Security researchers have discovered a new ransomware attack trying to conduct attacks on large corporate networks of medical labs, banks, manufacturers, and software developers in Russia.
The ransomware gang known as “OldGremlin” is believed to be a Russian-speaking threat actor. It was linked to a series of campaigns at least since March, including a successful attack against a clinical diagnostics laboratory that occurred last month.
According to Singaporean cybersecurity firm Group-IB, the group has targeted only Russian companies which was typical for many Russian-speaking adversaries, such as Silence and Cobalt, at the beginning of their criminal path.
After testing in Russia, these groups then switched to other places to avoid being caught by the victim country’s police force.
The modus operandi of OldGremlin includes using custom backdoors — such as TinyNode and TinyPosh to download additional payloads. Their main aim is to encrypt files in the infected system using TinyCryptor ransomware (aka decr1pt) and holding it hostage for about $50,000.
Besides, the gang attained an initial foothold on the network using a phishing email sent on behalf of Russia’s RBC Group, a Moscow-based major media group, having the subject “Invoice”.
The message says that they are unable to contact the victim’s colleague concerning an urgent bill payment along with a malicious link to pay the bill which when clicked, downloads the TinyNode malware.
On getting into the system, the threat actor uses remote access to the infected computer, leveraging it to laterally move across the network via Cobalt Strike and collect authentication data of the domain administrator.
The cyber criminals were also found using COVID-themed phishing mails to financial enterprises that was disguised as a Russian microfinance organization to deliver the TinyPosh Trojan.
Another separate wave of the campaign was detected on August 19, when the cybercriminals sent out spear-phishing messages exploiting the ongoing protests in Belarus decrying the government.
In total it has been found that OldGremlin was behind nine campaigns between May and August.
According to Oleg Skulkin, a senior digital forensics analyst at Group-IB, the distinct characteristics of OldGremlin is their fearlessness to work in Russia. It shows that the attackers are either improving their techniques from home advantage before going global or they are representatives of some of Russia’s neighbors who speaks Russian.
Image Credits : CSO