- Since December 2022, Cisco Talos has been observing an unidentified actor deploying two relatively new threats, the recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims.
- Talos observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389, using one of their download servers that run an RDP crawler and also facilitates MortalKombat ransomware.
- Based on Talos’ analysis of similarities in code, class name, and registry key strings, we assess with high confidence that the MortalKombat ransomware belongs to the Xorist family.
- Talos continues to see attack campaigns targeting individuals, small businesses, and large organizations that aim to steal or demand ransom payments in cryptocurrency. Leveraging cryptocurrency offers threat actors attractive benefits such as anonymity, decentralization, and lack of regulation, making it more challenging to track.
- Talos recommends that users and organizations be meticulous about the recipient’s wallet address while performing cryptocurrency transactions. Talos encourages updating computers with the latest security updates, implementing robust endpoint protection solutions with behavioral detection capabilities, and maintaining tested, offline backup solutions for endpoints with a reasonable restoration time in the event of a ransomware attack.
Multi-stage attack chain delivers malware or ransomware and removes infection markers
A typical infection in this campaign begins with a phishing email and kicks off a multi-stage attack chain in which the actor delivers either malware or ransomware, then deletes evidence of malicious files, covering their tracks and challenging analysis.
The malicious ZIP file attached to the initial phishing email contains a BAT loader script. When a victim opens the loader script, it downloads another malicious ZIP file from an attacker-controlled hosting server to the victim’s machine, inflates it automatically, and executes the payload, which is either the GO variant of Laplas Clipper malware or MortalKombat ransomware. The loader script will run the dropped payload as a process in the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers.
Cryptocurrency-themed email lure used as initial infection vector
The initial infection vector is a phishing email in which the attackers impersonate CoinPayments, a legitimate global cryptocurrency payment gateway. Additionally, the emails have a spoofed sender email, “noreply[at]CoinPayments[.]net”, and the email subject “[CoinPayments[.]net] Payment Timed Out.” A malicious ZIP file is attached with a filename resembling a transaction ID mentioned in the email body, enticing the recipient to unzip the malicious attachment and view the contents, which is a malicious BAT loader.
BAT loader used to deploy Laplas Clipper malware and MortalKombat ransomware
Talos observed different attacks in this campaign where the actor used the BAT loader script to download and execute either Laplas Clipper malware or MortalKombat ransomware.
The BAT loader script uses the living-off-the-land binary (LoLBin) bitsadmin to download a malicious ZIP file from the attacker-controlled download server to the victim machine’s local user applications temporary folder. Using an embedded VB script, the BAT loader script inflates the downloaded malicious ZIP in the “%TEMP%” location and drops a malicious executable file with double file extensions “<filename>.PDF.EXE”. The BAT loader script starts the dropped malware using the Windows start command and deletes the downloaded ZIP file and the dropped payload.
MortalKombat and Laplas Clipper payloads deployed to elicit cryptocurrency gains
Talos observed the threat actor deploying MortalKombat ransomware and Laplas Clipper malware in this campaign, both used to steal cryptocurrency from the victim.
MortalKombat ransomware functionality
MortalKombat is a novel ransomware, first observed by threat researchers in January 2023, with little known about its developers and operating model. The name of the ransomware and the wallpaper it drops on the victim system are almost certainly a reference to the Mortal Kombat media franchise, which encompasses a series of popular video games and films.
Talos observed that MortalKombat encrypts various files on the victim machine’s filesystem, such as system, application, database, backup, and virtual machine files, as well as files on the remote locations mapped as logical drives in the victim’s machine. It drops the ransom note and changes the victim machine’s wallpaper upon the encryption process. MortalKombat did not show any wiper behavior or delete the volume shadow copies on the victim’s machine. Still, it corrupts Windows Explorer, removes applications and folders from Windows startup, and disables the Run command window on the victim’s machine, making it inoperable. An example ransom note and the victim machine’s wallpaper of MortalKombat ransomware are shown below:
The attacker uses qTOX, an instant messaging application available on the GitHub repository, to communicate with the victim. qTOX’s developer claims the application offers users a secure channel without any monitoring, an attractive feature for cybercriminals. In the ransom note, the attacker instructs the victim to use qTOX for communication and provides the attacker’s qTOX ID “DA639EF141F3E3C35EA62FF284200C29FA2E7E597EF150FDD526F9891CED372CBB9AB7B8BEC8”. The attacker also provides the email address “hack3dlikeapro[at]proton[.]me” as an alternate means of communication.
Laplas Clipper functionality
Laplas Clipper malware is a relatively new clipboard stealer first observed by threat researchers in November 2022. The stealer belongs to the Clipper malware family, a group of malicious programs that specifically target cryptocurrency users. Laplas Clipper targets users by employing regular expressions to monitor the victim machine’s clipboard for their cryptocurrency wallet address. Once the malware finds the victim’s wallet address, it sends it to the attacker-controlled Clipper bot, which will generate a lookalike wallet address and overwrite it to the victim’s machine’s clipboard. If victims subsequently attempt to use the lookalike wallet address while performing transactions, the result will be a fraudulent cryptocurrency transaction. Laplas Clipper is available at hxxps[://]laplas[.]app for a relatively low cost, with subscription rates ranging from $49 per week to $839 per year.
The Laplas Clipper developers are actively producing new variants of the malware. On December 20, 2022, the developers announced via their Telegram channel a new Clipper variant written in C++ and available as an EXE and DLL. The developers also mentioned they plan to release future updates that will add the capability to check the victim’s cryptocurrency wallet balance.
Two download URLs identified in the attacker’s infrastructure
Talos spotted two download URLs associated with the attacks in this campaign. One of them reaches an attacker-controlled server via IP address 193[.]169[.]255[.]78, based in Poland, to download the MortalKombat ransomware. According to Talos’ analysis, 193[.]169[.]255[.]78 is running an RDP crawler, scanning the internet for exposed RDP port 3389.
The other URL downloads the Laplas Clipper payload from the transfer[.]sh server associated with IP address 144[.]76[.]136[.]153. The Laplas Clipper malware employed in the attacks communicates with the Clipper bot at “clipper[.]guru”. The Clipper bot and the communication URL patterns of the GO Laplas Clipper variant identified are consistent with the .Net Laplas Clipper variant reported by the security researchers at Cyble.
Technical analysis of the payloads reveals unique identifiers
Talos conducted extensive technical analysis on MortalKombat ransomware and the GO variant of the Laplas Clipper malware, discovering unique identifiers and capabilities.
MortalKombat ransomware technical analysis
MortalKombat ransomware is a 32-bit Windows executable with numerous destructive capabilities. In the initial phase of its execution, it copies itself into the local user profile’s applications temporary folder with a random filename. The ransomware executable filename identified in this campaign is “E7OKC9s3llhAD13.exe”. The ransomware also drops a JPEG image file in the local user profile’s application temporary folder, which loads as the victim’s wallpaper.
MortalKombat performs time stomping on the newly created file in the temporary folder by modifying the creation time with the value “Wednesday, September 7, 2022, 8:06:35 PM”. Talos has not identified the ransomware operator’s intention behind the hardcoded date and time.
The ransomware loads its encrypted, embedded resources from its .rsrc section. It decrypts the resources in the victim machine’s memory and generates an extensive list of file extensions for the ransomware to target, along with the ransom note and the file extension for the encrypted files.
The ransomware establishes persistence by creating a Run registry key with the name “Alcmeter” and adding the absolute path of the ransomware executable file in the local user profile’s applications temporary folder. MortalKombat also registers its classes, filename extension, and icon for the encrypted files through the defaulticon registry key and shell open command keys.
The below table shows the registry key value pairs created by the ransomware:
MortalKombat discovers and maps the logical drives of the victim’s machine, appends “\*.*” and searches through all folders recursively. The ransomware enumerates every file and matches the file extension using the extensive list of file extensions decrypted from the ransomware’s resource section. In the event of a match, the ransomware encrypts the files and appends a new file extension “..Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransomware” to the encrypted files. Simultaneously, the ransom note file “HOW TO DECRYPT FILES.txt” will be created in every folder where the files are encrypted. Upon successfully encrypting the files, the ransomware changes the victim machine’s wallpaper by loading the dropped JPEG image from the local user’s application temporary folder. The ransomware also corrupts the deleted files in the recycle bin folder and changes the file names and types, as seen below:
Finally, the ransomware removes the applications and folders from the Windows startup and disables the Windows run command window. It deletes the root registry key of the installed applications in the HKEY_CLASSES_ROOT registry hive using the API RegDeletekeyA, cleaning up its infection markers.
MortalKombat is likely part of the Xorist ransomware family
Talos’ analysis of MortalKombat uncovered similarities with Xorist variants seen in the wild and the Xorist executable generated by the leaked builder. Xorist is a ransomware family that appeared in 2010 and has evolved with several variants created using a ransomware builder. The ease with which the Xorist variants can be customized allows threat actors to build new variants with different names, encryption file extensions, and custom ransom notes.
Talos found a leaked version of the Xorist builder where the builder interface options closely resembled an actual Xorist ransomware builder interface, as shown in a report by PCrisk. The builder generates a ransomware executable file that the attackers can further customize.
Talos observed that the ClassName string “X0r157” and the persistent registry key string “Alcmeter” in the MortalKombat binary are consistent with the Xorist variants seen in the wild and with the ransomware executable generated by the leaked Xorist builder.
Comparing the Xorist variant and the MortalKombat binaries showed Talos similarities in the code, leading us to assess with high confidence that the MortalKombat ransomware belongs to the Xorist ransomware family.
Laplas Clipper technical analysis
The GO variant of the Laplas Clipper identified in this campaign is a 32-bit executable downloaded from the attacker-controlled hosting server with persistence capabilities. In the initial phase of its execution, the Clipper decrypts a few of the embedded encrypted strings with a decryption routine that first decodes the base64 encoded strings and then decrypts them with the XOR key “\x3F” to generate the key, folder name, process ID file, and executable filenames.
The below table shows the strings associated with the GO Clipper malware of this campaign:
After the string decryption routine, the Clipper establishes persistence on the victim’s machine by creating a folder using the decrypted string “OQaXPFVvfW” in the local user profile’s applications roaming folder and copies itself into the folder with the filename using another decrypted string “TCOBAisZyL.exe.” The absolute path of the persistent location identified in this campaign is “C:\Users\<user>\AppData\Roaming\OQaXPFVvfW\TCOBAisZyL.exe.”
Laplas Clipper also creates a Windows scheduled task by executing the schtasks command shown below:
cmd.exe /C schtasks /create /tn OQaXPFVvfW /tr ”C:\Users\<user>\AppData\Roaming\OQaXPFVvfW\TCOBAisZyL.exe” /st 00:00 /du 9999:59 /sc once /ri 1 /f
The scheduled task executes the Clipper malware every minute for 416 days on the victim’s machine, resulting in continuous monitoring of the victim’s clipboard for a cryptocurrency wallet address. The attacker uses the technique of executing the malware through scheduled tasks to evade detection.
A main handler function of the Clipper malware executes its functionality. First, it registers the victim’s machine with the Clipper bot by sending the victim’s desktop name and user ID. The Clipper then sends another request to the Clipper bot and receives the regular expressions in the victim’s system memory. The Clipper reads the victim machine’s clipboard contents and executes a function to perform regular expression pattern matching to detect the cryptocurrency wallet address. When a cryptocurrency wallet address is identified, the Clipper sends the wallet address back to the Clipper bot. In response, the Clipper receives an attacker-controlled wallet address similar to the victim’s and overwrites the original cryptocurrency wallet address in the clipboard.
The regular expressions of cryptocurrency wallet addresses received by the Clipper malware from the Clipper bot are shown below:
Communication with the attacker-controlled Clipper bot is performed using the HTTP GET method. Talos compiled a list of the URLs the Clipper malware generates to communicate with the Clipper bot “clipper[.]guru”, seen below:
Talos created two dummy Ethereum wallets in Metamask for analysis purposes. During our analysis, the Clipper malware sent our dummy Ethereum wallet address to the Clipper bot from the analysis sandbox’s clipboard. In return, we received the attacker-controlled wallet address that looked similar to our original wallet address.
The table below shows the cryptocurrency wallet address sent from our analysis machine and the corresponding address received from the Clipper bot “clipper[.]guru”:
The attacker-controlled wallet addresses received from the Clipper bot are valid, and their status can be seen in the blockchain shown below:
Victimology
Talos observed that victims of this campaign are predominantly located in the United States, with a smaller percentage of victims in the United Kingdom, Turkey, and the Philippines.
MITRE ATT&CK TTPs
The campaign demonstrate several techniques of MITRE ATT&CK framework that the actor has employed in their attacks, most notably:
- Command-Line Interface - T1059
- Scripting - T1064
- Execution through API - T1106
- BITS Jobs - T1197
- Registry Run Keys / Startup Folder - T1060
- Modify Registry - T1112
- System Information Discovery - T1082
- File and Directory Discovery - T1083
- Query Registry - T1012
- Peripheral Device Discovery - T1120
- Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003
- Data Encrypted for Impact - T1486.
Coverage
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 61261-61265, 300397.
ClamAV detections are also available for this threat:
Win.Infostealer.Laplas-9985973-1
Win.Trojan.CryptoTorLocker2015-1
Txt.Downloader.VbsAgent-9986821-1
Orbital Queries
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries related to this threat, please follow the links:
- Mortalkombat Ransomware File Extension Artifact
- Mortalkombat Ransomware Registry Persistence Artifact
Indicators of Compromise
Indicators of Compromise associated with this threat can be found here.