OldGremlin Ransomware Gang Known for Targeting Russia Launches Linux Malware
By Deeba Ahmed. According to Group-IB’s report, the OldGremlin ransomware gang poses as reputable firms to infiltrate networks via phishing emails.
OldGremlin is a notorious ransomware group known for targeting Russian organizations and has launched wide-scale, multi-million-dollar campaigns. Its targets are Russian entities, from which it demands large ransoms. The gang’s victims include organizations in insurance, logistics, retail, software development, real estate, and banking.
According to a report from Group-IB, OldGremlin is a Russian-speaking ransomware gang that has been active since 2020; around sixteen malicious campaigns have been attributed to it over the past two and a half years, all of them targeting Russian organizations.
Also known as TinyScouts, OldGremlin is one of the few financially motivated cybercrime groups (others include Crylock, Dharma, and Thanos) that focus primarily on Russian entities.
So far, the OldGremlin ransomware gang has conducted ten phishing email campaigns, all launched in 2020, one successful ransomware attack in 2021, and five attacks in 2022. Its ransom demands have been comparatively high: in some cases the group asked for $16.9 million, and it has netted around $30 million in illegal revenue.
In its debut year, 2020, the gang carried out dozens of campaigns, targeting in succession micro-finance firms, a tractor manufacturer, a metals and mining firm, and a business media holding company.
“The demanded ransom is therefore often proportional to the company’s size and revenue and is obviously higher than the budget necessary for ensuring a suitable level of information security.”
Group-IB
Campaign Details
According to Group-IB’s press release, OldGremlin has developed new malware for Linux systems. The group poses as reputable firms such as the media group RBC, the Russian Union of Industrialists, 1C-Bitrix, or the legal assistance provider Consultant Plus to infiltrate networks via phishing emails.
The group gains initial access via a phishing email and then deploys tools such as Cobalt Strike for lateral movement. It establishes persistence by creating scheduled tasks and escalates its privileges.
It also exploits flaws in Cisco AnyConnect (CVE-2020-3153 and CVE-2020-3433) and obtains remote access to the targeted infrastructure using tools such as TeamViewer. Once this is done, the group stays inside the victim’s network for around 49 days before launching the ransomware.
Victims can contain the threat during this window with an effective malware detection solution. Group-IB noted that the most recent phishing wave attributed to OldGremlin occurred on 23 August 2022; the phishing emails embedded links to a ZIP archive payload hosted on Dropbox that started the kill chain.
The archive launches a rogue LNK file (TinyLink) that downloads a backdoor (TinyFluff). The group also uses other implants besides TinyFluff, including TinyPosh, TinyShell, and TinyNode, and deletes data backups before launching the .NET-based TinyCrypt ransomware.
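As an added defensive illustration that is not part of the original article or of Group-IB’s tooling: a small Python correlator that maps constructed log lines onto the stages of the chain described above (Dropbox-hosted ZIP link, LNK execution, scheduled-task persistence, TeamViewer, backup deletion) and reports the window between the first and last matched stage, which is the time a defender has to contain the intrusion. The log format, host names and indicator patterns are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Kill-chain stages from the OldGremlin campaign description, each paired with
# an illustrative indicator pattern.  These patterns are assumptions for this
# example, not Group-IB's detection logic.
STAGES = [
    ("initial_access", re.compile(r"dropbox\.com/\S*\.zip", re.I)),   # ZIP link in mail
    ("execution",      re.compile(r"\.lnk\b", re.I)),                 # LNK launched
    ("persistence",    re.compile(r"EventID=4698|schtasks\S*\s+/create", re.I)),
    ("remote_access",  re.compile(r"teamviewer", re.I)),
    ("backup_removal", re.compile(r"vssadmin\S*\s+delete\s+shadows", re.I)),
]

# Assumed log format: "<ISO timestamp> host=<name> <message>"
LINE_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+(.*)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def correlate(lines):
    """Return {host: {stage: first_seen_timestamp}} for every matched stage."""
    hits = defaultdict(dict)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        for stage, pat in STAGES:
            if pat.search(msg) and stage not in hits[host]:
                hits[host][stage] = ts
    return dict(hits)

def assess(hits, min_stages=3):
    """Flag hosts showing at least min_stages chain stages, ordered by time,
    with the dwell window in days between the first and last stage seen."""
    findings = {}
    for host, stages in hits.items():
        if len(stages) >= min_stages:
            first, last = min(stages.values()), max(stages.values())
            findings[host] = {"stages": sorted(stages, key=stages.get),
                              "window_days": (last - first).days}
    return findings

# Constructed sample logs: WS01 shows the full chain, WS02 only a TeamViewer start.
SAMPLE_LOGS = [
    r"2022-08-23T09:12:00 host=WS01 mail url=https://www.dropbox.com/s/abc/letter.zip",
    r"2022-08-23T09:15:30 host=WS01 process C:\Users\u\AppData\Local\Temp\letter.lnk",
    r"2022-08-24T11:00:00 host=WS01 EventID=4698 TaskName=\Updater scheduled task created",
    r"2022-09-01T14:00:00 host=WS01 process C:\Tools\TeamViewer.exe",
    r"2022-09-01T14:05:00 host=WS02 process C:\Program Files\TeamViewer\TeamViewer.exe",
    r"2022-10-11T10:00:00 host=WS01 process vssadmin.exe delete shadows /all /quiet",
]

if __name__ == "__main__":
    print(assess(correlate(SAMPLE_LOGS)))
```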
Although the group is focused on Russian organizations, Group-IB noted that it might expand its geographical reach over time.