Researchers have said that OldGremlin’s first activities began between late March and early April 2020. The group took advantage of the COVID-19 pandemic in its early lures (a common theme for ransomware strains during this period), sending financial institutions purported recommendations on how to organize a safe working environment during the pandemic, and impersonating the self-regulatory organization Mikrofinansirovaniye i Razvitiye (SRO MiR).
OldGremlin relies on a bevy of tools, including custom backdoors called TinyPosh and TinyNode, to gain an initial foothold in the organization. It also uses tricky spear-phishing emails that utilize constantly evolving lures from false coronavirus pandemic recommendations to fake requests for media interviews. And, the Russian-speaking cybercriminal group targets other Russian organizations, which researchers say is a big no-no within the Russian hacker community.
Researchers first discovered the group in August 2020, when it targeted a large, unnamed medical company with a spear-phishing email purporting to be sent by the media holding company RBC. Instead, the email was an attack vector for OldGremlin to encrypt the company’s entire corporate network and demand a $50,000 ransom.
The attack against the medical company is what put OldGremlin on researchers’ radar. In that case, the threat group sent targets a spear-phishing email with an attached ZIP archive, with the subject “Bill due” and purporting to be the finance department of RBC. Once the victim clicked on the .ZIP archive, a unique custom malware called TinyNode was used. TinyNode is a backdoor that downloads and launches additional malware.
After gaining remote access to the victim’s computer, the threat actors performed network reconnaissance, collected valuable data and propagated across the network, also utilizing the Cobalt Strike framework to make sure that any post-exploitation activity was as effective as possible.
A few weeks after the initial attack, OldGremlin then wiped the organization’s backups, spreading TinyCryptor across hundreds of computers on the corporate network, with a ransom note demanding $50,000 in cryptocurrency in exchange for a decryption key.
OldGremlin has also constantly switched up its spear-phishing lures over time to mimic various organizations — from a Russian dental clinic to the Russian microfinance organization Edinstvo. The group has also commonly mimicked RBC in several campaigns. One spear-phishing email, for instance, purported to be sent by a Russian RBC journalist, who invited targets to take part in the “Nationwide survey of the banking and financial sectors during the coronavirus pandemic.” In later email exchanges, the attackers asked victims to click on a link, which then resulted in a custom trojan developed by the cybercriminals, TinyPosh, being downloaded to the victim’s computer.
More recently, after a short hiatus, the group ramped up its activities again on August 13 and 14, sending around 250 malicious emails targeting Russian companies in the financial and industrial sectors. These campaigns also mimicked a journalist with the RBC group and a nickel-producing company.
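The delivery pattern described above (a display name posing as RBC, a lure-style subject, and a ZIP attachment carrying a dropper) can be triaged mechanically at the mail gateway. The following is an added illustration written for this article, not code from Red Sky Alliance or from the researchers who tracked OldGremlin; the RBC domain list, the risky-extension list and the sample archive are constructed assumptions.

```python
import io
import re
import zipfile
from email.utils import parseaddr

# Domains the impersonated brand legitimately sends from (constructed assumption;
# replace with a verified list).  OldGremlin lures posed as RBC's finance department.
KNOWN_BRAND_DOMAINS = {"rbc": {"rbc.ru"}}
# Archive member extensions that a backdoor dropper such as TinyNode is typically packaged as.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".lnk", ".scr", ".hta", ".ps1")
# Subject fragments seen in the campaigns described above ("Bill due", the RBC "survey").
LURE_SUBJECTS = re.compile(r"bill due|survey", re.IGNORECASE)


def risky_zip_members(zip_bytes: bytes) -> list:
    """Names of archive members whose extension suggests executable content."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(RISKY_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []  # not a ZIP at all; nothing to inspect


def triage_message(from_header: str, subject: str, attachments: dict) -> list:
    """Return reasons a message matches the lure pattern (empty list = no match)."""
    reasons = []
    display_name, address = parseaddr(from_header)
    sender_domain = address.rsplit("@", 1)[-1].lower()
    # Brand impersonation: display name claims the brand, sender domain does not belong to it.
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            reasons.append(f"display name claims {brand.upper()} but sender is {sender_domain}")
    if LURE_SUBJECTS.search(subject):
        reasons.append(f"lure-style subject: {subject!r}")
    # A ZIP attachment carrying an executable is the delivery step described above.
    for name, data in attachments.items():
        if name.lower().endswith(".zip"):
            members = risky_zip_members(data)
            if members:
                reasons.append(f"ZIP {name} contains executable content: {members}")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed sample archive: a harmless text file with a dropper-style name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bill_due.pdf.exe", b"placeholder text, not a real binary")
    return buf.getvalue()
```

Calling `triage_message("RBC Finance Department <accounts@rbc-billing.example>", "Bill due", {"bill.zip": build_sample_zip()})` returns three reasons; a message from a genuine RBC address with an ordinary subject and no archive returns none.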
Of note, OldGremlin appears to be made up of Russian speakers and yet is actively targeting Russian companies which researchers said is a big transgression among the Russian underground.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
Articles regarding these types of cyber threat groups can be found at https://redskyalliance.org . There is no charge for access to these reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement two-factor authentication company-wide.
- Join and become active in your local Infragard chapter; there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all work-from-home employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941