Cisco Talos, a threat intelligence research group, disclosed that two malicious programs from an unidentified source are actively targeting cryptocurrency investors. According to Talos, the malware (Laplas Clipper and the MortalKombat ransomware) has been used against crypto investors since December 2022.
Cisco Talos Discloses a Couple of Malware Targeting Crypto Investors
Cisco Talos recently published a blog post presenting its analysis of the malware. The company's research team said the malware is used to victimize investors and steal their crypto assets.
It added that most of the people targeted by this malware are located in the Philippines, Turkey, the United Kingdom, and the United States.
A typical infection in this campaign starts with a phishing email. This triggers a multi-stage attack chain in which the attacker delivers ransomware or malware and then deletes the evidence of the malicious files.
This is done to cover the attacker's tracks and make analysis harder. The malicious ZIP file attached to the phishing email contains a loader script with a BAT extension.
When the victim runs the loader script, it downloads a second malicious ZIP file from a hosting server controlled by the attacker.
Once the file has been downloaded to the victim's machine, it is automatically extracted and its payload is run. The payload is either the MortalKombat ransomware or the Go variant of the Laplas Clipper malware.
The loader script then runs the dropped payload as a process on the victim's machine. Afterwards, it deletes both the downloaded and the dropped malicious files to clean up the infection indicators.
The malicious programs work together to steal information held in the targeted user's clipboard, which normally contains the string of letters and digits the user last copied.
The infection then detects wallet addresses in the clipboard and replaces them with a different address. The attack relies on the sender not checking the wallet address before sending.
The operation ultimately diverts the victims' crypto assets to the unknown attacker. Rather than singling out particular users, the campaign aims at individuals in both large and small organizations.
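The clipboard substitution described above is what a defender would watch for: a wallet address that changes into a different address of the same family without the user copying anything. The following is an added example, not code from the Talos report or the article; the address patterns are my own simplifications, the clipboard history is constructed, and the user_copy flag is assumed to come from a copy-hotkey hook that is not shown.

```python
import re
from dataclasses import dataclass

# Simplified patterns for the address families a clipper commonly swaps
# (my own approximations, not taken from the Talos report).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the wallet-address family of `text`, or None if it is not one."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


@dataclass
class Snapshot:
    ts: float        # seconds since monitoring started
    content: str     # clipboard text seen by the poller
    user_copy: bool  # True when a (assumed) copy-hotkey hook produced this content


def find_swaps(snapshots):
    """Flag a clipper's signature: a wallet address silently replaced by a
    different address of the same family, with no user copy in between."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        fam_prev, fam_cur = classify(prev.content), classify(cur.content)
        if (fam_prev is not None and fam_prev == fam_cur
                and prev.content.strip() != cur.content.strip()
                and not cur.user_copy):
            alerts.append((cur.ts, fam_cur, prev.content, cur.content))
    return alerts


# Constructed clipboard history: the user copies a BTC address, a clipper
# overwrites it 0.2 s later, then the user copies an ETH address (no swap).
SAMPLE = [
    Snapshot(0.0, "hello world", True),
    Snapshot(1.0, "1" + "A" * 33, True),
    Snapshot(1.2, "1" + "B" * 33, False),
    Snapshot(5.0, "0x" + "1" * 40, True),
    Snapshot(5.5, "0x" + "1" * 40, False),  # re-read, unchanged: no alert
]

if __name__ == "__main__":
    for ts, family, before, after in find_swaps(SAMPLE):
        print(f"t={ts}s {family}: {before} -> {after}")
```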
Once it infects a machine, the MortalKombat ransomware encrypts the user's files and drops a ransom note along with payment instructions.
According to the Talos report, the note reveals URLs linked to the attack campaign. One of the download links leads to an attacker-controlled server at a Poland-based IP address that hosts the MortalKombat ransomware.
According to Talos's analysis, the other download IP address runs an RDP crawler that scans the internet for exposed RDP port 3389.
Malwarebytes revealed that the tag-team campaign begins with an email carrying a malicious attachment. When the target opens it, the attachment executes a BAT file that downloads and runs the ransomware.
Ransomware Revenue Dropped by 40% in 2022
Early detection of the malware described above can help investors avoid its potential impact on their financial operations.
Meanwhile, ransomware victims increasingly refuse to pay extortion demands, which led to a 40% drop in attackers' ransomware revenues last year.