U.S. organizations have fallen victim to the new MortalKombat ransomware

    Numerous organizations in the US, UK, Turkey and the Philippines have been targeted by a new ransomware program that cybersecurity researchers have dubbed MortalKombat.

    Cisco Talos experts are tracking an unknown group that deployed MortalKombat and also developed a new cryptocurrency-stealing malware called Laplas Clipper. Most of the victims of the campaign were in the US. Cisco researchers linked two URLs to the campaign, one of which leads to a C2 server in Poland.

    MortalKombat was first discovered in January 2023, and nothing is known about its developers or operating model at this time. According to analysts, the name of the ransomware and the wallpaper it drops on the victim system are references to the Mortal Kombat media franchise.

    The ransomware encrypts various files on the victim's system:

    • system files;
    • application files;
    • database files, backups and virtual machines;
    • files in remote locations that appear as logical drives.

    According to the Cisco Talos report, the ransomware group scans the Internet for organizations that have left RDP (Remote Desktop Protocol) open. As a result, the victims of the attacks have included individuals, small businesses and large organizations.

    Other attacks in the campaign start with phishing emails that carry a ZIP archive. When the archive is opened, Laplas Clipper malware or MortalKombat ransomware is deployed and then removed to cover the attackers' tracks and make analysis difficult.

    In one email, the hackers posed as the cryptocurrency platform CoinPayments. The attached ZIP archive purportedly contained information about a specific transaction, prompting the victim to open it. When the archive is opened, MortalKombat starts, changes the wallpaper of the victim's computer, crashes Windows Explorer, and removes some applications.

    Code similarity, among other overlaps, indicates that the ransomware belongs to the Xorist family, which has existed since 2010, the researchers said. Xorist is easy to customize, which allows cybercriminals to create new variants with different names, file extensions, and ransom notes.

    Along with MortalKombat, researchers found Laplas Clipper malware, which they previously identified in a November 2022 attack. Unlike standard clippers, which simply change the recipient's copied wallet address to the attacker's, Laplas Clipper uses an address very similar to the one the user copied. This process takes place on the attacker's server, so the exact mechanism remains unknown.
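The following Python check is an added example, not code from the article or from the Cisco Talos report. It shows how a defender could flag the look-alike substitution described above by comparing the address a user copied with the one about to be pasted. The address patterns, function names and sample addresses are constructed assumptions.

```python
import re

# Simplified address shapes (assumption: shape only, no checksum validation).
# Value = (pattern, length of the fixed prefix every address of that family shares).
FAMILIES = {
    "eth": (re.compile(r"0x[0-9a-fA-F]{40}"), 2),
    "btc-bech32": (re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"), 3),
    "btc-base58": (re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"), 1),
}

def address_family(text):
    """Return the family name `text` looks like, or None if it is not an address."""
    for name, (shape, _) in FAMILIES.items():
        if shape.fullmatch(text):
            return name
    return None

def common_prefix_len(a, b):
    """Number of leading characters two strings have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def classify_clipboard_change(copied, pasted, min_shared=4):
    """Compare what the user copied with what is about to be pasted."""
    copied, pasted = copied.strip(), pasted.strip()
    family = address_family(copied)
    if family is None:
        return "not-an-address"
    if family == "eth":  # hex addresses differ only in checksum casing
        copied, pasted = copied.lower(), pasted.lower()
    if copied == pasted:
        return "unchanged"
    if address_family(pasted) != family:
        return "plain-swap"  # replaced by something of another kind
    fixed = FAMILIES[family][1]  # do not count the prefix all addresses share
    head = max(0, common_prefix_len(copied, pasted) - fixed)
    tail = common_prefix_len(copied[::-1], pasted[::-1])
    # A replacement that keeps the visible start/end is the look-alike pattern.
    return "lookalike-swap" if head + tail >= min_shared else "plain-swap"

# Constructed sample values, not real wallets.
COPIED = "0x52a1" + "c9d3e4f5061728394a5b6c7d8e9f0a1b" + "7e3c"
LOOKALIKE = "0x52a1" + "7b0c11d2e3f4a5b6c7d8e9f0a1b2c3d4" + "7e3c"
UNRELATED = "0x9f8e7d6c5b4a39281706f5e4d3c2b1a098765432"
```

Either swap verdict means the clipboard was altered between copy and paste; the look-alike verdict is the case that a quick glance at the first and last characters of the address would miss.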

    At the end of October, the number of Laplas Clipper samples rose from 20 to 55 per day in about a week. The researchers then concluded that Laplas Clipper is distributed through Smoke Loader and Raccoon Stealer, which indicates the increased attention of the cybercriminal community to this program. The developers of MortalKombat and Laplas Clipper have stated on Telegram that they are making new variants of Laplas Clipper and plan to release updates in the coming months.

    Author DeepWeb