A New Financial Fraud Campaign Leveraging Xorist Ransomware and Laplas Clipper Malware
A recently identified financial fraud campaign pairs a variant of the Xorist commodity ransomware, known as "MortalKombat," with a variant of the Laplas Clipper malware, a clipboard hijacker that silently swaps a cryptocurrency wallet address the victim has copied for one controlled by the attacker. The attacks primarily targeted victims in the United States, with further victims in the United Kingdom, Turkey, and the Philippines.
According to a Tuesday advisory from Cisco Talos, the threat actors behind this campaign aimed to steal cryptocurrency from their victims. Cryptocurrency is an attractive target for cybercriminals because transactions are pseudonymous, irreversible, and settled outside regulated intermediaries, which makes stolen funds hard to trace and almost impossible to recover.
Alongside the phishing lure, Talos observed that the attacker-controlled download server hosting the payloads also ran an RDP crawler that scanned the internet for machines with exposed Remote Desktop Protocol (RDP) ports (TCP 3389 by default). Internet-exposed RDP gives the actors a second route onto a machine and a well-worn way to deploy the MortalKombat ransomware.
Technically, the attacks began with a phishing email that triggered a multi-stage attack chain. The email carried a malicious ZIP file containing a BAT loader script. When the victim ran it, the loader downloaded a second malicious ZIP file from an attacker-controlled server, unpacked it, and executed the payload, which was either the Laplas Clipper malware or the MortalKombat ransomware.
After launching the payload, the loader script deleted every file it had downloaded or dropped, removing on-disk evidence of the infection. Cleaning up infection markers this way makes it harder for security teams to reconstruct the intrusion from the file system alone; what remains observable is the running payload itself, the outbound connection the loader made to the download server, and the process-creation and file-deletion events recorded by endpoint telemetry, which is where detection and response have to start.
In light of this campaign, Cisco Talos advised organizations to exercise caution when engaging in cryptocurrency transactions. Erich Kron, a security awareness advocate at KnowBe4, echoed these sentiments, emphasizing the importance of strengthening email phishing defenses.
“Many organizations still allow .ZIP files as attachments, yet may not have a reason for most employees to be able to send this type of file,” Kron explained. “Disallowing these archive files could significantly enhance defenses against malicious campaigns like this.”
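Both the attack chain above (a ZIP attachment carrying a BAT loader) and Kron's suggestion to disallow archive attachments point at the same control: inspect attachment content rather than trusting the file name. The Python below is an added example, not code from the Talos advisory or from KnowBe4. It identifies ZIP attachments by their magic bytes, so an archive renamed to `.pdf` is still caught, lists members with script or executable extensions, recurses into nested archives, and flags encrypted members that cannot be scanned. The sample message, its sender, subject and attachment names are all constructed for the demonstration, and the `.bat` body is a harmless placeholder, not the campaign's loader.

```python
"""Content-based inspection of e-mail attachments for ZIP archives that
carry script loaders. Added example; the e-mail, sender, file names and
script body are constructed for the demonstration."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# A ZIP starts with a local file header or, for an empty archive, the
# end-of-central-directory record. Matching bytes rather than the file
# extension catches archives renamed to look like documents.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")

# Members that execute a loader as soon as the victim double-clicks them.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf",
               ".ps1", ".exe", ".scr", ".lnk", ".hta"}

# Nested archives are inspected up to this many levels down.
MAX_DEPTH = 2


def is_zip(data: bytes) -> bool:
    return data[:4] in ZIP_MAGIC


def inspect_zip(data: bytes, depth: int = 0) -> list:
    """Return (member path, reason) findings for one archive, recursing
    into nested archives up to MAX_DEPTH."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "malformed zip, cannot be scanned")]
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        ext = os.path.splitext(name.lower())[1]
        if ext in SCRIPT_EXTS:
            findings.append((name, f"script or executable member ({ext})"))
        if info.flag_bits & 0x1:
            # Bit 0 of the general-purpose flag marks an encrypted member;
            # password-protected archives defeat content scanning entirely.
            findings.append((name, "encrypted member, cannot be scanned"))
            continue
        member = zf.read(name)
        if is_zip(member):
            if depth >= MAX_DEPTH:
                findings.append((name, "nested archive beyond scan depth"))
            else:
                findings.extend((f"{name}/{n}", r)
                                for n, r in inspect_zip(member, depth + 1))
    return findings


def inspect_message(raw: bytes) -> list:
    """Parse an RFC 822 message and return one (attachment name, findings)
    entry per attachment whose bytes are a ZIP archive, whatever the
    declared file name or MIME type says."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if is_zip(payload):
            results.append((part.get_filename() or "<unnamed>",
                            inspect_zip(payload)))
    return results


def build_sample_message() -> bytes:
    """Constructed lure: a ZIP renamed to .pdf that contains a second ZIP
    holding a .bat file. Names and script body are invented placeholders."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payment_details.bat", "@echo off\r\necho placeholder\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("payment_details.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # invented sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Payment notification"
    msg.set_content("Please review the attached payment details.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="pdf", filename="payment_details.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in inspect_message(build_sample_message()):
        print(f"{name}: ZIP archive despite its name and MIME type")
        for member, reason in findings:
            print(f"  {member}: {reason}")
```

Run stand-alone, the script reports the `.pdf` attachment as an archive and lists `payment_details.zip/payment_details.bat` as a script member. The same logic drops into a mail-gateway hook or a SOAR enrichment step; the point of the magic-byte check is that a policy which only blocks the `.zip` extension is bypassed by renaming the file, and the encrypted-member branch is there because password-protected archives are the usual way attackers get past content scanning, so they should be quarantined, not waved through.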
Phishing-based attacks have been on the rise, with a recent report from Cofense highlighting an 800% increase in the use of Telegram bots as exfiltration destinations for phished information between 2021 and 2022.