A nascent threat actor is known as Crypt Ghouls was linked to a series of cyberattacks targeting Russian businesses and government agencies using ransomware with the dual purpose of disrupting business operations and financial gain.
“The group in question has a set of tools that includes utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec and others,” Kaspersky said. said. “The group used the well-known LockBit 3.0 and Babuk ransomware as their final payload.”
Victims of malicious attacks were state institutions, as well as mining, energy, financial and retail companies located in Russia.
The Russian cybersecurity vendor said it was only able to pinpoint the original penetration vector in two cases where threat actors used contractor credentials to connect to internal systems via VPN.
The VPN connections are said to have originated from IP addresses associated with the Russian hosting provider’s network and the contractor’s network, indicating an attempt to fly under the radar by exploiting a relationship of trust. The contractor’s networks are believed to be compromised through VPN services or unpatched security flaws.
The initial access step is replaced by the use of NSSM and Localtonet utilities to maintain remote access, with subsequent use facilitated by the following tools:
- XenAllPasswordPro to collect authentication data
- Cobint backdoor
- Mimic to get the victims credentials
- dumper.ps1 to dump Kerberos tickets from the LSA cache
- MiniDump to extract credentials from lsass.exe memory
- cmd.exe to copy credentials stored in Google Chrome and Microsoft Edge browsers
- PingCastle for network intelligence
- PAExec to execute remote commands
- AnyDesk and carrying SOCKS5 proxy for remote access
Attacks end by encrypting system data using the publicly available versions of LockBit 3.0 for Windows and Babuk for Linux/ESXi, and steps are taken to encrypt data in the recycle bin to prevent recovery.
“Attackers leave a ransom note with a link containing their ID in the Session messaging service for future contact,” Kaspersky said. “They connected to the ESXi server via SSH, loaded Babuk, and initiated the process of encrypting files in the virtual machines.”
Crypt Ghouls’ choice of tools and infrastructure in these attacks is consistent with similar campaigns by other groups targeting Russia in recent months, including Morlock, Blackjack, twelve, Shedding Zmiy (aka ExCobalt)
“Cybercriminals use compromised credentials, often owned by subcontractors, and popular open source tools,” the company said. “The common set of tools used in the attacks against Russia makes it difficult to identify specific hacker groups.”
“This shows that the current members are not only sharing their knowledge, but also their tools. All this only complicates the identification of specific attackers who are behind the wave of attacks on Russian organizations.”
