A Russian-speaking ransomware group likely targeted an entity in the gambling and gaming industry in Europe or Central America, repurposing tools created by APT groups such as Iran’s MuddyWater, new research suggests.
The unusual attack chain involved the abuse of stolen credentials to gain unauthorized access to the victim network, ultimately leading to the deployment of Cobalt Strike payloads on compromised assets, said Felipe Duarte and Ido Naor, researchers at Israeli incident response firm Security Joes, in a report published last week.
Although the infection was stopped at this point, the researchers identified the intrusion as a ransomware attack.
The intrusion is said to have taken place in February 2022, with the attackers making use of post-exploitation tools such as ADFind, NetScan, SoftPerfect, and LaZagne. Also employed were an AccountRestore executable, used to brute-force administrator credentials, and a forked version of the reverse tunneling tool Ligolo.
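The brute-forcing of administrator credentials described above is visible in authentication logs as a burst of failed logons against a privileged account from one source, sometimes followed by a success. The following is an added detection example, not code from the Security Joes report or from any tool it names; it runs over a constructed sample log (assumed one-line-per-event format of timestamp, result, account and source IP) and flags (account, source) pairs that exceed a failure threshold inside a sliding time window. The privileged account names and the threshold and window values are assumptions to be adjusted for a real environment.

```python
"""Detect brute-force attempts against administrator accounts in an authentication log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the report).
# Assumed format per line: <ISO timestamp> <FAIL|SUCCESS> <account> <source_ip>
SAMPLE_LOG = """\
2022-02-14T09:00:01 FAIL administrator 10.0.5.23
2022-02-14T09:00:02 FAIL administrator 10.0.5.23
2022-02-14T09:00:03 FAIL administrator 10.0.5.23
2022-02-14T09:00:04 FAIL administrator 10.0.5.23
2022-02-14T09:00:05 FAIL administrator 10.0.5.23
2022-02-14T09:00:06 FAIL administrator 10.0.5.23
2022-02-14T09:00:09 SUCCESS administrator 10.0.5.23
2022-02-14T09:05:00 FAIL jdoe 10.0.7.8
2022-02-14T09:05:30 SUCCESS jdoe 10.0.7.8
2022-02-14T09:10:00 FAIL backup_admin 10.0.9.1
2022-02-14T09:20:00 FAIL backup_admin 10.0.9.1
2022-02-14T09:30:00 FAIL backup_admin 10.0.9.1
"""

# Assumed set of privileged account names to watch; replace with the real list.
ADMIN_ACCOUNTS = {"administrator", "backup_admin"}


def parse_line(line):
    """Split one log line into (timestamp, result, account, source_ip)."""
    ts, result, account, src = line.split()
    return datetime.fromisoformat(ts), result, account.lower(), src


def detect_admin_bruteforce(log_text, admin_accounts=ADMIN_ACCOUNTS,
                            threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (account, source_ip) pair that accumulates at least
    `threshold` failed logons within any `window`-long span, and record whether
    a successful logon from the same source followed the burst."""
    failures = defaultdict(deque)  # (account, src) -> timestamps of recent failures
    alerted = {}                   # (account, src) -> alert dict
    for raw in log_text.strip().splitlines():
        ts, result, account, src = parse_line(raw)
        if account not in admin_accounts:
            continue  # only privileged accounts are in scope for this rule
        key = (account, src)
        if result == "FAIL":
            recent = failures[key]
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                if key not in alerted:
                    alerted[key] = {
                        "account": account,
                        "source_ip": src,
                        "failures_in_window": len(recent),
                        "first_seen": recent[0].isoformat(),
                        "success_after_burst": False,
                    }
                else:
                    alerted[key]["failures_in_window"] = max(
                        alerted[key]["failures_in_window"], len(recent))
        elif result == "SUCCESS" and key in alerted:
            # A success after a flagged burst is the highest-priority signal.
            alerted[key]["success_after_burst"] = True
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_admin_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample log the rule produces a single alert for `administrator` from `10.0.5.23` with six failures inside the window and a success afterwards; the three `backup_admin` failures spread ten minutes apart never reach the threshold, and the non-privileged `jdoe` account is ignored. The sliding window matters: a simple total count per account would also fire on slow, legitimate typos accumulated over a day.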
Called Sockbot, the modified variant is a Golang binary designed to expose internal assets of a compromised network to the internet in a stealthy and secure manner. The modifications remove the need to supply command-line parameters and add several execution checks that prevent more than one instance from running.
Given that Ligolo is a primary tool of choice for the Iranian nation-state group MuddyWater, the use of a Ligolo fork has raised the possibility that the attackers are taking tools used by other groups and incorporating their own signatures in a probable attempt to confuse attribution.
The links to Russian-speaking ransomware groups are derived from artifact overlaps with common ransomware toolkits. One of the binaries deployed (AccountRestore) contains Russian-language references.
“The strategy used by threat actors to access and pivot over the victim’s infrastructure lets us see a persistent, sophisticated enemy with some programming skills, red teaming experience and a clear objective in mind, which is far from the regular script kiddie profile,” the researchers said.
“The fact that the entry point for this intrusion was a set of compromised credentials reassures the importance of applying additional access controls for all the different assets in any organization.”