
A financially motivated campaign launched in December 2022 has been attributed to an unidentified threat actor deploying a new ransomware variant, MortalKombat, together with a clipper malware known as Laplas.
Cisco Talos states, “We observed the attacker scanning the Internet for victim machines using exposed Remote Desktop Protocol (RDP) port 3389.”
According to the cybersecurity firm, the attacks have focused primarily on individuals, small businesses, and large organizations located in the United States, and to a lesser extent in the United Kingdom, Turkey, and the Philippines.
The starting point of the multi-stage attack chain is a phishing email containing a malicious ZIP file used as a vector to deliver either the clipper or ransomware.
In addition to using lures impersonating CoinPayments in cryptocurrency-themed emails, threat actors have also been known to erase infection markers in an attempt to cover their tracks.
First detected in January 2023, MortalKombat is able to encrypt system, application, backup, and virtual machine files within compromised systems. Additionally, it corrupts Windows Explorer, disables the Run command window, and removes applications and folders from Windows startup.

According to Cisco Talos researcher Chetan Raghuprasad, analysis of the ransomware’s source code revealed that it is part of the Xorist family of ransomware.
Laplas clipper is a Golang-based malware family first disclosed in November 2022. It is designed to monitor the clipboard for cryptocurrency wallet addresses and replace them with an attacker-controlled wallet address so that the victim unknowingly sends funds to the attacker.
“The clipper reads the contents of the victim’s machine’s clipboard and performs regular expression pattern matching to detect cryptocurrency wallet addresses,” Raghuprasad explains.
“Once a cryptocurrency wallet address is determined, the clipper sends that wallet address back to the clipper bot. It will overwrite the original cryptocurrency wallet address.”
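As an added illustration from the defender's side (not code from Cisco Talos or from this article), the following Python check flags the clipboard-substitution behaviour described above: it compares what the user actually copied with what a later clipboard read returns and raises an alert when a wallet address has silently become a different address of the same type. The wallet-address patterns are an illustrative subset, and the event list is constructed input standing in for live clipboard reads.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative wallet-address patterns (assumption: a subset, not the
# campaign's own regexes). Keys are coin labels used in alerts.
WALLET_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the coin label if the text looks like a wallet address, else None."""
    candidate = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


@dataclass
class SwapAlert:
    coin: str
    copied: str   # address the user deliberately placed on the clipboard
    found: str    # different address of the same type found on a later read


def check_clipboard_history(events: List[Tuple[str, str]]) -> List[SwapAlert]:
    """Detect silent wallet-address substitution.

    events: (source, value) pairs in time order. 'user' marks an explicit copy
    made by the user; 'poll' marks a periodic read of the clipboard contents.
    An alert is raised when a polled value is a wallet address of the same coin
    type as the last user copy but is not the address the user copied.
    """
    alerts: List[SwapAlert] = []
    last_user: Optional[str] = None
    for source, value in events:
        if source == "user":
            last_user = value
            continue
        if last_user is None:
            continue
        coin = classify(last_user)
        if coin and classify(value) == coin and value.strip() != last_user.strip():
            alerts.append(SwapAlert(coin, last_user, value))
    return alerts


# Constructed sample timeline: two clean reads, two silent swaps, one non-address copy.
SAMPLE_EVENTS = [
    ("user", "0x" + "ab" * 20), ("poll", "0x" + "ab" * 20), ("poll", "0x" + "cd" * 20),
    ("user", "meeting notes"), ("poll", "0x" + "cd" * 20),
    ("user", "bc1q" + "z" * 38), ("poll", "bc1q" + "y" * 38),
]

if __name__ == "__main__":
    for alert in check_clipboard_history(SAMPLE_EVENTS):
        print(f"[{alert.coin}] clipboard changed from {alert.copied} to {alert.found}")
```

Only a swap between two addresses of the same coin type is reported, so a user overwriting an address with unrelated text produces no alert.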