A new financially motivated campaign has been observed using a variant of the Xorist commodity ransomware, “MortalKombat,” together with a variant of the Laplas Clipper malware.
The attacks reportedly aim to steal cryptocurrency from victims and primarily targeted the United States, with additional victims in the United Kingdom, Turkey and the Philippines.
“Leveraging cryptocurrency gives threat actors attractive advantages such as anonymity, decentralization, and lack of regulation, making it more difficult to track,” Cisco Talos wrote in a Tuesday advisory.
The company said it observed the actor scanning the internet for machines with an exposed Remote Desktop Protocol (RDP) port, then using one of its download servers to run an RDP crawler that facilitated MortalKombat ransomware deployments.
From a technical standpoint, the attacks seen as part of this campaign begin with a phishing email that initiates a multi-stage attack chain: the actor delivers either the clipper malware or the ransomware, then deletes evidence of the infection from the compromised machine.
“The malicious ZIP file attached to the initial phishing email contains a BAT loader script,” reads the advisory.
Once the victim runs the loader script, it downloads another malicious ZIP file from an attacker-controlled hosting server to the victim’s machine, inflates it automatically and executes the payload: either the Go variant of the Laplas Clipper malware or the MortalKombat ransomware.
“The loader script will run the dropped payload as a process in the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers,” Cisco Talos wrote.
To defend against this campaign, Cisco Talos advised organizations to be vigilant when carrying out cryptocurrency transactions, in particular by verifying the destination wallet address before sending funds, since a clipper’s purpose is to swap the address a victim copies to the clipboard.
Erich Kron, security awareness advocate at KnowBe4, echoed Cisco Talos’ recommendations, adding that organizations should focus on email phishing defenses.
“Many organizations still allow .ZIP files as attachments, yet may not have a reason for most employees to be able to send this type of file,” Kron told Infosecurity in an email. “Because these types of archive files are used regularly when trying to spread malware, disallowing them could significantly improve the ability to defend against these campaigns.”
Phishing-based attacks were also at the center of a recent Cofense report, which suggested the use of Telegram bots as exfiltration destinations for phished data grew by 800% between 2021 and 2022.
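Where an outright ban on ZIP attachments is not an option, a mail gateway can at least refuse archives that carry the kind of script loader described above. The following is an added example, not code from Cisco Talos, KnowBe4 or Infosecurity: it screens an attachment in memory, recurses into nested ZIPs, and blocks any archive containing a Windows script or executable member. The extension block-list, the nesting and size limits, and the sample archives are all constructed for the example and are assumptions, not details from the advisory.

```python
"""Screen e-mail attachments for archive-wrapped script loaders (added example)."""
import io
import posixpath
import zipfile
from dataclasses import dataclass, field

# Assumed block-list of member types that should never arrive by mail.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".exe", ".vbs", ".js", ".jse",
                     ".wsf", ".ps1", ".scr", ".lnk", ".hta", ".dll"}
MAX_DEPTH = 3                          # nested-ZIP recursion limit (assumed)
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # refuse to inflate beyond this (zip-bomb guard)


@dataclass
class Verdict:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def _member_ext(name: str) -> str:
    # Use the last extension only: "invoice.pdf.bat" is still a .bat.
    return posixpath.splitext(name.lower())[1]


def _scan_zip(data: bytes, path: str, depth: int, reasons: list[str]) -> None:
    """Walk one archive, appending a reason for every member that must block it."""
    if depth > MAX_DEPTH:
        reasons.append(f"{path}: nesting deeper than {MAX_DEPTH}")
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        reasons.append(f"{path}: not a valid ZIP")
        return
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append(f"{member}: declared size {info.file_size} exceeds limit")
                continue
            ext = _member_ext(info.filename)
            if ext in SCRIPT_EXTENSIONS:
                reasons.append(f"{member}: script/executable member ({ext})")
            elif info.flag_bits & 0x1:
                # Encrypted member: cannot be inspected, so it cannot be cleared.
                reasons.append(f"{member}: encrypted member cannot be inspected")
            elif ext == ".zip":
                # Nested archive: inflate in memory and recurse.
                _scan_zip(zf.read(info), member, depth + 1, reasons)


def screen_attachment(filename: str, data: bytes) -> Verdict:
    """Return a Verdict for one attachment (filename plus raw bytes)."""
    reasons: list[str] = []
    ext = _member_ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"{filename}: script/executable attachment ({ext})")
    elif ext == ".zip" or data.startswith(b"PK\x03\x04"):
        # Inspect by content as well as by name so a renamed archive is not missed.
        _scan_zip(data, filename, 0, reasons)
    return Verdict(allowed=not reasons, reasons=reasons)


def build_zip(members: dict[str, bytes]) -> bytes:
    """Construct a ZIP in memory (used only to build the sample inputs below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments; placeholders, not real campaign artifacts.
LOADER_ZIP = build_zip({"invoice.bat": b"@echo off\r\nrem constructed placeholder\r\n"})
NESTED_ZIP = build_zip({"docs.zip": build_zip({"readme.txt": b"hi", "run.cmd": b"rem x"})})
CLEAN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 constructed", "notes.txt": b"ok"})

if __name__ == "__main__":
    for name, blob in [("invoice.zip", LOADER_ZIP), ("archive.zip", NESTED_ZIP),
                       ("report.zip", CLEAN_ZIP)]:
        v = screen_attachment(name, blob)
        print(name, "ALLOW" if v.allowed else "BLOCK", v.reasons)
```

The check is deliberately conservative: an encrypted member is treated as a block rather than an unknown, because a password-protected archive is exactly how a loader would evade content inspection, and the nesting and size limits keep a hostile archive from exhausting the gateway while it is being inflated.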