Crypto-Stealing Campaign Deploys MortalKombat Ransomware

October 9, 2023

A new financial fraud campaign has been spotted using a variant of the Xorist commodity ransomware “MortalKombat,” together with a variant of the Laplas Clipper malware.

The cyber-attacks reportedly aimed to steal cryptocurrency and mainly targeted victims in the United States, but also in the United Kingdom, Turkey and the Philippines.

“Leveraging cryptocurrency offers threat actors attractive benefits such as anonymity, decentralization, and lack of regulation, making it more challenging to track,” Cisco Talos wrote in a Tuesday advisory.

The company said it discovered the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port. The actor then used one of its download servers to run an RDP crawler and to facilitate MortalKombat ransomware deployments.

From a technical standpoint, the attacks seen as part of this campaign start with a phishing email, which initiates a multi-stage attack chain in which the actor delivers either malware or ransomware, then deletes evidence of their malicious presence on the infected machine.

“The malicious ZIP file attached to the initial phishing email contains a BAT loader script,” reads the advisory.

Once victims run the loader script, it downloads another malicious ZIP file from an attacker-controlled hosting server to the victim’s machine, inflates it automatically and executes the payload (the GO variant of Laplas Clipper malware or MortalKombat ransomware).

“The loader script will run the dropped payload as a process in the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers,” Cisco Talos wrote. 

To defend against this campaign, Cisco Talos encouraged companies to be careful while performing cryptocurrency transactions.


Erich Kron, a security awareness advocate at KnowBe4, shared Cisco Talos’ security recommendations, adding that organizations should focus on email phishing defenses.

“Many organizations still allow .ZIP files as attachments, yet may not have a reason for most employees to be able to send this type of file,” Kron told Infosecurity in an email. “Because these types of archive files are used regularly when trying to spread malware, disallowing them could significantly improve the ability to defend against these campaigns.”
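One way a mail gateway could act on the ZIP-attachment delivery described above, as an added example (not code from Cisco Talos or from the original article): it finds ZIP attachments in a message and lists script members such as the BAT loader. The extension list beyond `.bat`, the verdict strings, the function names and the sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .bat comes from the advisory; the other extensions are assumptions.
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js")

def zip_script_members(data):
    """Return script file names inside a ZIP, or None if it cannot be read."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return None

def inspect_message(raw):
    """Return (filename, verdict, script_members) for each ZIP attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Check magic bytes as well as the name so a renamed archive is still seen.
        if not (name.lower().endswith(".zip") or data[:4] == b"PK\x03\x04"):
            continue
        scripts = zip_script_members(data)
        if scripts is None:
            findings.append((name, "quarantine: unreadable archive", []))
        elif scripts:
            findings.append((name, "block: script inside archive", scripts))
        else:
            findings.append((name, "review: archive attachment", []))
    return findings

def build_sample(attachment_name, members):
    """Constructed test message with one ZIP attachment (not campaign data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, body in members.items():
            zf.writestr(member, body)
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "Payment details"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample("invoice.zip", {"invoice.bat": "echo sample"})))
```

Nested archives are not unpacked here, so a production filter would need to recurse or quarantine them.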

Phishing-based attacks were also at the center of a recent Cofense report, which suggested the use of Telegram bots as exfiltration destinations for phished information grew by 800% between 2021 and 2022.
