Threat Insight: Talos Reports on Campaign From Unidentified Threat Actor
Cisco Talos reports that a financially motivated but unidentified threat actor has been deploying MortalKombat ransomware or Laplas Clipper malware.
Per the Talos report:
- MortalKombat is a novel ransomware, first observed by threat researchers in January 2023, with little known about its developers and operating model.
- Laplas Clipper is a relatively new clipboard stealer, first observed by threat researchers in November 2022. It belongs to the Clipper malware family, a group of malicious programs that specifically target cryptocurrency users. When the clipper finds a cryptocurrency wallet address in the clipboard, it sends that address to the clipper bot. In response, it receives an attacker-controlled wallet address that resembles the victim’s and overwrites the original address in the clipboard.
- Talos observed the actor scanning the internet for victim machines with an exposed Remote Desktop Protocol (RDP) port (3389), using one of its download servers, which runs an RDP crawler and also hosts MortalKombat ransomware.
- The initial infection vector is a phishing email in which the attackers impersonate CoinPayments, a legitimate global cryptocurrency payment gateway. The emails carry a spoofed sender address, “noreply[at]CoinPayments[.]net”, and the subject line “[CoinPayments[.]net] Payment Timed Out.”
- The attached malicious ZIP file has a filename resembling the transaction ID mentioned in the email body, enticing the recipient to unzip it and view its contents: a malicious BAT loader.
- When the victim opens the loader script, it downloads another malicious ZIP file from an attacker-controlled hosting server to the victim’s machine, automatically extracts it, and executes the payload, which is either the Go variant of Laplas Clipper or MortalKombat ransomware. The loader script runs the dropped payload as a process on the victim’s machine, then deletes the downloaded and dropped malicious files to remove the infection markers.
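The clipper behaviour described in the Laplas item above (a copied wallet address silently replaced by an attacker-controlled lookalike) can be checked for from the user's side by comparing what was copied with what the clipboard holds when it is next read. The following is an added example written for this page, not code from Talos, Kaseya or the Laplas authors; the address patterns, the "shared edges" scoring, the threshold and all sample addresses are this example's own assumptions and constructed values.

```python
import re

# Simplified wallet-address shapes for the two chains clippers most often target.
# These patterns are an assumption made for this example, not a complete validator.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return 'btc', 'eth', or None for a clipboard string."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def shared_edges(a, b):
    """Count the leading and trailing characters two different strings share.
    A lookalike address is built to match at exactly these edges, because that
    is where a person checks an address by eye."""
    prefix = 0
    for x, y in zip(a, b):
        if x != y:
            break
        prefix += 1
    suffix = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        suffix += 1
    return prefix, suffix


def judge_swap(copied, current, lookalike_threshold=6):
    """Compare the address the user copied with what the clipboard now holds.
    Returns None when there is nothing to judge, otherwise a finding dict."""
    copied, current = copied.strip(), current.strip()
    kind_copied, kind_current = classify_address(copied), classify_address(current)
    if kind_copied is None or kind_current is None or copied == current:
        return None
    prefix, suffix = shared_edges(copied, current)
    lookalike = prefix + suffix >= lookalike_threshold
    return {
        "kind": kind_copied,
        "same_chain": kind_copied == kind_current,
        "shared_prefix": prefix,
        "shared_suffix": suffix,
        # Substitution by a lookalike is the clipper's signature behaviour; an unrelated
        # address (little edge overlap) more likely means the user copied something else.
        "lookalike": lookalike,
        "verdict": "address swapped for lookalike" if lookalike else "address changed",
    }


class ClipboardWatcher:
    """Tracks the last value the user deliberately copied and judges later clipboard reads.
    In a real deployment, `user_copied` would hook the copy action and `poll` a periodic
    clipboard read from a GUI toolkit (assumption); here both are fed constructed strings."""

    def __init__(self):
        self.last_copied = None
        self.findings = []

    def user_copied(self, text):
        self.last_copied = text

    def poll(self, clipboard_now):
        if self.last_copied is None:
            return None
        finding = judge_swap(self.last_copied, clipboard_now)
        if finding:
            self.findings.append(finding)
        return finding


# Constructed sample values: a victim address and an attacker lookalike that keeps
# the first 10 and the last 3 characters of the original.
VICTIM_ADDRESS = "bc1qvictimwallet00000000000000000000abc"
LOOKALIKE_ADDRESS = "bc1qvictim" + "z" * 26 + "abc"

if __name__ == "__main__":
    watcher = ClipboardWatcher()
    watcher.user_copied(VICTIM_ADDRESS)
    print(watcher.poll(VICTIM_ADDRESS))     # None: clipboard untouched
    print(watcher.poll(LOOKALIKE_ADDRESS))  # finding with lookalike=True
```

The edge-overlap score is deliberately the only discriminator: a clipper that picks an address sharing the victim's prefix and suffix scores high, while a user copying a genuinely different address shares at most the chain's common prefix (such as `bc1q`) and stays below the threshold.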
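The phishing items above give a mail-gateway analyst three concrete things to look for together: a brand domain in the From header that does not authenticate, the lure subject, and a ZIP attachment named after an ID quoted in the body. The following is an added example, not detection code from Talos or Kaseya; it uses only the Python standard library, and the Authentication-Results parsing, the transaction-ID token shape and the constructed sample message are this example's assumptions.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Brand domain and lure subject taken from the summary above; the heuristics built
# around them are this example's assumptions, not Talos's detection logic.
IMPERSONATED_DOMAINS = {"coinpayments.net"}
LURE_SUBJECT = re.compile(r"payment timed out", re.I)


def parse_auth_results(header):
    """Extract spf=/dkim=/dmarc= verdicts from an Authentication-Results header."""
    verdicts = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I):
        verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def sender_domain(from_header):
    """Domain part of the first address in a From header, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header or "")
    return m.group(1).lower() if m else ""


def analyze_message(raw):
    """Return sorted finding tags for one RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = set()
    domain = sender_domain(msg["From"])
    auth = parse_auth_results(msg["Authentication-Results"])
    # A brand domain in From: that passes neither SPF nor DKIM matches the spoofing
    # pattern described above.
    if domain in IMPERSONATED_DOMAINS and auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.add("brand-sender-without-auth")
    if LURE_SUBJECT.search(msg["Subject"] or ""):
        findings.add("known-lure-subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    # Candidate transaction IDs in the body: long upper-case alphanumeric tokens (assumption).
    body_ids = set(re.findall(r"\b[A-Z0-9]{8,}\b", body))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "zip":
            findings.add("zip-attachment")
        if stem.upper() in body_ids:
            findings.add("attachment-named-after-body-id")
    return sorted(findings)


def build_sample_lure(spf="fail", dkim="none", attach=True):
    """Construct a message shaped like the lure in the summary (constructed data, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "CoinPayments <noreply@CoinPayments.net>"
    msg["To"] = "user@example.test"
    msg["Subject"] = "[CoinPayments.net] Payment Timed Out"
    # Verdicts a receiving MTA would stamp on the message; they are parameters so the
    # example can show both the spoofed case and a legitimately authenticated one.
    msg["Authentication-Results"] = (
        f"mx.example.test; spf={spf} smtp.mailfrom=coinpayments.net; dkim={dkim}"
    )
    msg.set_content("Your payment for transaction CPAB7F3D9E21 timed out. The receipt is attached.")
    if attach:
        # A four-byte ZIP signature plus padding stands in for the loader archive.
        msg.add_attachment(b"PK\x03\x04" + b"\x00" * 12, maintype="application",
                           subtype="zip", filename="CPAB7F3D9E21.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze_message(build_sample_lure()))
    print(analyze_message(build_sample_lure(spf="pass", dkim="pass", attach=False)))
```

Each tag on its own is weak evidence (plenty of legitimate mail carries ZIPs, and SPF fails on forwarded mail), so a rule built on this would act on the combination, for instance quarantining when the brand-without-auth tag appears together with either of the attachment tags.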
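The loader sequence in the last item (a BAT script that connects out, drops a ZIP, extracts a payload, runs it, then deletes the dropped files) is a chain an endpoint sensor can reconstruct from ordinary process, file and network telemetry. The following is an added example, not Talos's or Kaseya's detection content: the event schema is a simplified, Sysmon-like shape assumed for this example, and every path, pid and address in the sample events is constructed.

```python
import ntpath

# Loader stages in the order the summary describes them.
STAGES = ("bat-launched", "outbound-connection", "archive-dropped",
          "payload-extracted", "payload-executed", "cleanup")
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1"}


def trace_loader_chains(events):
    """Group process/file/network events by the shell that launched a .bat file and record,
    in order of first occurrence, which loader stages that shell (or its children) went through.
    Event schema (assumed for this example): dicts with 't', 'type' in
    {process, network, file_create, file_delete}, 'pid', and for processes 'ppid', 'image', 'cmdline'."""
    chains = {}
    for e in sorted(events, key=lambda ev: ev["t"]):
        kind = e["type"]
        if kind == "process" and ".bat" in e.get("cmdline", "").lower():
            chains[e["pid"]] = {"stages": ["bat-launched"], "archives": set(), "payloads": set()}
            continue
        # File and network events belong to the shell's own pid; child processes link via ppid.
        chain = chains.get(e.get("ppid")) if kind == "process" else chains.get(e.get("pid"))
        if chain is None:
            continue
        stage = None
        if kind == "network":
            stage = "outbound-connection"
        elif kind == "file_create":
            ext = ntpath.splitext(e["path"])[1].lower()
            if ext == ".zip":
                chain["archives"].add(e["path"])
                stage = "archive-dropped"
            elif ext in EXECUTABLE_EXTS and chain["archives"]:
                # An executable written after an archive was dropped is treated as extracted.
                chain["payloads"].add(e["path"])
                stage = "payload-extracted"
        elif kind == "process" and e["image"] in chain["payloads"]:
            stage = "payload-executed"
        elif kind == "file_delete" and e["path"] in chain["archives"] | chain["payloads"]:
            stage = "cleanup"
        if stage and stage not in chain["stages"]:
            chain["stages"].append(stage)
    return chains


def loader_alerts(events, min_stages=4):
    """Pids of .bat-running shells whose chains reached at least `min_stages` loader stages."""
    return [pid for pid, c in trace_loader_chains(events).items() if len(c["stages"]) >= min_stages]


# Constructed telemetry for one infection following the described sequence.
TMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"t": 1, "type": "process", "pid": 100, "ppid": 40, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\Downloads\CPAB7F3D9E21\CPAB7F3D9E21.bat"'},
    {"t": 2, "type": "network", "pid": 100, "dest": "203.0.113.10:80"},
    {"t": 3, "type": "file_create", "pid": 100, "path": TMP + r"\stage2.zip"},
    {"t": 4, "type": "file_create", "pid": 100, "path": TMP + r"\stage2\update.exe"},
    {"t": 5, "type": "process", "pid": 101, "ppid": 100, "image": TMP + r"\stage2\update.exe",
     "cmdline": "update.exe"},
    {"t": 6, "type": "file_delete", "pid": 100, "path": TMP + r"\stage2.zip"},
    {"t": 7, "type": "file_delete", "pid": 100, "path": TMP + r"\stage2\update.exe"},
]

# Constructed benign activity: a backup script that also runs from cmd.exe and writes a ZIP.
BENIGN_EVENTS = [
    {"t": 1, "type": "process", "pid": 200, "ppid": 40, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Scripts\backup.bat"'},
    {"t": 2, "type": "file_create", "pid": 200, "path": r"C:\Backups\2023-02-14.zip"},
    {"t": 3, "type": "process", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": "robocopy C:\\Data C:\\Backups /MIR"},
]

if __name__ == "__main__":
    for pid, chain in trace_loader_chains(SAMPLE_EVENTS + BENIGN_EVENTS).items():
        print(pid, chain["stages"])
    print("alerts:", loader_alerts(SAMPLE_EVENTS + BENIGN_EVENTS))
```

Requiring several stages in sequence, rather than alerting on any one of them, is what keeps the backup script out of the alert list: it launches from a .bat and writes a ZIP, but never connects out, never spawns something it extracted, and never cleans up after itself.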
-- Kaseya Threat Management Team