Malware Activity
MortalKombat Ransomware and Laplas Clipper Malware Observed in New Campaign
A new financially motivated campaign that deploys the emerging "MortalKombat" ransomware and a Golang variant of the "Laplas" clipper malware has been identified. The campaign, first discovered in December 2022, has targeted individuals as well as small and large organizations, primarily in the United States but also in the United Kingdom, Turkey, and the Philippines. Researchers also noted that the currently unidentified actor behind the campaign has been observed "scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389" through an RDP crawler on a downloaded server. The attack chain begins with a phishing email containing a malicious ZIP file and a cryptocurrency-themed lure impersonating a popular cryptocurrency payment gateway. The ZIP contains a BAT loader script that downloads a second ZIP file from an attacker-controlled hosting server and executes the payload, which is either the ransomware or the clipper malware; all evidence of the malicious files is then deleted. MortalKombat was first discovered in January 2023 and has been observed encrypting files on victim machines' filesystems (including system, application, database, virtual machine, and backup files) as well as on remote locations mapped as logical drives. The researchers emphasized that there was no indication of wiper behavior or the deletion of large volume shadow copies in the observed instances. Through source code analysis, the researchers determined that MortalKombat shares similarities with the Xorist ransomware family. Xorist first appeared in 2010 and has since evolved into several variants through the use of ransomware builders. Laplas, first identified in November 2022, is a stealer malware that targets cryptocurrency users by "employing regular expressions to monitor the victim machine's clipboard for their cryptocurrency wallet address."
A look-alike wallet address is created, and the victim's address is then overwritten. CTIX analysts urge users to stay vigilant when conducting cryptocurrency transactions and ensure their systems remain up to date with the latest security updates. A technical analysis as well as indicators of compromise (IOCs) can be viewed in the articles linked below.
- The Hacker News: MortalKombat/Laplas Campaign Article
- Cisco Talos: MortalKombat/Laplas Campaign Report
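The clipper technique described above (regex-matching wallet addresses in the clipboard, then swapping in a look-alike that shares leading and trailing characters so a glance-check passes) can be checked for from the user's side by comparing what was copied with what actually lands in the clipboard before a transaction is sent. The following is an added example written for this bulletin, not code from Talos or from the campaign itself; the address patterns, the look-alike heuristic, and the sample clipboard events are all constructed for illustration.

```python
import re

# Address-format patterns (constructed for this example). A clipper watches the
# clipboard with patterns of this kind; a defender can use the same patterns to
# know when a clipboard value deserves to be verified.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(value):
    """Return the address family a string matches, or None for non-address text."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return name
    return None


def looks_alike(expected, observed, edge=4):
    """True when two *different* addresses share their first and last `edge`
    characters, the property a clipper relies on to defeat a quick visual check."""
    if expected == observed:
        return False
    return expected[:edge] == observed[:edge] and expected[-edge:] == observed[-edge:]


def check_paste(copied, pasted):
    """Compare the value the user copied with the value read back from the
    clipboard. Non-address text is ignored; a changed address is flagged, with a
    note on whether the substitute is a look-alike."""
    kind = classify_address(copied)
    if kind is None:
        return {"status": "ignored", "reason": "copied text is not a wallet address"}
    if pasted == copied:
        return {"status": "ok", "kind": kind}
    return {
        "status": "tampered",
        "kind": kind,
        "copied": copied,
        "pasted": pasted,
        "look_alike": looks_alike(copied, pasted),
    }


def scan_events(events):
    """Run check_paste over (copied, pasted) pairs and return only the tampered ones."""
    return [v for v in (check_paste(c, p) for c, p in events) if v["status"] == "tampered"]


# Constructed sample addresses: the "swapped" ETH address keeps the first four and
# last four characters of the expected one but differs in the middle.
ETH_EXPECTED = "0x" + "C0FFEE" + "0" * 32 + "AB"
ETH_SWAPPED = "0x" + "C0FFEE" + "1" * 30 + "00AB"
BTC_EXPECTED = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"

# Constructed clipboard events as (what the user copied, what the clipboard held
# when the user pasted).
SAMPLE_EVENTS = [
    (ETH_EXPECTED, ETH_SWAPPED),        # silently replaced with a look-alike
    (BTC_EXPECTED, BTC_EXPECTED),       # unchanged, as it should be
    ("meeting notes", "meeting notes"), # not an address; not of interest
]

if __name__ == "__main__":
    for verdict in scan_events(SAMPLE_EVENTS):
        print(verdict)
```

Running the block prints a single tampered verdict for the ETH pair, with `look_alike` set to `True`. The useful part for an analyst is the comparison itself: a clipboard value that changes between copy and paste, without any user action, is the observable behavior of this malware family regardless of the specific address pattern it targets.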
Threat Actor Activity
Threat Profile: WIP26
A cluster of threat actors classified as WIP26 has been conducting extensive cyberespionage campaigns against Middle Eastern telecommunications companies. WIP26 threat actors have abused several cloud technologies (Google Firebase, Dropbox, Microsoft Azure) in previous attacks, covering malware delivery, data exfiltration, and command-and-control (C2) communications between the compromised asset(s) and the threat actors. Intrusions in this campaign originate from socially engineered WhatsApp messages sent to telecommunications employees. Within these messages, the threat actors include a seemingly trustworthy Dropbox URL claiming to contain documentation on poverty levels throughout the region. Alongside these documents, a malware loader masquerades as the Wondershare PDFelement application. The loader deploys the CMD365 backdoor to the compromised system, which uses a Microsoft 365 instance as its C2 channel. CMDEmber is deployed in parallel with CMD365 and is capable of gathering system information and exfiltrating it to threat actor endpoints. WIP26 is expected to continue adjusting its tactics and techniques to further disguise its espionage efforts in the coming months. CTIX analysts continue to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
CISA Adds Critical iOS Zero-day to the KEV
The Cybersecurity and Infrastructure Security Agency (CISA) has added an actively exploited critical Apple iOS zero-day vulnerability to its Known Exploited Vulnerabilities (KEV) catalog this week. If exploited, this flaw could allow malicious threat actors to execute arbitrary code on vulnerable devices. The vulnerability affects certain models of the iPhone, iPad Air, iPad Pro, and iPad Mini. The flaw, tracked as CVE-2023-23529, can be exploited by threat actors through social engineering attacks: an attacker could send the victim a phishing link via email, SMS, messaging applications, or an embedded QR code. If a threat actor were able to trick the victim into granting initial access to the vulnerable device, they could then execute arbitrary code that downloads malware, giving the threat actor complete control of the device and the user's data. This vulnerability's presence on the KEV means that all non-military Federal Civilian Executive Branch (FCEB) agencies with vulnerable iOS devices have until March 7, 2023, to patch the flaw with the latest iOS update, or risk being fined by regulators. CTIX analysts recommend that any readers with vulnerable devices ensure that they are running the most recent secure version of iOS.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the FLASH Team (flash@ankura.com) if additional context is needed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.