advised, because paying the ransom may not ensure that you will receive a decryptor, and the same Bitcoin address increases the possibility of fund diversion.

Users are reminded of the critical importance of staying vigilant as the Knight ransomware uses what appear to be innocent TripAdvisor complaint emails to further its malicious objective. This campaign emphasizes the need for thorough cybersecurity measures as well as education to counter increasing threats. Adaptability and awareness continue to be the most effective tools in the arsenal of cybersecurity professionals against the constantly changing threats posed by digital malice.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
