Russian Ransomware Gang Retools Custom Hacking Tools of Other APT Groups
A Russian-speaking ransomware outfit likely targeted an unnamed entity in the gambling and gaming sector in Europe and Central America by repurposing custom tools developed by other APT groups like Iran's MuddyWater, new research has found.
The unusual attack chain involved the abuse of stolen credentials to gain unauthorized access to the victim network, ultimately leading to the deployment of Cobalt Strike payloads on compromised assets, said Felipe Duarte and Ido Naor, researchers at Israeli incident response firm Security Joes, in a report published last week.
Although the infection was contained at this stage, the researchers characterized the compromise as a case of a suspected ransomware attack.
The intrusion is said to have taken place in February 2022, with the attackers making use of post-exploitation tools such as ADFind, NetScan, SoftPerfect, and LaZagne.
The attackers also used a fork of Ligolo, a reverse tunneling tool. Given that Ligolo is a primary tool of choice for the Iranian nation-state group MuddyWater, the use of a Ligolo fork raises the possibility that the attackers are taking tools used by other groups and incorporating their own signatures, probably in an attempt to confuse attribution.
The links to a Russian-speaking ransomware group come from artifact overlaps with common ransomware toolkits.
News URL
https://thehackernews.com/2022/03/russian-ransomware-gang-retool-custom.html