'you can be sure that video calls will work across platforms with no problem'

Open-Source App, So Get Involved

Like all of Wire's apps and services, the Linux beta client is totally open source. You can inspect the code on GitHub, report issues or bugs, or get involved in the development of the product.

Wire say that "Linux users deserve the same great user experience and guaranteed privacy of mainstream apps and operating systems, if for no other reason than simply because they are not any less important than users of other operating systems."

"While many other platforms have neglected Linux for other operating systems, Wire sees this community of early adapters and savvy consumers as a huge asset to their product."

Wire for Linux beta is currently available for Ubuntu 16.04 LTS or later, and is 64-bit only. Support for other distributions is, the company say, planned for the near future. We'll take a closer look at the Wire for Linux beta in a separate article, so keep an eye out for it.

Since December 2022, Cisco Talos has been observing an unidentified actor deploying two relatively new threats, the recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims.

Talos observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389, using one of their download servers, which runs an RDP crawler and also serves the MortalKombat ransomware.

Based on Talos' analysis of similarities in code, class names, and registry key strings, Talos assesses with high confidence that the MortalKombat ransomware belongs to the Xorist family.

Talos continues to see attack campaigns targeting individuals, small businesses, and large organizations that aim to steal cryptocurrency or demand ransom payments in it. Cryptocurrency offers threat actors attractive benefits such as anonymity, decentralization, and a lack of regulation, which make payments harder to trace.

Talos recommends that users and organizations be meticulous about the recipient's wallet address while performing cryptocurrency transactions. Talos also encourages updating computers with the latest security updates, implementing robust endpoint protection solutions with behavioral detection capabilities, and maintaining tested, offline backups for endpoints with a reasonable restoration time in the event of a ransomware attack.

Multi-stage attack chain delivers malware or ransomware and removes infection markers

A typical infection in this campaign begins with a phishing email and kicks off a multi-stage attack chain in which the actor delivers either malware or ransomware, then deletes evidence of the malicious files, covering their tracks and complicating analysis. The malicious ZIP file attached to the initial phishing email contains a BAT loader script. When a victim opens the loader script, it downloads another malicious ZIP file from an attacker-controlled hosting server to the victim's machine, inflates it automatically, and executes the payload, which is either the GO variant of Laplas Clipper malware or MortalKombat ransomware. The loader script runs the dropped payload as a process on the victim's machine, then deletes the downloaded and dropped malicious files to clean up the infection markers.

Infection summary flow diagram.

Cryptocurrency-themed email lure used as initial infection vector

The initial infection vector is a phishing email in which the attackers impersonate CoinPayments, a legitimate global cryptocurrency payment gateway. The emails carry a spoofed sender address, noreply[at]CoinPayments[.]net, and the subject "[CoinPayments.net] Payment Timed Out". A malicious ZIP file is attached with a filename resembling a transaction ID mentioned in the email body, enticing the recipient to unzip the attachment and view its contents, which is the malicious BAT loader.
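The download, run, clean-up sequence of the BAT loader described under "Multi-stage attack chain" above is a detectable shape in endpoint telemetry even without file hashes. The following is an added example of that detection logic, not code from the Talos report; it assumes a simple one-event-per-line format of ';'-separated key=value pairs modelled on Sysmon event IDs 1 (ProcessCreate), 11 (FileCreate) and 23 (FileDelete), and every sample event, path, PID and file name in it is constructed for illustration.

```python
"""Flag a cmd.exe running a .bat that downloads a ZIP, launches a non-system
executable, and then deletes those artifacts (download -> run -> clean-up).

Added example, not the Talos report's code. Event format is an assumption:
one event per line, ';'-separated key=value pairs loosely modelled on Sysmon
event IDs 1 (ProcessCreate), 11 (FileCreate) and 23 (FileDelete). The sample
telemetry below is constructed; paths, PIDs and names are invented.
"""
import re
from dataclasses import dataclass, field

PROCESS_CREATE, FILE_CREATE, FILE_DELETE = "1", "11", "23"

# Constructed sample telemetry: one loader chain (PID 4312) plus a benign batch
# job (PID 5000) that also writes a ZIP but never launches or deletes anything.
SAMPLE_EVENTS = [
    r"EventID=1;ProcessId=4312;ParentProcessId=2200;Image=C:\Windows\System32\cmd.exe;"
    r'CommandLine=cmd.exe /c "C:\Users\victim\AppData\Local\Temp\Temp1_invoice.zip\invoice.bat"',
    r"EventID=11;ProcessId=4312;TargetFilename=C:\Users\victim\AppData\Local\Temp\stage2.zip",
    r"EventID=1;ProcessId=4400;ParentProcessId=4312;Image=C:\Windows\System32\tar.exe;"
    r"CommandLine=tar -xf C:\Users\victim\AppData\Local\Temp\stage2.zip",
    r"EventID=1;ProcessId=4420;ParentProcessId=4312;Image=C:\Users\victim\AppData\Local\Temp\payload.exe;"
    r"CommandLine=payload.exe",
    r"EventID=23;ProcessId=4312;TargetFilename=C:\Users\victim\AppData\Local\Temp\stage2.zip",
    r"EventID=23;ProcessId=4312;TargetFilename=C:\Users\victim\AppData\Local\Temp\payload.exe",
    r"EventID=1;ProcessId=5000;ParentProcessId=2200;Image=C:\Windows\System32\cmd.exe;"
    r"CommandLine=cmd.exe /c C:\tools\backup.bat",
    r"EventID=11;ProcessId=5000;TargetFilename=C:\backups\daily.zip",
]


@dataclass
class LoaderChain:
    """State tracked for one cmd.exe instance that is executing a .bat file."""
    bat: str
    zips: set = field(default_factory=set)      # archives the script wrote to disk
    payloads: set = field(default_factory=set)  # non-system executables it launched
    deleted: set = field(default_factory=set)   # archives/payloads it later removed


def parse_event(line):
    """Split 'k=v;k=v' into a dict; a value keeps any '=' after the first one."""
    return dict(part.split("=", 1) for part in line.split(";"))


BAT_PATH = re.compile(r'([a-z]:\\[^"]*?\.bat)')


def find_loader_chains(lines):
    """Return [(pid, LoaderChain)] for each .bat-running cmd.exe that wrote a ZIP,
    started a non-system executable, and deleted at least one of those files."""
    chains = {}
    for line in lines:
        ev = parse_event(line)
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == PROCESS_CREATE:
            image = ev["Image"].lower()
            cmd = ev.get("CommandLine", "").lower()
            ppid = ev.get("ParentProcessId")
            if image.endswith("\\cmd.exe") and ".bat" in cmd:
                m = BAT_PATH.search(cmd)
                chains[pid] = LoaderChain(bat=m.group(1) if m else cmd)
            elif ppid in chains and image.endswith(".exe") and not image.startswith("c:\\windows\\"):
                # a child that is not a Windows binary (tar.exe, powershell.exe are skipped)
                chains[ppid].payloads.add(ev["Image"])
        elif eid == FILE_CREATE and pid in chains and ev["TargetFilename"].lower().endswith(".zip"):
            chains[pid].zips.add(ev["TargetFilename"])
        elif eid == FILE_DELETE and pid in chains:
            target = ev["TargetFilename"]
            if target in chains[pid].zips or target in chains[pid].payloads:
                chains[pid].deleted.add(target)
    return [(pid, c) for pid, c in chains.items() if c.zips and c.payloads and c.deleted]


if __name__ == "__main__":
    for pid, chain in find_loader_chains(SAMPLE_EVENTS):
        print(f"PID {pid}: {chain.bat} wrote {sorted(chain.zips)}, ran {sorted(chain.payloads)}, "
              f"deleted {sorted(chain.deleted)}")
```

Only PID 4312 is reported: the backup job writes a ZIP but never launches a payload or deletes anything, and the tar.exe child under C:\Windows is not counted as a payload. Real telemetry needs the same logic keyed on process GUIDs rather than reused PIDs, and the deletion stage is what separates this chain from ordinary installer scripts.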
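Talos' advice above to be meticulous about the recipient's wallet address is aimed at the clipper half of this campaign: a clipper replaces the address on the clipboard, so the address that lands in the transaction field is the one to check. The block below is an added example of that check, not code from the Talos report or from Laplas Clipper. It validates legacy base58check Bitcoin addresses (an assumption: bech32 addresses use a different encoding and are out of scope here) and compares the pasted address byte-for-byte with the intended one; the well-known genesis-block address is used as the "intended" address and every other address or payload in it is constructed.

```python
"""Base58Check decode/encode plus a full-string comparison of the intended and
pasted destination address, applied before a payment is sent.

Added example, not code from the Talos report or the Laplas Clipper. Scope is
an assumption: legacy base58check addresses only (no bech32). GENESIS is the
well-known Bitcoin genesis-block address; every other address or payload used
here is constructed for illustration.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # well-known genesis-block address


def _checksum(body):
    """First 4 bytes of double-SHA256, the base58check integrity check."""
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]


def b58check_encode(version, payload):
    """Encode version byte + payload + checksum as a base58check string."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58_ALPHABET[r] + digits
    # each leading zero byte is carried as a leading '1' character
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58check_decode(addr):
    """Return (version, payload) or None if addr is not valid base58check."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:  # character outside the alphabet (0, O, I, l, ...)
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[0], raw[1:-4]


def check_destination(intended, pasted, expected_versions=(0x00, 0x05)):
    """Verdict on the address that ended up in the transaction field.

    'match'   - pasted equals the intended address and decodes cleanly
    'invalid' - not well-formed base58check, or an unexpected version byte
                (0x00 P2PKH / 0x05 P2SH on Bitcoin mainnet are accepted)
    'swapped' - a valid address, but not the one the user meant to pay
    """
    decoded = b58check_decode(pasted)
    if decoded is None or decoded[0] not in expected_versions:
        return "invalid"
    return "match" if pasted == intended else "swapped"


if __name__ == "__main__":
    # constructed: a validly encoded address standing in for an attacker's swap
    other = b58check_encode(0x00, bytes(range(20)))
    for pasted in (GENESIS, other, GENESIS[:10] + "x" + GENESIS[11:]):
        print(pasted, "->", check_destination(GENESIS, pasted))
```

The comparison is deliberately on the whole string: clippers commonly choose a replacement address that shares the first and last few characters with the original, so eyeballing the ends of the address, which is what most people do, is not a reliable check. A valid checksum on its own proves nothing either, since the attacker's address is a perfectly well-formed one; only equality with the address obtained out of band catches the swap.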