A new financially motivated campaign that began in December 2022 has seen the unidentified threat actor behind it deploying a novel ransomware strain dubbed MortalKombat and a clipper malware known as Laplas. Investigators said they "observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389." The attacks primarily target individuals, small businesses, and large organizations located in the US, and to a lesser extent in the UK, Turkey, and the Philippines.
The multi-stage attack chain begins with a phishing email carrying a malicious ZIP file, which serves as the delivery path for either the clipper or the ransomware. In addition to using cryptocurrency-themed email lures impersonating CoinPayments, the threat actor is also known to erase infection markers in an attempt to cover its tracks.[1]
MortalKombat, first detected in January 2023, is capable of encrypting system, application, backup, and virtual machine files on the compromised system. It further corrupts Windows Explorer, disables the Run command window, and removes applications and folders from Windows startup. A source code analysis of the ransomware reveals that it belongs to the Xorist Commodity Ransomware family, which has been circulating on the internet since 2016. Researchers say that the attackers are focusing more on healthcare organizations based in the United States.
The Laplas clipper is a Golang variant of the malware that appeared in November 2022. It is designed to monitor the clipboard for any cryptocurrency wallet address and substitute it with an actor-controlled wallet to carry out fraudulent transactions. The clipper reads the victim machine's clipboard contents and runs a regular-expression match to detect a cryptocurrency wallet address. When a wallet address is identified, the clipper sends it back to the clipper bot. In response, the clipper receives an attacker-controlled wallet address that resembles the victim's and overwrites the original cryptocurrency wallet address in the clipboard.
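The substitution described above can be checked for from the defender's side: compare the address the user originally copied with what the clipboard holds at paste time, and flag a replacement that keeps the leading and trailing characters (the part people actually glance at). This is an added example in Go, the language of the clipper, and is not code from the report or from the malware; the address patterns, the three-character affix threshold, and the sample addresses are constructed for illustration.

```go
package main

import "regexp"

// Anchored patterns for the address families a clipper typically watches for
// (constructed for this example; a real checker would cover more chains).
var walletPatterns = map[string]*regexp.Regexp{
	"btc-legacy": regexp.MustCompile(`^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$`),
	"btc-bech32": regexp.MustCompile(`^bc1[a-z0-9]{39,59}$`),
	"eth":        regexp.MustCompile(`^0x[a-fA-F0-9]{40}$`),
}

// ClassifyAddress reports which wallet family s belongs to, or "" if none.
func ClassifyAddress(s string) string {
	for kind, re := range walletPatterns {
		if re.MatchString(s) {
			return kind
		}
	}
	return ""
}

// SharedAffix counts the leading and trailing bytes a and b share (no overlap).
func SharedAffix(a, b string) (prefix, suffix int) {
	for prefix < len(a) && prefix < len(b) && a[prefix] == b[prefix] {
		prefix++
	}
	for suffix < len(a)-prefix && suffix < len(b)-prefix && a[len(a)-1-suffix] == b[len(b)-1-suffix] {
		suffix++
	}
	return prefix, suffix
}

// CheckPaste compares the address a user copied with what the clipboard holds at paste
// time: "ok" (unchanged, or not an address), "swapped" (another address substituted) or
// "lookalike" (the substitute keeps the first and last characters, so it passes a glance).
func CheckPaste(copied, clipboard string) string {
	if copied == clipboard || ClassifyAddress(copied) == "" || ClassifyAddress(clipboard) == "" {
		return "ok"
	}
	if p, s := SharedAffix(copied, clipboard); p >= 3 && s >= 3 {
		return "lookalike"
	}
	return "swapped"
}

func main() { // constructed sample addresses; none are real wallets
	println(CheckPaste("0xabc0000000000000000000000000000000000def", "0xabc1111111111111111111111111111111111def")) // lookalike
}
```

A wallet application or endpoint agent would hook the copy and paste events to feed CheckPaste; the comparison itself is the same regardless of where the two strings come from.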
Golang is the Go programming language, an open source project. Its concurrency mechanisms make it easy to write programs that get the most out of multicore and networked machines, while its novel type system enables flexible and modular program construction. Go compiles quickly to machine code yet has the convenience of garbage collection and the power of run-time reflection.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2023/02/financially-motivated-threat-actor.html