
Two UK-based universities have fallen victim to a sophisticated Remote Access Trojan (RAT) dubbed NodeSnake within the past two months.
According to a report by Quorum Cyber’s Threat Intelligence (QCTI) team, this malware, likely deployed by the ransomware group Interlock, showcases advanced capabilities for persistent access and network infiltration.
Emerging Threat Targets Higher Education Sector
The timing and shared code elements between the two incidents strongly suggest a coordinated campaign by the same threat actor, with a particular focus on the higher education sector.
This development signals a broader trend of cybercriminals targeting organizations with valuable data, leveraging stealthy tools to bypass traditional security measures.
NodeSnake, coded in JavaScript and executed via NodeJS, represents a modern RAT designed for long-term persistence, system reconnaissance, and remote command execution.
Quorum Cyber’s analysis identifies two iterations, NodeSnake.A and NodeSnake.B, with the latter demonstrating significant advancements in obfuscation, encryption, and payload delivery.
NodeSnake.A establishes persistence through registry entries disguised as “ChromeUpdater” and employs basic XOR encryption with a static key for data exfiltration to Cloudflare-proxied Command-and-Control (C2) servers.
NodeSnake’s Technical Sophistication
By contrast, NodeSnake.B introduces a rolling XOR key, zlib compression, and dynamic string decryption, alongside new payload types like CMD for real-time shell command execution and ACTIVE for adjusting C2 polling intervals.
These enhancements, coupled with tactics such as console tampering and process detachment, make NodeSnake.B a formidable tool for evading both manual and automated detection.
The malware’s reliance on Cloudflare Tunnels further complicates mitigation efforts, as attackers exploit legitimate infrastructure to access services like SSH, RDP, and SMB, enabling lateral movement within compromised networks.
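To make the difference between the two variants' encryption concrete, here is an added Python illustration (not code from the Quorum Cyber report or from the malware itself): with a static repeating XOR key, as attributed to NodeSnake.A, an analyst holding one captured beacon and a short expected plaintext fragment can recover the key by crib-dragging, whereas NodeSnake.B's compress-then-rolling-XOR design removes that foothold. The beacon layout, key, crib and rolling-key update rule are constructed assumptions.

```python
from typing import Optional
import zlib

# Constructed sample beacon, key and crib (not values from the report).
BEACON = b'{"host":"LAB-PC-01","user":"student","os":"Windows 10","tasks":[]}'
KEY_A = bytes.fromhex("5a13c87e")   # assumed 4-byte static key for the A variant
CRIB = b'{"host":"'                 # plaintext fragment an analyst expects to see

def xor_static(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the scheme attributed to NodeSnake.A (self-inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_rolling(data: bytes, seed: int) -> bytes:
    """Hypothetical rolling key: the key byte is updated after every byte using
    the previous plaintext byte, so no fixed key stream repeats across the message."""
    out, k = bytearray(), seed & 0xFF
    for b in data:
        out.append(b ^ k)
        k = (k * 3 + b) & 0xFF
    return bytes(out)

def encode_a(beacon: bytes) -> bytes:
    return xor_static(beacon, KEY_A)

def encode_b(beacon: bytes) -> bytes:
    # B variant as described in the report: zlib compression, then rolling XOR.
    return xor_rolling(zlib.compress(beacon), KEY_A[0])

def recover_static_key(cipher: bytes, crib: bytes, key_len: int) -> Optional[bytes]:
    """Crib-drag for a repeating key of known length: slide the crib along the
    ciphertext; XOR yields a key-stream slice that must agree with a key repeating
    every key_len bytes. The crib must cover at least two key periods so that
    every key byte is cross-checked against a repeat (false positives ~256^-key_len)."""
    if len(crib) < 2 * key_len:
        raise ValueError("crib too short to confirm key repetition")
    for pos in range(len(cipher) - len(crib) + 1):
        stream = bytes(c ^ p for c, p in zip(cipher[pos:], crib))
        cand, seen, consistent = bytearray(key_len), [False] * key_len, True
        for i, kb in enumerate(stream):
            idx = (pos + i) % key_len
            if seen[idx] and cand[idx] != kb:
                consistent = False
                break
            cand[idx], seen[idx] = kb, True
        if consistent:
            return bytes(cand)
    return None
```

Against the A-style beacon the crib recovers KEY_A outright; against the B-style beacon the compressed bytes no longer contain the crib and the key stream never repeats, so the same routine returns None and the analyst must instead replay the key schedule from a recovered sample.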
Interlock, the likely operator behind NodeSnake, emerged in October 2024 and is known for double-extortion campaigns targeting high-value entities across North America and Europe.
Unlike typical Ransomware-as-a-Service (RaaS) groups, Interlock operates independently, encrypting data on both Linux and Windows systems and appending the “.interlock” extension to files, while leaving ransom notes like “QUICK_GUIDE.txt” in affected folders.

The use of phishing emails with malicious attachments or links, as reported by Proofpoint, remains a primary infection vector, often delivering RATs like NodeSnake alongside others such as Xworm and AsyncRAT.
The strategic shift towards modularity and interactive compromise in NodeSnake.B underscores Interlock’s intent to maintain operational flexibility and stealth, posing a significant risk to enterprise environments.
Organizations are urged to adopt Zero Trust policies, ensure regular software updates, enhance user training, and deploy robust endpoint protection to mitigate these threats. Below are selected Indicators of Compromise (IoCs) associated with Interlock and NodeSnake for reference in bolstering defenses.
Indicators of Compromise (IoCs)
| IOC Type | IOC Value | Comment |
|---|---|---|
| Domain | sublime-forecasts-pale-scored.trycloudflare[.]com | Associated with Interlock ransomware |
| Hash (SHA-256) | f99fb136427fc8ed344d455eb1cbd7eabc405620ae8b4205d89a8e2e1e712256 | RAT malware file |
| IPv4 | 212[.]237[.]217[.]182 | Malicious IP of C2 server (AS57043) |
| Ransom Note | QUICK_GUIDE.txt | Associated with Interlock ransomware |