The attacker is using the relatively new MortalKombat ransomware and a variant of the Laplas Clipper malware to extort victims or steal cryptocurrency from them. While most victims are in the U.S., the researchers also found victims in the United Kingdom, Turkey, and the Philippines. One of the servers used to deliver malware was tracked to an IP address in Poland. Cisco Talos researchers said since December 2022, they’ve observed the attacker targeting individuals, small businesses and large organizations. There’s currently no data on how many people have fallen victim to this threat actor.
‘Multi-Stage Attack Chain’
According to the Cisco Talos report, the infection starts with a phishing email carrying a malicious ZIP attachment that contains a BAT loader script. The email impersonates CoinPayments, a legitimate cryptocurrency payment service, and the ZIP file is named to look like a transaction ID, "enticing the recipient to unzip the malicious attachment and view the contents." Opening the loader script inside the ZIP file kicks off a "multi-stage attack chain" that ends with either the MortalKombat ransomware or the Laplas Clipper malware installed on the victim's device. All of this happens in the background, and once the final payload is installed the intermediate files are deleted, leaving little trace and making it harder for victims to realise their devices have been compromised.
MortalKombat and Laplas Clipper Attack Process
Laplas Clipper is a "clipboard stealer" that specifically targets cryptocurrency users by monitoring the clipboard for a wallet address. Once it detects one, "it sends it to the attacker-controlled Clipper bot, which will generate a lookalike wallet address and overwrite it to the victim's machine's clipboard." If the victim then pastes that address into a transaction, the funds go to the attacker's wallet, Talos said. Because the lookalike is built to match the first and last few characters of the real address, a glance at either end of the pasted value will not reveal the swap; only a full comparison against the intended address does. Persistence is a scheduled task: "The scheduled task executes the Clipper malware every minute for 416 days on the victim's machine," constantly re-reading the clipboard, Talos added. Laplas Clipper is sold online as a subscription, from $49 per week to $839 per year, and its developers keep releasing new variants with additional features.

The MortalKombat ransomware "encrypts various files on the victim machine's filesystem, such as system, application, database, backup, virtual machine [VM] files, as well as files on the remote locations mapped as logical drives in the victim's machine." It also corrupts Windows Explorer, removes apps and folders from startup, and renders the machine inoperable by disabling the Run command window, Talos added. Once the files are encrypted, the ransomware changes the wallpaper to one with characters from the Mortal Kombat video game. Victims also receive a ransom note with instructions on how and where to pay the ransom in Bitcoin. The attacker requires victims to communicate via qTox, a peer-to-peer encrypted messaging app popular with cybercriminals, and also provides an alternative ProtonMail address. MortalKombat is likely part of the Xorist ransomware family, which has been evolving since 2010, Talos said.
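As an added example (not code from Talos, the malware authors or this article), the Python below looks at the two Laplas Clipper behaviours described above from the defender's side: it replays a sequence of clipboard readings and flags a wallet address that is silently replaced by a same-format lookalike within a short window, and it scans an exported Task Scheduler XML file for a trigger that re-runs a command at minute-level intervals for a month or longer. The address regexes, the 120-second window, the 1-minute/30-day thresholds, the sample task XML and the `clipper.exe` path are all assumptions constructed for the example; the addresses are public test vectors plus one hand-made lookalike that is not checksum-valid.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Address formats are an assumption for this example; the report only says the
# clipper watches the clipboard for "a wallet address".
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the wallet format a clipboard value matches, or None."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def looks_alike(a, b, n=4):
    """A clipper's replacement keeps the first and last n characters of the
    real address so a glance at either end does not reveal the swap."""
    return a != b and a[:n] == b[:n] and a[-n:] == b[-n:]

@dataclass
class ClipEvent:
    t: float       # seconds since monitoring started
    content: str   # clipboard text observed at that moment

def detect_swaps(events, window=120.0):
    """Flag a wallet address replaced by a different address of the same format
    within `window` seconds. Copying unrelated text in between resets the
    comparison, and a different address copied much later is not flagged."""
    alerts, prev = [], None
    for ev in events:
        kind = address_kind(ev.content)
        if kind is None:
            prev = None
            continue
        if prev and prev[1] == kind and prev[0].content != ev.content \
                and ev.t - prev[0].t <= window:
            alerts.append({"kind": kind, "original": prev[0].content,
                           "replacement": ev.content,
                           "lookalike": looks_alike(prev[0].content, ev.content)})
        prev = (ev, kind)
    return alerts

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def iso_duration_seconds(value):
    """Parse the ISO 8601 durations Task Scheduler XML uses (PT1M, P416D, ...)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def suspicious_repetition(task_xml, max_interval=60, min_duration=30 * 86400):
    """Return the triggers in an exported task that re-run it at least every
    `max_interval` seconds for `min_duration` seconds or longer."""
    root = ET.fromstring(task_xml)
    commands = [c.text for c in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    hits = []
    for rep in root.findall(".//t:Repetition", TASK_NS):
        interval = rep.findtext("t:Interval", namespaces=TASK_NS)
        duration = rep.findtext("t:Duration", namespaces=TASK_NS)
        if interval is None:
            continue
        interval_s = iso_duration_seconds(interval)
        # No Duration element means the repetition never stops.
        duration_s = iso_duration_seconds(duration) if duration else float("inf")
        if interval_s <= max_interval and duration_s >= min_duration:
            hits.append({"commands": commands, "interval_s": interval_s,
                         "duration_s": duration_s})
    return hits

# Constructed sample data: the task XML mirrors the 1-minute/416-day schedule
# from the report with a hypothetical binary path (not a real indicator).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><Duration>P416D</Duration></Repetition>
      <StartBoundary>2023-01-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\clipper.exe</Command></Exec>
  </Actions>
</Task>"""

SAMPLE_CLIPBOARD = [
    ClipEvent(0.0, "invoice 4471"),
    ClipEvent(5.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),   # user copies own address
    ClipEvent(6.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),   # unchanged re-read
    ClipEvent(7.0, "bc1qarw508d6qejxtdg4y5r3zarvary0c5xwwf5mdq"),   # overwritten by clipper
    ClipEvent(900.0, "0x5aAeb6053F3E94C9b9A09f33669435E7Ef1BeAed"),
    ClipEvent(2400.0, "0xfB6916095ca1df60bB79Ce92cE3Ea74c37c5d359"),  # legit, 25 min later
]
```

Running `detect_swaps(SAMPLE_CLIPBOARD)` yields a single alert for the bech32 swap at t=7 with `lookalike` set, while the two Ethereum addresses 25 minutes apart are left alone; `suspicious_repetition(SAMPLE_TASK_XML)` returns the one-minute, 416-day trigger together with the command it launches. On a real host the clipboard readings would come from the OS clipboard and the XML from `schtasks /query /xml`; the thresholds are deliberately loose and are meant as a hunting filter, not a verdict.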
Security Recommendations
Several cybersecurity organizations, including Europol, have named ransomware among the most dominant cyber threats today. Elite ransomware outfits like LockBit, which snared the California Department of Finance in December 2022, are increasingly targeting high-profile victims. However, initiatives like No More Ransom have helped victims save almost one billion euros in ransom payments by offering free ransomware decryptors. There may be a decryptor for the MortalKombat ransomware, as free decryptors for the Xorist ransomware family have been available since 2016. You can find out by filling in the form on No More Ransom's Crypto Sheriff assistance page. You could also try either Trend Micro's or Emsisoft's Xorist decryptors by searching for "Xorist" on the No More Ransom decryption tools page; keep a copy of the encrypted files before running any tool, in case the first decryptor you try does not match the variant. To protect yourself from clipboard-based crypto theft, we recommend you avoid relying on the clipboard for your wallet address: write it down or keep it in your wallet's address book and type it in when required. Whichever method you use, compare the full address in the transaction with the one you intended to use before confirming, since a clipper's lookalike is designed to match only the first and last few characters. Also, never open attachments from unexpected emails, even when the sender appears to be a service you use; this campaign spoofs CoinPayments. Check out our article on Bitcoin and cryptocurrency scams to learn more about how to protect your crypto assets.