Security News > 2022 > March > Russian Ransomware Gang Retool Custom Hacking Tools of Other APT Groups
A Russian-speaking ransomware outfit likely targeted an unnamed entity in the gambling and gaming sector in Europe and Central America by repurposing custom tools developed by other APT groups like Iran's MuddyWater, new research has found.
The unusual attack chain involved the abuse of stolen credentials to gain unauthorized access to the victim network, ultimately leading to the deployment of Cobalt Strike payloads on compromised assets, said Felipe Duarte and Ido Naor, researchers at Israeli incident response firm Security Joes, in a report published last week.
Although the infection was contained at this stage, the researchers characterized the compromise as a case of a suspected ransomware attack.
The intrusion is said to have taken place in February 2022, with the attackers making use of post-exploitation tools such as ADFind, NetScan, SoftPerfect, and LaZagne.
Given that Ligolo is a primary tool of choice for the Iranian nation-state group MuddyWater, the use of a Ligolo fork has raised the possibility that the attackers are taking tools used by other groups and incorporating their own signatures in a probable attempt to confuse attribution.
The links to a Russian-speaking ransomware group come from artifact overlaps with common ransomware toolkits.
News URL
https://thehackernews.com/2022/03/russian-ransomware-gang-retool-custom.html
Related news
- Russian suspected Phobos ransomware admin extradited to US over $16M extortion (source)
- Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested (source)
- UK disrupts Russian money laundering networks used by ransomware (source)
- US sanctions Chinese firm for hacking firewalls in ransomware attacks (source)
- Researchers Uncover Espionage Tactics of China-Based APT Groups in Southeast Asia (source)
- US charges Russian-Israeli as suspected LockBit ransomware coder (source)