A new ransomware group has been targeting large corporate networks using self-made backdoors and file-encrypting malware for the initial and final stages of the attack.

Researchers are tracking the gang using the codename OldGremlin. Their campaigns appear to have started in late March and have not expanded globally, yet.

Attacks attributed to this group have been identified only in Russia but there is a strong suspicion that OldGremlin is currently operating at smaller scale to fine-tune their tools and techniques before going global.

Custom tools, imaginative phishing

OldGremlin is using custom backdoors (TinyPosh and TinyNode) and ransomware (TinyCrypt, a.k.a decr1pt) along with third-party software for reconnaissance and lateral movement (Cobalt Strike, command line screenshot, NirSoft’s Mail PassView for email password recovery).

The gang is not picky about victims as long they are prominent businesses in Russia (medical labs, banks, manufacturers, software developers), indicating that it’s composed of Russian-speaking members.

The threat actor starts its attacks with spear phishing emails that deliver custom tools for initial access. They use valid names for the sender address, impersonating well-known individuals.

Researchers at Singapore-based cybersecurity company Group-IB says that in one attack against a bank OldGremlin sent out an email under the pretense of setting up an interview with a journalist at a popular business newspaper.

The fake journalist scheduled an appointment using a calendar app and then contacted the victim with a link to alleged interview questions hosted at an online storage service. Clicking on the link downloaded the TinyPosh backdoor.

For another attack targeting a clinical laboratory, the actor impersonated RosBiznesConsulting (RBC), a major media holding company in Russia, that had trouble paying for medical services.

They seem to be well-versed in social engineering and take advantage of current events to make their phishing more credible.

For instance, on August 19 they posed as the CEO of the Minsk Tractor Works informing Russian partners that the company was being investigated for participation in anti-government protests in Belarus and asking them for documents required by the prosecutor’s office.

https://csirt.cy/wp-content/uploads/2020/09/OldGremlin-Phish-GIB-300x169.jpg 300w, https://csirt.cy/wp-content/uploads/2020/09/OldGremlin-Phish-GIB-1024x576.jpg 1024w, https://csirt.cy/wp-content/uploads/2020/09/OldGremlin-Phish-GIB-768x432.jpg 768w" alt="" width="975" height="549" class="wp-image-7005 aligncenter" style="box-sizing: border-box; border: 0px; vertical-align: middle; clear: both; display: block; margin: 0px auto; height: auto; max-width: 100%; color: rgb(51, 51, 51); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" loading="lazy" />

It is worth mentioning that the name used for the sender’s address is not of the factory’s actual CEO. At least 50 messages were sent in this campaign.

The aim is to gain a foothold on the target organization’s network via one of the two backdoors (TinyNode or TinyPosh) that allow expanding the attack via additional modules downloaded from their command and control (C2) server. Remote Desktop Protocol is also used to jump to other systems on the network.

After spending some time on the network identifying valuable systems, the attacker deploys the file-encrypting routine. In the case of the medical laboratory, the attacker obtained domain administrator credentials and created a fallback account with the same elevated privileges to maintain persistence in case the initial one was blocked.

OldGremlin moved to the encryption stage a few weeks after the initial access, deleting server backups and locking hundreds of computers on the corporate network.

The ransom note left behind asked close to $50,000 in cryptocurrency for the decryption key and provided a Proton email address for contact.

In total, Group-IB detected multiple attacks attributed to OldGremlin between May and August 2020, all against targets in Russia, Group-IB said.

https://csirt.cy/wp-content/uploads/2020/09/oldgremlin_attacks-300x169.jpg 300w, https://csirt.cy/wp-content/uploads/2020/09/oldgremlin_attacks-1024x576.jpg 1024w, https://csirt.cy/wp-content/uploads/2020/09/oldgremlin_attacks-768x432.jpg 768w" alt="" width="904" height="509" class="wp-image-7007 aligncenter" style="box-sizing: border-box; border: 0px; vertical-align: middle; clear: both; display: block; margin: 0px auto; height: auto; max-width: 100%; color: rgb(51, 51, 51); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" loading="lazy" />

This tactic sets the group apart from other threat actors and was previously seen with financially-motivated groups Silence and Cobalt, which also ran smaller operations in Russia and before moving to targets outside country borders and beyond the former Soviet space.

Typically, Russian hackers avoid attacking organizations in Russia and former Soviet countries. Several big-game ransomware groups and threat actors are adamant about this.

Skulkin says that OldGremlin is the only Russian-speaking ransomware actor to ignore this rule and that their tactics and techniques are similar to those from advanced hacking groups.

In their blog post today, Group-IB provides a list with indicators of compromise for OldGremlin along with details about the tactics, techniques, and procedures below observed in attacks attributed to this new group.

https://csirt.cy/wp-content/uploads/2020/09/OldGremlinTTPs-GIB-300x169.jpg 300w, https://csirt.cy/wp-content/uploads/2020/09/OldGremlinTTPs-GIB-1024x575.jpg 1024w, https://csirt.cy/wp-content/uploads/2020/09/OldGremlinTTPs-GIB-768x432.jpg 768w" alt="" width="934" height="525" class="wp-image-7009 aligncenter" style="box-sizing: border-box; border: 0px; vertical-align: middle; clear: both; display: block; margin: 0px auto; height: auto; max-width: 100%; color: rgb(51, 51, 51); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" loading="lazy" />

The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.