New ‘MortalKombat’ ransomware targets systems in the U.S.


Hackers running a new financially motivated campaign are using a variant of the Xorist commodity ransomware named ‘MortalKombat,’ together with the Laplas clipper, in their attacks.

Both malware families are used for financial fraud: the ransomware extorts victims into paying for a decryptor, and Laplas steals cryptocurrency by hijacking crypto transactions.

Laplas is a cryptocurrency hijacker (a "clipper") released last year that monitors the Windows clipboard for cryptocurrency addresses and, when it finds one, silently replaces it with an address under the attacker’s control, so that a victim who pastes the address sends funds to the attacker.
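As an added illustration (not code from the Talos report or from Laplas itself), the heuristic below shows what a clipper of this kind looks like from the defender’s side: it classifies clipboard contents by wallet-address format and raises an alert when two different addresses of the same chain appear within a short window, which is exactly what a substitution looks like to a clipboard monitor. The address patterns, the two-second window and the clipboard snapshots are all assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regexes for common wallet-address formats. Assumption for this example:
# only Bitcoin legacy/bech32 and Ethereum-style addresses are recognised.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain name if the clipboard text looks like a wallet address, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def detect_swaps(snapshots: List[Tuple[float, str]], window: float = 2.0) -> List[Dict]:
    """Flag clipper-style substitutions in a sequence of (timestamp, clipboard text) snapshots.

    An alert is raised when two consecutive snapshots hold *different* addresses of the
    *same* chain and the change happened within `window` seconds: a user copying two
    addresses minutes apart is normal, a rewrite within milliseconds is not.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        chain_prev, chain_cur = classify_address(prev), classify_address(cur)
        if (
            chain_prev is not None
            and chain_prev == chain_cur
            and prev.strip() != cur.strip()
            and (t_cur - t_prev) <= window
        ):
            alerts.append({
                "chain": chain_prev,
                "original": prev.strip(),
                "replacement": cur.strip(),
                "delay": round(t_cur - t_prev, 3),
            })
    return alerts


# Constructed sample data (not real addresses, not real telemetry).
BTC_VICTIM = "1" + "Aa" * 16 + "A"        # 34-char legacy-style address
BTC_ATTACKER = "bc1q" + "z" * 38          # bech32-style address
ETH_VICTIM = "0x" + "ab" * 20
ETH_OTHER = "0x" + "cd" * 20

SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),        # ordinary text, ignored
    (5.0, BTC_VICTIM),             # user copies their own address
    (5.3, BTC_ATTACKER),           # clipboard rewritten 300 ms later: alert
    (30.0, ETH_VICTIM),
    (60.0, ETH_VICTIM),            # same content re-copied: no alert
    (120.0, ETH_OTHER),            # a different address a minute later: legitimate, no alert
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

A clipper that rewrites the clipboard synchronously inside the clipboard-update notification may leave no observable "before" state for a polling monitor, so on a real host this logic belongs in a clipboard-change listener, and the stronger check is comparing the pasted address against the one the user originally copied.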

As for MortalKombat, Cisco Talos says the new ransomware is based on the Xorist commodity ransomware family, which ships with a builder that lets threat actors customize the malware. Xorist has been decryptable for free since 2016.

Code similarities between Xorist and MortalKombat (Cisco)

The attacks observed by the Talos researchers focused primarily on the United States, with some victims also in the UK, Turkey, and the Philippines.

Victim heatmap (Cisco)

Phishing attacks

The phishing email carries a malicious ZIP attachment containing a BAT loader script. When opened, the script downloads a second archive from a remote resource; this archive contains one of the two malware payloads.

The loader script then executes the downloaded payload as a process on the compromised system and deletes the downloaded files to reduce the chances of detection.

Sample of the phishing email (Cisco)

The campaign’s infection flow (Cisco)

MortalKombat ransomware

MortalKombat is a Xorist ransomware variant first discovered in January 2023, named after the popular fighting video game and featuring a ransom note/wallpaper that includes artwork from the franchise.

Talos analysts report that the ransomware is not very sophisticated, as it also targets system files and applications, which ransomware usually avoids so that the system does not become unstable (an unbootable machine cannot display the ransom note or be used to pay).

All file types targeted by the ransomware (Cisco)

“Talos observed that MortalKombat encrypts various files on the victim machine’s filesystem, such as system, application, database, backup, and virtual machine files, as well as files on the remote locations mapped as logical drives in the victim’s machine,” the report says.

“It drops the ransom note and changes the victim machine’s wallpaper upon the encryption process.”

Ransom note on wallpaper (Cisco)

The wallpaper also acts as a ransom note, instructing the victim to use the qTox instant messaging app to negotiate with the cybercriminals, who demand payment in Bitcoin.

The attacker also provides a ProtonMail email address in case the victim has trouble registering a new account on qTox.

Although MortalKombat has no wiper functionality, it corrupts system folders such as the Recycle Bin so that victims cannot recover files from there, disables the Windows Run command window, and removes all entries from Windows startup.

Corrupted Recycle Bin (Cisco)

Moreover, the ransomware tampers with the Windows registry, adding an entry named “Alcmeter” under the Run registry key so that it is relaunched at logon, while deleting the installed applications’ root registry keys in the HKEY_CLASSES_ROOT hive.

HKEY_CLASSES_ROOT holds the file associations, shell commands, and icons used for each file type (it is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes), so deleting these entries breaks the associations and commands that launch the applications, leaving them unable to function normally.
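The loader chain described earlier (a BAT script run from an archive, a payload fetched and executed, the downloaded files deleted) and the registry changes just described (a Run entry for persistence, HKEY_CLASSES_ROOT keys deleted) are both visible in endpoint telemetry. The following is an added example, not code from the Talos report, that triages constructed Sysmon-style events for those behaviours: process creation (event ID 1), registry key deletion (event ID 12) and registry value set (event ID 13). The pipe-separated line format, the file paths, the SID and the placement of the Alcmeter entry under HKU are assumptions made for the sample; only the Alcmeter name and the HKCR deletion come from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed, pipe-separated Sysmon-style events (not real telemetry from the
# campaign). Field names follow Sysmon; the "key=value|key=value" layout is an
# assumption made for this example.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\explorer.exe|ParentImage=C:\Windows\System32\userinit.exe|CommandLine=explorer.exe",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Program Files\WinRAR\WinRAR.exe|CommandLine=cmd.exe /c C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\invoice.bat",
    r"EventID=1|Image=C:\Users\alice\AppData\Local\Temp\payload.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=C:\Users\alice\AppData\Local\Temp\payload.exe",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c del /q C:\Users\alice\AppData\Local\Temp\payload.zip",
    r"EventID=13|Image=C:\Users\alice\AppData\Local\Temp\payload.exe|EventType=SetValue|TargetObject=HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Alcmeter|Details=C:\Users\alice\AppData\Local\Temp\payload.exe",
    r"EventID=12|Image=C:\Users\alice\AppData\Local\Temp\payload.exe|EventType=DeleteKey|TargetObject=HKCR\Applications\notepad.exe",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt",
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
DEL_CMD = re.compile(r"\bdel\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'key=value|key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_cmd(path: str) -> bool:
    return path.lower().endswith("\\cmd.exe")


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for loader-chain and registry behaviours."""
    findings: List[Tuple[str, str]] = []
    for ev in map(parse_event, lines):
        eid = ev.get("EventID")
        if eid == "1":
            image = ev.get("Image", "")
            parent = ev.get("ParentImage", "")
            cmdline = ev.get("CommandLine", "")
            # cmd.exe launching a .bat that lives in the user's Temp directory
            # (where archive viewers extract attachments before running them)
            if is_cmd(image) and ".bat" in cmdline.lower() and TEMP_DIR.search(cmdline):
                findings.append(("bat_loader_from_temp", cmdline))
            # a payload binary in Temp started by cmd.exe: the downloaded stage
            if is_cmd(parent) and TEMP_DIR.search(image):
                findings.append(("payload_spawned_from_temp", image))
            # cmd.exe deleting files in Temp: the loader cleaning up after itself
            if is_cmd(image) and DEL_CMD.search(cmdline) and TEMP_DIR.search(cmdline):
                findings.append(("loader_cleanup_del", cmdline))
        elif eid == "13" and RUN_KEY.search(ev.get("TargetObject", "")):
            # value written under a Run key: logon persistence
            findings.append(("run_key_persistence", f'{ev["TargetObject"]} -> {ev.get("Details", "")}'))
        elif (
            eid == "12"
            and ev.get("EventType") == "DeleteKey"
            and ev.get("TargetObject", "").upper().startswith("HKCR\\")
        ):
            # application/file-association keys removed from HKEY_CLASSES_ROOT
            findings.append(("hkcr_key_deleted", ev["TargetObject"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The Run-key rule needs baselining before it is useful on its own: installers and legitimate software write to the same key. Correlating it with a writing process whose image sits under a user’s Temp directory, as the sample does, is what separates it from noise.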

Cisco’s analysts do not know what the operational model of MortalKombat is, and whether it is the custom strain of a lone threat actor or is sold to other cybercriminals the way Laplas is.
