A threat campaign is luring victims in with cryptocurrency phishing emails before deploying new ransomware that may be connected to the decade-old Xorist ransomware family, according to new research by Cisco Talos.
In a blog post Tuesday, Chetan Raghuprasad, threat researcher at Cisco Talos Intelligence Group, detailed the financially motivated campaign that's been active since December. During attacks, threat actors deploy a new ransomware variant named MortalKombat and a recently discovered version of Laplas Clipper malware to steal cryptocurrency from predominantly U.S.-based victims.
While the ransomware strain and malware deployed may be newer to the threat landscape, the campaign's goal aligns with familiar trends.
"Talos continues to see attack campaigns targeting individuals, small businesses and large organizations that aim to steal or demand ransom payments in cryptocurrency," Raghuprasad wrote in the blog post.
The unidentified threat actor behind this campaign has been active since December, but researchers did not observe the use of MortalKombat ransomware in attacks until January. Before then, other payloads and malware, such as a Go variant of the Laplas Clipper, were used. Laplas Clipper was discovered in November 2022 and belongs to the Clipper malware family, which is notorious for targeting cryptocurrency users.
Similar to recent ransomware attacks, such as the ESXiArgs campaign earlier this month, the threat actors take advantage of internet-exposed devices.
"Talos observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389, using one of their download servers that run an RDP crawler and also facilitates MortalKombat ransomware," Raghuprasad wrote in the blog.
Attacks then start with a phishing email that impersonates CoinPayments, a legitimate global cryptocurrency payment gateway and wallet. Despite CoinPayments now being unavailable to U.S. users, the campaign largely targeted victims located in the U.S.
It's unclear what types of enterprises are being targeted by this campaign. Cisco Talos told TechTarget Editorial that it doesn't have additional insights to share on the U.S. targets.
A separate, recent attack involving a compromised email system for domain registrar Namecheap also used phishing emails that impersonated MetaMask, a cryptocurrency wallet, to lure victims into clicking unauthorized links.
New ransomware, old code
Following a successful phishing email, Raghuprasad noted how threat actors will deliver either Laplas Clipper malware or MortalKombat ransomware.
The MortalKombat variant is notable because it encrypts various files on victims' machines, including backups, virtual machine files and files on remote locations mapped as logical drives. Based on the ransomware name and the wallpaper dropped during the encryption process, Talos believes it's a reference to the popular Mortal Kombat media franchise.
While MortalKombat ransomware may be newly observed, its code, class name and registry key strings scream déjà vu. Talos assessed with "high confidence" that MortalKombat belongs to the Xorist ransomware family, an automated ransomware that first appeared in 2010 and warranted past government-issued advisories.
Laplas Clipper, meanwhile, monitors the victim machine's clipboard for a cryptocurrency wallet address and replaces it with a lookalike address to trick the user. More notably, the malware appears relatively easy to obtain: attackers can purchase a Laplas Clipper subscription online for $49 a week or $839 annually.
"If victims subsequently attempt to use the lookalike wallet address while performing transactions, the result will be a fraudulent transaction," Raghuprasad wrote in the blog.
In addition to strengthening ransomware defenses and testing backup solutions, the cybersecurity threat intelligence vendor urges enterprises to be extra cautious about the recipient's wallet address while performing cryptocurrency transactions.
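One way to act on that advice is a pre-send check that compares the address actually sitting in the clipboard against the one the user meant to pay, and flags the lookalike pattern a clipper produces (same leading and trailing characters, different middle). This is an added illustration, not code from Cisco Talos or the article; the function names and the sample addresses are constructed for the example.

```python
# Added example (not from Cisco Talos or the article): flag a clipboard
# wallet address that has been swapped for a lookalike before a transaction
# is sent. Clipper malware keeps the first and last few characters of the
# intended address so a quick visual glance passes; this compares the
# whole string and reports where the two diverge.

# Constructed sample addresses for illustration only; not real wallets.
INTENDED = "bc1qintended000000000000000000000000abcd"
LOOKALIKE = "bc1qattacker111111111111111111111111abcd"  # same prefix/suffix


def classify_recipient(intended: str, clipboard: str, edge: int = 4) -> str:
    """Return 'match', 'lookalike' or 'different'.

    'lookalike' means both addresses share their first and last `edge`
    characters but differ in between, the pattern a clipper substitution
    produces.
    """
    intended, clipboard = intended.strip(), clipboard.strip()
    if intended == clipboard:
        return "match"
    long_enough = min(len(intended), len(clipboard)) >= 2 * edge
    if (long_enough and intended[:edge] == clipboard[:edge]
            and intended[-edge:] == clipboard[-edge:]):
        return "lookalike"
    return "different"


def first_difference(intended: str, clipboard: str) -> int:
    """Index of the first differing character, or -1 if identical."""
    for i, (a, b) in enumerate(zip(intended, clipboard)):
        if a != b:
            return i
    if len(intended) == len(clipboard):
        return -1
    return min(len(intended), len(clipboard))


def verify_before_send(intended: str, clipboard: str) -> bool:
    """True only when the pasted address is exactly the intended one."""
    verdict = classify_recipient(intended, clipboard)
    if verdict != "match":
        pos = first_difference(intended, clipboard)
        print(f"BLOCK: clipboard address is a {verdict}; "
              f"first difference at position {pos}")
    return verdict == "match"


if __name__ == "__main__":
    verify_before_send(INTENDED, LOOKALIKE)  # blocked: lookalike, position 4
    verify_before_send(INTENDED, INTENDED)   # allowed
```

The check is deliberately strict: anything other than an exact match blocks the transaction, so the user re-copies the address from the trusted source rather than trusting the clipboard.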
Arielle Waldman is a Boston-based reporter covering enterprise security news.