Since December 2022, Cisco Talos researchers have been observing an unidentified, financially motivated threat actor deploying two new malware families: the recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware.
The threat actor is scanning the internet for systems with an exposed remote desktop protocol (RDP) port 3389.
The similarities in code, class names, and registry key strings led the researchers to assess with high confidence that the MortalKombat ransomware belongs to the Xorist family.
The malware campaign is targeting individuals, small businesses, and large organizations with the end goal of stealing or demanding ransom payments in cryptocurrency.
Most of the victims are located in the U.S., but experts observed limited infections in the United Kingdom, Turkey, and the Philippines.
Threat actors use a multi-stage attack chain that begins with a phishing email with a ZIP attachment containing a BAT loader script.
“The initial infection vector is a phishing email in which the attackers impersonate CoinPayments, a legitimate global cryptocurrency payment gateway. Additionally, the emails have a spoofed sender email, “noreply[at]CoinPayments[.]net”, and the email subject “[CoinPayments[.]net] Payment Timed Out.”” reads the analysis published by Cisco Talos. “A malicious ZIP file is attached with a filename resembling a transaction ID mentioned in the email body, enticing the recipient to unzip the malicious attachment and view the contents, which is a malicious BAT loader.”
When the victim opens the script, it downloads another malicious ZIP file from a remote server and executes the payload, which is either the GO variant of the Laplas Clipper malware or the MortalKombat ransomware. The payload runs as a process on the victim's machine, and the attackers then delete the downloaded and dropped files to cover their tracks.
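The lure characteristics described above (a spoofed CoinPayments sender, the fixed "Payment Timed Out" subject, and a ZIP attachment named after a transaction ID from the body that carries a BAT loader) can be turned into a simple mail-gateway triage check. The following Python script is an added example written for this article, not code from Cisco Talos or the article's author; it constructs its own sample message in memory (the transaction ID, recipient and Return-Path domain are made up) and reports which lure traits it finds.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Lure traits taken from the article: spoofed CoinPayments sender, fixed
# subject line, ZIP attachment named like a transaction ID quoted in the
# body, and a BAT loader inside the archive.
LURE_SENDER_DOMAIN = "coinpayments.net"
LURE_SUBJECT = "[CoinPayments.net] Payment Timed Out"
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe"}


def build_sample_email(txid, inner_ext=".bat", spoofed=True):
    """Construct a message shaped like the lure (constructed sample, not a real one).

    txid is a made-up transaction ID; the archive holds a harmless placeholder file.
    """
    msg = EmailMessage()
    msg["From"] = "noreply@coinpayments.net"
    msg["To"] = "victim@example.invalid"          # constructed recipient
    msg["Subject"] = LURE_SUBJECT
    # A receiving MTA normally adds Return-Path; it is set here to simulate an
    # envelope sender that differs from the displayed From (hypothetical domain).
    msg["Return-Path"] = ("<bounce@mailer.invalid>" if spoofed
                          else "<noreply@coinpayments.net>")
    msg.set_content(f"Your payment {txid} has timed out. See the attached details.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(txid + inner_ext, "rem constructed placeholder, does nothing\r\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=txid + ".zip")
    return msg.as_bytes()


def triage(raw_bytes):
    """Return a list of finding tags for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", "")).lower()
    return_path = str(msg.get("Return-Path", "")).lower()
    # Displayed sender claims CoinPayments but the envelope sender does not.
    if LURE_SENDER_DOMAIN in from_hdr and LURE_SENDER_DOMAIN not in return_path:
        findings.append("spoofed-sender")
    if str(msg.get("Subject", "")).strip() == LURE_SUBJECT:
        findings.append("lure-subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part else ""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        # Attachment named after a transaction ID mentioned in the body.
        if stem and stem in body_text:
            findings.append("attachment-name-in-body")
        if ext.lower() != ".zip":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            # Only the member names are inspected; nothing is extracted or run.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in SCRIPT_EXTENSIONS:
                        findings.append("archive-script:" + member)
        except zipfile.BadZipFile:
            findings.append("corrupt-zip:" + name)
    return findings


if __name__ == "__main__":
    for tag in triage(build_sample_email("CPFX12345678")):
        print(tag)
```

The sender check compares the displayed From domain with the envelope Return-Path; on a real gateway you would also consult the SPF/DKIM/DMARC authentication results, which the article does not cover. The archive check reads only member names, so it never extracts or executes the loader.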
MortalKombat first appeared on the threat landscape in January 2023. It targets various files on the victim machine's filesystem, such as system, application, database, backup, and virtual machine files, as well as files in remote locations mapped as logical drives.
Unlike other ransomware families, MortalKombat did not show any wiper behavior or delete the volume shadow copies on the infected system. It corrupts Windows Explorer, removes applications and folders from Windows startup, and disables the Run command window, making the system inoperable.
The ransom note instructs the victim to contact the attacker through the qTOX instant messaging application.
Technical analysis of the malware, along with indicators of compromise (IoCs), is included in the report published by Talos.
(SecurityAffairs – hacking, ransomware)