October 3, 2023

A Russian-speaking ransomware group called OldGremlin involved in numerous campaigns targeting the organization that are operating in Eurasian nation.

There are very few cybercrime groups that are directly driven by financial motivations like OldGremlin, which in particular attacks Russian companies.

Advertisements

The members of the group are using self-made malware to carry out their malicious attacks and have been operating this gang illegally since March 2020.

The group has a broad range of victims, which includes companies in a number of sectors, including:-

  • Banks
  • Logistics
  • Manufacturing companies
  • Insurance firms
  • Retailers
  • Real estate developers
  • Software companies

The OldGremlin ransomware group runs only a few campaigns per year, but, they demand millions of dollars in ransom for hefty financial gain.

The operators of the OldGremlin gang used a Go variant of the TinyCrypt ransomware group to target and encrypt the Linux systems.

TinyCrypt used it to target the systems running Windows operating system. There is no difference between the Linux variant and its Windows counterpart in terms of functionality.

To encrypt files with the Linux varianta 256-bit key is used together with the CBC block cipher mode that is encrypted using the RSA-2048 asymmetric cryptosystem to generate an encrypted key using the AES algorithm.

Advertisements

The newly developed methods were also effectively combined with tried-and-tested penetration tools like Cobalt Strikes to achieve their goals.

Using the Ultimate Packer (UPX) program, the malware executable is wrapped inside a shell script and the files that are encrypted are appended with the .crypt extension.

Researchers identified exploitation of Cisco AnyConnect vulnerabilities as one of the methods used by attackers to escalate privileges. OldGremlin developed several Tiny frameworks that allow attacks to be conducted more easily.

Advertisements

There are a variety of tools that the group has developed for its own use, including:-

  • TinyCrypt ransomware
  • Credential extractors
  • Malicious LNK files
  • TinyPosh
  • TinyNode
  • TinyFluff
  • TinyShell
  • Reconnaissance tool
  • AV bypassing tool
  • Isolation tool

The list of tools clearly depicts how highly skilled the OldGremlin threat actors are. The attackers plan their attack in such a complicated way that their victims are left with no choice, instead paying the ransom demanded.

This research was documented by researchers from Group-IB.

Tags:

Leave a Reply

You may have missed

Industrial Control Systems and Vulnerability Management Process

October 2, 2023

McLaren Healthcare suffers a Ransomware Incident

October 2, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – September, 2023

October 2, 2023

TheCyberThrone Security Week In Review – September 30, 2023

October 1, 2023

Mozilla fixes CVE-2023-5217 Vulnerability in its Products

September 30, 2023

CISA KEV Update Part III – September 2023

September 30, 2023
%d bloggers like this: