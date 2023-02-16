



February 15, 2023Ravie Lakshmanan

A new financially motivated campaign that began in December 2022 has seen an unidentified threat actor deploy a new strain of ransomware dubbed MortalKombat and a clipper malware known as Laplas. Cisco Talos said it “observed the actor scanning the Internet for victim machines with an exposed Remote Desktop Protocol (RDP) port 3389.” The attacks, according to the cybersecurity firm, are mostly focused on individuals, small businesses, and large organizations located in the United States and, to a lesser extent, the United Kingdom, Turkey, and the Philippines.

The starting point of the multi-step attack chain is a phishing email carrying a malicious ZIP file, which serves as the delivery path for either the clipper or the ransomware. In addition to using cryptocurrency-themed email lures impersonating CoinPayments, the threat actor is also known to erase infection markers in an attempt to cover their tracks.

MortalKombat, first detected in January 2023, is capable of encrypting system, application, backup, and virtual machine files on the compromised system. It further corrupts Windows Explorer, disables the Run command window, and removes applications and folders from Windows startup. An analysis of the ransomware's source code shows that it belongs to the Xorist family of ransomware, said Cisco Talos researcher Chetan Raghuprasad.

The Laplas clipper is a Golang variant of the malware that first came to light in November 2022. It is designed to monitor the clipboard for any cryptocurrency wallet address and replace it with an actor-controlled wallet in order to perform fraudulent transactions.

“The clipper reads the contents of the victim machine's clipboard and executes a function to perform a regular expression pattern match to detect the cryptocurrency wallet address,” Raghuprasad explained. “When a cryptocurrency wallet address is identified, the clipper sends the wallet address back to the clipper bot. In response, the clipper receives an attacker-controlled wallet address similar to the victim's and overwrites the original cryptocurrency wallet address in the clipboard.”
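As an added illustration, not code from the article or from Cisco Talos, the following Python checks a recorded sequence of clipboard observations for the substitution behaviour Raghuprasad describes: a wallet address the user copied that later reads back as a different, lookalike address of the same format. The wallet regexes, the `copy`/`poll` event model and the sample events are constructed for this example.

```python
import re

# Wallet-address formats this detector recognises (constructed for the example;
# the article only speaks of "cryptocurrency wallet address" in general).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def wallet_type(text):
    """Return the wallet format a clipboard string matches, or None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def shared_affix(a, b):
    """Length of the common prefix and suffix; a lookalike address keeps both."""
    pre = 0
    while pre < min(len(a), len(b)) and a[pre] == b[pre]:
        pre += 1
    suf = 0
    while suf < min(len(a), len(b)) - pre and a[-1 - suf] == b[-1 - suf]:
        suf += 1
    return pre, suf

def detect_swaps(events):
    """events: (source, clipboard_text) pairs in time order. 'copy' marks an
    explicit user copy, 'poll' a later re-read of the clipboard by a monitor.
    A wallet address that changed with no user copy in between is a finding."""
    findings, expected = [], None
    for source, text in events:
        text, kind = text.strip(), wallet_type(text)
        if source == "copy":                     # user set the clipboard: new baseline
            expected = (kind, text) if kind else None
            continue
        if expected is None or kind is None or text == expected[1]:
            continue                             # nothing copied, or unchanged
        pre, suf = shared_affix(expected[1], text)
        findings.append({"expected": expected[1], "found": text, "type": kind,
                         "same_type": kind == expected[0],
                         "shared_prefix": pre, "shared_suffix": suf})
    return findings

# Constructed sample: the third poll shows a lookalike ETH address (same first and
# last characters) although the user never copied anything new.
SAMPLE_EVENTS = [
    ("copy", "0x1111222233334444555566667777888899990000"),
    ("poll", "0x1111222233334444555566667777888899990000"),
    ("poll", "0x11112222aaaaaaaaaaaaaaaaaaaaaaaa99990000"),
    ("copy", "meeting notes"),
    ("poll", "meeting notes"),
]
```

Running `detect_swaps(SAMPLE_EVENTS)` yields one finding whose `shared_prefix` and `shared_suffix` show how much of the original address the substitute preserved.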

