OldGremlin Ransomware Gang Targets Russia with New Malware
OldGremlin, a little-known threat actor that uses its particularly advanced skills to run carefully prepared, sporadic campaigns, has made a comeback last month after a gap of more than one year.
The group distinguishes itself from other ransomware operations through the small number of campaigns – less than five since early 2021 – that target only businesses in Russia and the use of custom backdoors built in-house.
Despite being less active, which may suggest that the ransomware business is closer to moonlighting, OldGremlin has demanded ransoms as high as $3 million from one of its victims.
Carefully prepared phishing
The most recent OldGremlin activity consists of two phishing campaigns launched towards the end of March 2022. It is too early to assess how many companies were targeted but security researchers say that at least one Russian company in the mining sector is on the victim list.
The adversary did not steer away from its previously observed tactic to obtain initial access and took advantage of trending news topics.
Security researchers at Singapore-based cybersecurity company Group-IB say that this time OldGremlin impersonated a senior accountant at a Russian financial organization warning that the recent sanctions imposed on Russia would suspend the operations of the Visa and Mastercard payment processing systems.
Hello, We, at [masked], have received reliable information about new sanctions in the next couple of days. The Visa/Mastercard payment system will be shut down completely. All cards issued in our country will no longer work. Everyone must therefore urgently issue [masked] cards and link them to their bank payroll. Use the following instructions [hyperlink] for the following banks: [masked] Fill out the form (see attachment) and send it back, making sure to specify the bank branch at which it is convenient for you to pick up the bank card. Remember that if you want to link a card to a payroll, you must inform the accounting department of the account details after receiving the card. Please sign and send the form to our email address within 5 (five) hours from the moment you receive this email. For the purposes of efficiency, please send it in this email thread chain. [masked], Senior Accountant at [masked]
New custom backdoor
The email pointed the recipient to a malicious document stored in a Dropbox storage that downloads a backdoor called TinyFluff, which launches the Node.js interpreter and gives the attacker remote access to the target system.
TinyFluff is a new variant of an older backdoor, TinyNode, the gang used in past attacks. The image below shows the infection chains from the two OldGremlin campaigns this year on March 22 and March 25:
Group-IB researchers discovered two variants of TinyFluff, an earlier one that is more complex and a newer, simplified version that copies the script and the Node.js interpreter from its storage location at 192.248.176[.]138.
“We believe that the first, more complex, version of TinyFluff was raw. That’s why the gang simplified the tool so they could use it on the fly. However, they will most likely improve it for further attacks” – Group-IB Threat Intelligence team
Both variants of the backdoor are currently detected by more than 20 antivirus engines on the Virus Total scanning platform.
In a report shared with BleepingComputer, Group-IB provides indicators of compromise and a detailed technical analysis of the tools OldGremlin used in the two phishing campaigns deployed last month.
After planting the backdoor, OldGremlin proceeds to the reconnaissance stage, checking if the application is running in a test environment.
The commands for this stage of the attack are delivered in clear text, allowing the researchers to examine them using a traffic sniffer
- collecting information about the infected system/device
- obtaining information about connected drives
- launching the cmd.exe shell, executing a command, and sending the output to the command and control server (C2)
- obtaining information about the plugins installed in the system
- getting information about files in the specific directories on the system drive
- terminating the Node.js interpreter
OldGremlin can spend months inside the compromised network before deploying the final stage of the attack: delivering TinyCrypt/TinyCryptor, the group’s custom ransomware payload.
Just like with ransomware attacks from other gangs, the victim gets a ransom note that provides a contact to reach the threat actor for payment negotiations.
Group-IB told BleepingComputer that OldGremlin encrypted at least three companies since the researchers started tracking the gang in 2020.
Although this number is insignificant in comparison with attacks from other ransomware gangs, the researchers note that OldGremlin spends all year reaping the benefits of the few campaigns they launch.
In 2021, the gang deployed only one phishing campaign but it was enough to keep them busy the entire year as it provided initial access to the network of multiple businesses.
Group-IB says that it’s just a matter of time for a larger number of OldGremlin’s victims, apart from the targeted Russian mining company, to be uncovered this year as a result of the group’s March phishing activity.
Based on the evidence they found and after analyzing the quality of the phishing emails and the decoy documents, the researchers assess that OldGremlin has Russian-speaking members.
They described the knowledge the group has of the Russian landscape as “astonishing.”
By focusing only on Russian companies (banks, industrial enterprises, medical organizations, and software developers), OldGremlin breaks the unspoken rule of not attacking entities in the Russian territories.
Group-IB’s report on the recent OldGremlin campaigns, including technical analysis of the attacks and indicators of compromised is available on the company’s website.