OldGremlin was not made by American Motors Corp.

Over two and a half years, a Russian-speaking ransomware group named OldGremlin has been linked to 16 malicious campaigns aimed at entities operating in Russia.  The group's victims include companies in logistics, industry, insurance, retail, real estate, software development, banking, and arms manufacturing.

OldGremlin uses custom backdoors (TinyPosh and TinyNode) and ransomware (TinyCrypt, a.k.a. decr1pt) along with third-party software for reconnaissance and lateral movement (Cobalt Strike, a command-line screenshot utility, and NirSoft's Mail PassView for email password recovery).  The gang is not picky about victims as long as they are prominent businesses in Russia (medical labs, banks, manufacturers, software developers), indicating that it is composed of Russian-speaking members.

The threat actor starts its attacks with spear-phishing emails that deliver custom tools for initial access. The sender addresses carry valid names, impersonating well-known individuals.  The group seems well-versed in social engineering and takes advantage of current events to make its phishing more credible.[1]

OldGremlin first came to light in September 2020, when a Singapore-headquartered cybersecurity company disclosed nine campaigns orchestrated by the actor between May and August 2020. The first attack was detected in early April 2020.  The group is said to have conducted ten phishing email campaigns in 2020, followed by one highly successful attack in 2021 and five more in 2022, with ransom demands reaching a record $16.9 million and allowing the actor to net as much as $30 million in illicit revenue.

According to investigators, OldGremlin thoroughly studies its victims before launching an attack. The demanded ransom is therefore often proportional to the company's size and revenue, and it is set higher than the budget the company would have needed to reach a suitable level of information security.

Known to mainly target enterprise networks running Windows, OldGremlin's attacks have leveraged phishing emails masquerading as tax and legal services companies to dupe victims into clicking fraudulent links and downloading malicious files, allowing the attackers to worm their way into the network. The threat actors often pose as well-known companies, including the media group RBC, the legal assistance system Consultant Plus, the company 1C-Bitrix, the Russian Union of Industrialists and Entrepreneurs, and Minsk Tractor Works.

Upon gaining an initial foothold, OldGremlin establishes persistence by creating scheduled tasks, elevates privileges using Cobalt Strike and even by exploiting flaws in Cisco AnyConnect (CVE-2020-3153 and CVE-2020-3433), and gains remote access to the compromised infrastructure using tools such as TeamViewer.

One aspect that makes the crew stand out from other ransomware groups is that it does not rely on double extortion to coerce targeted companies into paying, despite exfiltrating their data. It has also been observed taking long breaks after each successful attack.  The average dwell time until ransomware deployment has been 49 days, well above the reported 11-day median, suggesting extended effort on the actor's part to examine the breached domain (which is done using a tool called TinyScout).

OldGremlin's most recent phishing wave occurred on 23 August 2022, with emails embedding links that point to a ZIP archive payload hosted on Dropbox to start the kill chain.  These archives, in turn, harbor a rogue LNK file (dubbed TinyLink) that downloads a backdoor called TinyFluff, one of four implants used by the group alongside TinyPosh, TinyNode, and TinyShell. The intrusion ends with the deletion of data backups and the deployment of the .NET-based TinyCrypt ransomware.

  • TinyPosh: A PowerShell trojan engineered to collect and transfer sensitive information about the infected system to a remote server and to launch additional PowerShell scripts.
  • TinyNode: A backdoor that runs the Node.js interpreter to execute commands received from a command-and-control (C2) server over the Tor network.
  • TinyFluff: A successor to TinyNode that serves as the primary downloader for receiving and running malicious scripts.

OldGremlin also employs other tools such as TinyShot, a console utility for capturing screenshots, and TinyKiller, which kills antivirus processes via a bring-your-own-vulnerable-driver (BYOVD) attack abusing the gdrv.sys and RTCore64.sys drivers.  The operators behind the BlackByte ransomware group were also recently found leveraging the same flaw in the RTCore64.sys driver to turn off security solutions on compromised machines.
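A defender-side check for the BYOVD technique described above, written here as an added example (it is not code from the Red Sky Alliance post or from any vendor). The only indicators taken from the post are the two driver file names, gdrv.sys and RTCore64.sys. The records are constructed and shaped like Sysmon Event ID 6 (DriverLoad) fields such as ImageLoaded, Signed and Signature; the "unexpected directory" and "unsigned" heuristics are general additions of this example, not behaviour the post attributes to OldGremlin. The point the code makes is that a BYOVD driver is usually validly vendor-signed, so a signature check alone does not flag it and the file name and load path have to be inspected as well.

```python
"""Hunt Sysmon-style driver-load records for known-abused (BYOVD) drivers.

Added example, not part of the original post. Sample records below are
constructed; field names follow Sysmon Event ID 6 (DriverLoad).
"""
from pathlib import PureWindowsPath

# Driver file names the post ties to OldGremlin's TinyKiller (BYOVD).
KNOWN_ABUSED_DRIVERS = {"gdrv.sys", "rtcore64.sys"}

# Directory from which Windows normally loads kernel drivers.
# PureWindowsPath compares case-insensitively, as Windows does.
EXPECTED_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

# Constructed sample telemetry (not real events). Signer strings are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "UtcTime": "2022-08-23 10:02:11",
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"host": "ws01", "UtcTime": "2022-08-23 10:05:40",
     "ImageLoaded": r"C:\Users\Public\RTCore64.sys",
     "Signed": "true", "Signature": "<hardware vendor, constructed>"},
    {"host": "srv02", "UtcTime": "2022-08-23 11:17:03",
     "ImageLoaded": r"C:\Windows\Temp\gdrv.sys",
     "Signed": "true", "Signature": "<hardware vendor, constructed>"},
    {"host": "srv02", "UtcTime": "2022-08-23 11:20:55",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"host": "ws03", "UtcTime": "2022-08-23 12:01:00",
     "ImageLoaded": r"D:\tools\monitor.sys",
     "Signed": "false", "Signature": "-"},
]


def classify_driver_load(event):
    """Return the list of reasons a driver-load record is suspicious.

    An empty list means nothing was flagged. A validly signed driver can
    still be flagged: BYOVD abuses legitimate vendor signatures, so the
    file name check must not be gated on the signature check.
    """
    path = PureWindowsPath(event["ImageLoaded"])
    reasons = []
    if path.name.lower() in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known abused driver {path.name}")
    if path.parent != EXPECTED_DRIVER_DIR:
        reasons.append(f"loaded from unexpected directory {path.parent}")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    return reasons


def hunt(events):
    """Group flagged loads by host: {host: [(UtcTime, ImageLoaded, reasons), ...]}."""
    hits = {}
    for ev in events:
        reasons = classify_driver_load(ev)
        if reasons:
            hits.setdefault(ev["host"], []).append(
                (ev["UtcTime"], ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for host, loads in hunt(SAMPLE_EVENTS).items():
        for when, image, reasons in loads:
            print(f"{host} {when} {image}: {'; '.join(reasons)}")
```

Feeding real Sysmon DriverLoad events into `hunt` only requires mapping each record to the same field names; the known-driver set is the part that should be maintained from current BYOVD reporting rather than from this single post.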

Another unusual application used by OldGremlin in its attacks is a .NET console app called TinyIsolator, which temporarily cuts the host off from the network by disabling network adapters before executing the ransomware.  The group's malware arsenal also includes a Linux version of TinyCrypt, written in the Go programming language, which is launched after deleting .bash_history files, changing user passwords to limit access to the compromised host, and disabling SSH.

Even though OldGremlin has focused on Russia so far, it should not be underestimated elsewhere. Many Russian-speaking gangs started by targeting companies in the post-Soviet space and later switched to other geographies.

 

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, don't hesitate to get in touch with the office directly at 1-844-492-7225 or feedback@wapacklabs.com

 

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

 

[1] https://thehackernews.com/2022/10/oldgremlin-ransomware-targeted-over.html
