Russian Ransomware Gang Rebuilds Other APT Groups Custom Hacking Tools.

According to Felipe Duarte and Ido Naor ( researchers at Israeli incident response firm Security Joes) , the unusual attack chain involved the use of stolen credentials to gain unauthorised access to the user  network leading to the deployment of Cobalt Strike payloads on compromised assets.

A Russian-speaking ransomware group likely targeted an unnamed entity in the gambling and gaming sector in Europe and Central America by repurposing custom tools developed by other APT groups such as Iran’s MuddyWater.

The intrusion is said to have occurred in February 2022 with the attackers employing post-exploitation tools like ADFind, NetScan, SoftPerfect and LaZagne. An Account Restore executable is also used to brute-force administrator credentials  is a version of the Ligolo reverse tunnelling tool.

Ligolo is a primary tool of choice for the Iranian nation-state group MuddyWater, the use of a Ligolo fork raises the possibility that the attackers are taking tools used by other groups and adding their own signatures in an attempt to confuse attribution.

The modified variant, dubbed Sockbot, is a Golang binary designed to expose internal assets from a compromised network to the internet in a stealthy and secure manner. The malware has been modified to eliminate the need for command-line parameters and to include several execution checks to avoid running multiple instances.

Artifact overlaps with common ransomware toolkits result in links to a Russian-speaking ransomware group. Furthermore, one of the deployed binaries (AccountRestore) includes hard-coded Russian references.

Finally the researchers concluded that ,” The strategy used by threat actors to gain access to and pivot over the victim’s infrastructure allows us to see a persistent advanced enemy with some programming skills, red teaming experience and a clear goal in mind, which is far from the typical script kiddie profile. The fact that the entry point for this intrusion was a set of compromised credentials reaffirms the importance of implementing additional access controls for all the various assets in any organisation.”

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin