Researchers have been tracking an unidentified threat actor behind a ransomware campaign that uses a variant of the Xorist commodity ransomware MortalKombat, as well as a GO variant of the Laplas Clipper malware.
Once the victim is infected, it displays a Mortal Kombat 11 wallpaper along with a note instructing the victim to contact the attackers using qTox – instant messaging app.
The email claims that the user’s payment has timed out and carries an attachment, which contains the malicious payload in a zipped file with a name that appears to be a CoinPayments transaction number.
A multi-stage attack chain is initiated, during which the actor delivers either malware or ransomware. The ransomware encrypts all files on the infected system, including those in the trash bin and virtual machine files. It corrupts Windows Explorer, deletes folders and files from the start-up menu, and disables the Run Command.
If the attachment drops Laplas Clipper, the victim’s crypto wallet is targeted. The malware monitors the computer’s clipboard for cryptocurrency wallet addresses. If it finds any address, then it sends to the C2 server, and a Clipper bot creates a lookalike address and then replaces the clipboard entry and threat actor attempts to transfer into their own wallet.
The campaign has reportedly been targeting victims in the United States, England, Turkey, and the Philippines.
Until you ensure that the email you received is from a legitimate entity, it is highly advised that you do not click on any attachments. It is recommended to remain vigilant.
This research was documented by researchers from Cisco Talos.
Indicators of Compromise