Cryptocurrency users in the United States hit by ransomware and Clipper malware


Find out how to secure your company and staff from the MortalKombat ransomware and Laplas Clipper malware.

cybersecurity concept identity theft, Database hacks, internet cyber crime. hacker attack, Hacking and stealing data. damage the system and hack the data. Image: SomYuZu/Adobe Stock A new attack campaign introduced by an unidentified hazard star targets the U.S. with 2 malware households: MortalKombat ransomware and Laplas Clipper. We detail how these malware projects are carried out and how to keep your company safe.

Jump to:

How these cybersecurity attacks are executed

This attack campaign as described by Cisco Talos starts with a phishing e-mail (Figure A) that impersonates CoinPayments, a genuine cryptocurrency payment entrance. The material is really short, describing a payment in Bitcoin that has been canceled due to a time-out issue. It appears sensible to believe only individuals making transactions in Bitcoin would open the connected file, which is a ZIP archive file containing a destructive BAT loader script.

Figure A

Image: Cisco Talos. Phishing e-mail material impersonating a genuine cryptocurrency platform.

Once performed, the loader downloads another ZIP file from a server coming from the aggressors’ facilities, whose material may be MortalKombat ransomware or Laplas Clipper malware (Figure B).

Figure B

Image: Cisco Talos.

Initial compromise flow for the attack campaign. What is

MortalKombat ransomware? According to Cisco Talos researcher Chetan Raghuprasad, MortalKombat ransomware was very first observed in January 2023. This 32-bit Windows executable file, as soon as performed, copies itself into the regional user profile’s momentary folder before dropping an image file that will be packed as the victims’ wallpaper (Figure C).

Figure C

Image: Cisco Talos. Wallpaper with guidelines, as set up by MortalKombat ransomware.

The ransomware consists of a substantial list of file extensions it targets for file encryption. Whenever there is a match, the matching file is encrypted. The ransomware likewise look for logical drives linked to the device it works on, and searches for the same file extensions through all folders recursively, securing more files as they are discovered.

Must-read security coverage

All encrypted files receive a brand-new file extension and the same ransom note file is produced in every folder where files are encrypted.

Files in the recycle bin folder are having their file name altered, too, with the very same file extension.

The Cisco Talos researcher discovered resemblances in between MortalKombat ransomware and a much older ransomware dubbed Xorist, which appeared in 2010 and has been extensively used to develop ransomware variations. A particular Alcmeter windows registry crucial string and a ClassName string X0r157 are markers of the Xorist ransomware and have actually been found in the code of the MortalKombat ransomware. Much deeper code analysis from Talos brought high self-confidence that the MortalKombat ransomware comes from the very same household as Xorist.

What is Laplas Clipper malware?

The Laplas Clipper malware variation Cisco Talos found was developed in the Go programming language, however previous variations have actually used other languages including VB.NET.

The malware embeds encrypted strings that are decrypted in the initial phase of execution of the malware. The malware copies itself on the system and establishes persistence prior to keeping track of the users’ clipboard to try to find cryptocurrency wallet addresses. When a cryptocurrency wallet is discovered in the clipboard, it is replaced by an attacker-controlled wallet sent by the C2 server.

The malware understands these cryptocurrencies: Dash, Bitcoin, Bitcoin Money, Zcash, Litecoin, Ethereum, Binance coin, Dogecoin, Monero, Ripple, Tezos, Ronin, Tron, Cardano and Universe.

The malware is marketed on cybercriminals’ underground markets (Figure D) and sold as a service for $59 monthly, according to Cyble Research & Intelligence Labs.

Figure D

Image: Cyble. Advertisement for Laplas Clipper malware on a cybercriminal underground market.

As a result of the infection, unsuspecting victims think they are making a cryptocurrency payment without problem; in fact, they are being scammed, and their deal quantity is sent to an attacker-controlled wallet.

U.S. is the primary target for this security danger

The primary target for this attack campaign, as provided by Cisco Talos, is the U.S., followed by the U.K., Turkey and the Philippines (Figure E).

Figure E

Image: Cisco Talos. Victimology shows the U.S. as the most impacted nation of the attack campaign.

While no intelligence is supplied about the phishing email targets, it is sensible to believe that the targeted emails are most likely from users handling cryptocurrency.

How to secure your company from MortalKombat and Laplas malware

The preliminary infection depends on social engineering and not vulnerabilities. It is encouraged to raise awareness to all staff members by supplying them with regular security training and ideas to avoid succumbing to social engineering-driven infections, particularly via emails.

Plus, all running systems and software application must constantly depend on date and covered to prevent being jeopardized by a common vulnerability and to release security services at every level of the business infrastructure.

In the case of the Laplas Clipper, as it modifies the content of the clipboard by changing one cryptocurrency wallet for another, it is highly encouraged to always check that the result from a copy/paste operation of a wallet is the exact same one as the preliminary one.

Another security idea is to make regular information backups, with backups remaining offline, so that it is still possible to go back to excellent information when ransomware has actually hit the infrastructure.

Disclosure: I work for Pattern Micro, however the views expressed in this article are mine.

Read next: Security awareness and training policy (TechRepublic Premium)


Leave a Reply

Your email address will not be published. Required fields are marked *