As ransomware attacks against critical infrastructure continue to spike in recent months, cybersecurity researchers have uncovered a new entrant that has been actively trying to conduct multistage attacks on large corporate networks of medical labs, banks, manufacturers, and software developers in Russia.
The ransomware gang, codenamed “OldGremlin” and believed to be a Russian-speaking threat actor, has been linked to a series of campaigns at least since March, including a successful attack against a clinical diagnostics laboratory that occurred last month on August 11.
“The group has targeted only Russian companies so far, which was typical for many Russian-speaking adversaries, such as Silence and Cobalt, at the beginning of their criminal path,” Singaporean cybersecurity firm Group-IB said in a report published today and shared with The Hacker News.
“Using Russia as a testing ground, these groups then switched to other geographies to distance themselves from vicious actions of the victim country’s police and decrease the chances of ending behind the bars.”
OldGremlin’s modus operandi involves using custom backdoors — such as TinyNode and TinyPosh to download additional payloads — with the ultimate goal of encrypting files in the infected system using TinyCryptor ransomware (aka decr1pt) and holding it hostage for about $50,000.
In addition, the operators gained an initial foothold on the network using a phishing email sent on behalf of Russia’s RBC Group, a Moscow-based major media group, with “Invoice” in the subject line.
The message informed the recipient of their inability to contact the victim’s colleague with regards to an urgent bill payment along with a malicious link to pay the bill that, when clicked, downloaded the TinyNode malware.
Upon finding their way in, the bad actor used remote access to the infected computer, leveraging it to laterally move across the network via Cobalt Strike and gather authentication data of the domain administrator.
In a different variant of the attack observed in March and April, the cybercriminals were found using COVID-themed phishing lures to financial enterprises that masqueraded as a Russian microfinance organization to deliver the TinyPosh Trojan.
Subsequently, a separate wave of the campaign was detected on August 19, when the cybercriminals sent out spear-phishing messages exploiting the ongoing protests in Belarus decrying the government, proving once again that threat actors are adept at capitalizing world events to their advantage.
In all, OldGremlin has been behind nine campaigns between May and August, according to Group-IB.
“What distinguishes OldGremlin from other Russian-speaking threat actors is their fearlessness to work in Russia,” Oleg Skulkin, a senior digital forensics analyst at Group-IB, said.
“This indicates that the attackers are either fine-tuning their techniques benefiting from home advantage before going global, as it was the case with Silence and Cobalt, or they are representatives of some of Russia’s neighbors who have a strong command of Russian.”