March 25, 2023

A Russian-speaking ransomware group called OldGremlin involved in numerous campaigns targeting the organization that are operating in Eurasian nation.

There are very few cybercrime groups that are directly driven by financial motivations like OldGremlin, which in particular attacks Russian companies.

Advertisements

The members of the group are using self-made malware to carry out their malicious attacks and have been operating this gang illegally since March 2020.

The group has a broad range of victims, which includes companies in a number of sectors, including:-

  • Banks
  • Logistics
  • Manufacturing companies
  • Insurance firms
  • Retailers
  • Real estate developers
  • Software companies

The OldGremlin ransomware group runs only a few campaigns per year, but, they demand millions of dollars in ransom for hefty financial gain.

The operators of the OldGremlin gang used a Go variant of the TinyCrypt ransomware group to target and encrypt the Linux systems.

TinyCrypt used it to target the systems running Windows operating system. There is no difference between the Linux variant and its Windows counterpart in terms of functionality.

To encrypt files with the Linux varianta 256-bit key is used together with the CBC block cipher mode that is encrypted using the RSA-2048 asymmetric cryptosystem to generate an encrypted key using the AES algorithm.

Advertisements

The newly developed methods were also effectively combined with tried-and-tested penetration tools like Cobalt Strikes to achieve their goals.

Using the Ultimate Packer (UPX) program, the malware executable is wrapped inside a shell script and the files that are encrypted are appended with the .crypt extension.

Researchers identified exploitation of Cisco AnyConnect vulnerabilities as one of the methods used by attackers to escalate privileges. OldGremlin developed several Tiny frameworks that allow attacks to be conducted more easily.

Advertisements

There are a variety of tools that the group has developed for its own use, including:-

  • TinyCrypt ransomware
  • Credential extractors
  • Malicious LNK files
  • TinyPosh
  • TinyNode
  • TinyFluff
  • TinyShell
  • Reconnaissance tool
  • AV bypassing tool
  • Isolation tool

The list of tools clearly depicts how highly skilled the OldGremlin threat actors are. The attackers plan their attack in such a complicated way that their victims are left with no choice, instead paying the ransom demanded.

This research was documented by researchers from Group-IB.

Tags:

Leave a Reply

You may have missed

CISA Releases Untitled Goose Tool

CISA Releases Untitled Goose Tool

March 25, 2023
Critical Vulnerability in Woocommerce Payment Plugin

Critical Vulnerability in Woocommerce Payment Plugin

March 25, 2023
Cl0P Ransomware havoc with GoAnywhere MFT Exploit

Cl0P Ransomware havoc with GoAnywhere MFT Exploit

March 25, 2023
CISA Pre Ransomware Notification Initiative

CISA Pre Ransomware Notification Initiative

March 25, 2023
Github seizes Exposed RSA SSH Key

Github seizes Exposed RSA SSH Key

March 24, 2023
MITRE Risk Model Manager Platform

MITRE Risk Model Manager Platform

March 24, 2023
%d bloggers like this: