A nascent threat actor known as Crypt Ghouls has been linked to a set of cyber attacks targeting Russian businesses and government agencies with ransomware, with the dual goals of disrupting business operations and financial gain.
“The group under review has a toolkit that includes utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others,” Kaspersky said. “As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.”
Victims of the malicious attacks span government agencies, as well as mining, energy, finance, and retail companies located in Russia.
The Russian cybersecurity vendor said it was able to pinpoint the initial intrusion vector in only two cases, with the threat actors leveraging a contractor’s login credentials to connect to the internal systems via VPN.
The VPN connections are said to have originated from IP addresses associated with a Russian hosting provider’s network and a contractor’s network, indicating an attempt to fly under the radar by weaponizing trusted relationships. It is believed that the contractor networks are breached via VPN services or unpatched security flaws.
The initial access phase is followed by the use of the NSSM and Localtonet utilities to maintain remote access, with follow-on exploitation facilitated by tools such as the following:
- XenAllPasswordPro to harvest authentication data
- CobInt backdoor
- Mimikatz to extract victims’ credentials
- dumper.ps1 to dump Kerberos tickets from the LSA cache
- MiniDump to extract login credentials from the memory of lsass.exe
- cmd.exe to copy credentials stored in the Google Chrome and Microsoft Edge browsers
- PingCastle for network reconnaissance
- PAExec to run remote commands
- AnyDesk and the resocks SOCKS5 proxy for remote access
The attacks end with the encryption of system data using publicly available versions of LockBit 3.0 for Windows and Babuk for Linux/ESXi, while also taking steps to encrypt data present in the Recycle Bin to inhibit recovery.
“The attackers leave a ransom note with a link containing their ID in the Session messaging service for future contact,” Kaspersky said. “They would connect to the ESXi server via SSH, upload Babuk, and initiate the encryption process for the files within the virtual machines.”
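As an added example that is not from the article or from Kaspersky, the following Python script triages constructed Windows process-creation (4688) and service-install (7045) log lines for the toolchain described above, grouping hits by host and attack stage; the log line format, the stage labels, the weights and the alert threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Tool names come from the report; stage labels and weights are this example's
# own assumptions and are meant for triage, not as a verdict on their own.
TOOL_STAGES = {
    "nssm": ("persistence", 2), "localtonet": ("persistence", 3),
    "mimikatz": ("credential-access", 5), "xenallpasswordpro": ("credential-access", 4),
    "dumper.ps1": ("credential-access", 4), "pingcastle": ("discovery", 2),
    "paexec": ("lateral-movement", 3), "psexec": ("lateral-movement", 3),
    "anydesk": ("remote-access", 2), "resocks": ("remote-access", 3),
}
# MiniDump used against lsass.exe, regardless of the binary's name on disk.
LSASS_DUMP = re.compile(r"minidump.*lsass|lsass.*minidump")
# Assumed flattened log format: "<ts> host=<name> event=<id> <key=value ...>".
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) (?P<rest>.*)$")

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(rest):
    """Return every (stage, weight, tool) hit found in one log line's payload."""
    text = rest.lower()
    hits = []
    if LSASS_DUMP.search(text):
        hits.append(("credential-access", 5, "lsass-minidump"))
    for tool, (stage, weight) in TOOL_STAGES.items():
        if tool in text:
            hits.append((stage, weight, tool))
    return hits

def score_hosts(lines, threshold=8):
    """Flag hosts whose findings cover at least two stages and reach the score threshold."""
    findings = defaultdict(lambda: {"score": 0, "stages": set(), "tools": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        for stage, weight, tool in classify(rec["rest"]):
            f = findings[rec["host"]]
            f["score"] += weight
            f["stages"].add(stage)
            f["tools"].append(tool)
    return {h: f for h, f in findings.items()
            if f["score"] >= threshold and len(f["stages"]) >= 2}

# Constructed sample log lines, not real telemetry.
SAMPLE_LOGS = [
    r"2024-10-01T08:02:11Z host=SRV01 event=7045 service=localtonet image=C:\ProgramData\nssm.exe",
    r"2024-10-01T08:05:40Z host=SRV01 event=4688 image=C:\Temp\xap.exe cmdline=XenAllPasswordPro.exe -a",
    r"2024-10-01T08:07:02Z host=SRV01 event=4688 image=C:\Temp\m.exe cmdline=MiniDump.exe lsass.exe out.dmp",
    r"2024-10-01T08:20:15Z host=SRV01 event=4688 image=C:\Temp\paexec.exe cmdline=paexec.exe \\FS02 -s cmd",
    r"2024-10-01T09:00:00Z host=WS17 event=4688 image=C:\Program Files\AnyDesk\AnyDesk.exe cmdline=AnyDesk.exe",
    r"2024-10-01T09:10:00Z host=WS17 event=4688 image=C:\Windows\System32\notepad.exe cmdline=notepad.exe",
]

if __name__ == "__main__":
    for host, f in score_hosts(SAMPLE_LOGS).items():
        print(host, f["score"], sorted(f["stages"]), f["tools"])
```

Only SRV01 is flagged: a single AnyDesk launch on WS17 is common legitimate activity, so the two-stage requirement keeps it below the bar until credential theft or lateral movement appears on the same host.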
Crypt Ghouls’ choice of tools and infrastructure in these attacks overlaps with similar campaigns conducted by other groups targeting Russia in recent months, including MorLock, BlackJack, Twelve, and Shedding Zmiy (aka ExCobalt).
“Cybercriminals are leveraging compromised credentials, often belonging to subcontractors, and popular open-source tools,” the company said. “The shared toolkit used in attacks on Russia makes it challenging to pinpoint the specific hacktivist groups involved.”
“This suggests that the current actors are not only sharing knowledge but also their toolkits. All of this only makes it more difficult to identify specific malicious actors behind the wave of attacks directed at Russian organizations.”