New ransomware actor OldGremlin uses custom malware to hit top organisations

A new ransomware group has been targeting large corporate networks using self-made backdoors and file-encrypting malware for the initial and final stages of the attack.

Researchers are tracking the gang using the codename OldGremlin. Their campaigns appear to have started in late March and have not expanded globally, yet.

Attacks attributed to this group have been identified only in Russia but there is a strong suspicion that OldGremlin is currently operating at smaller scale to fine-tune their tools and techniques before going global.

OldGremlin is using custom backdoors (TinyPosh and TinyNode) and ransomware (TinyCrypt, a.k.a decr1pt) along with third-party software for reconnaissance and lateral movement (Cobalt Strike, command line screenshot, NirSoft’s Mail PassView for email password recovery).

The gang is not picky about victims as long they are prominent businesses in Russia (medical labs, banks, manufacturers, software developers), indicating that it’s composed of Russian-speaking members.

The threat actor starts its attacks with spear phishing emails that deliver custom tools for initial access. They use valid names for the sender address, impersonating well-known individuals.

Researchers at Singapore-based cybersecurity company Group-IB says that in one attack against a bank OldGremlin sent out an email under the pretense of setting up an interview with a journalist at a popular business newspaper.

The fake journalist scheduled an appointment using a calendar app and then contacted the victim with a link to alleged interview questions hosted at an online storage service. Clicking on the link downloaded the TinyPosh backdoor.

Full article on https://www.bleepingcomputer.com/news/security/new-ransomware-actor-oldgremlin-uses-custom-malware-to-hit-top-orgs/

#ransomware #oldgremlin #russia backdoor #mindyourdata #yokdata