A new attack campaign run by an as-yet-unidentified threat actor is targeting users in the U.S. with two malware families: MortalKombat ransomware and Laplas Clipper. We detail how the campaign is executed and how to keep your business safe.

The campaign, as described by Cisco Talos, starts with a phishing email (Figure A) that impersonates CoinPayments, a legitimate cryptocurrency payment gateway. The message is very brief: it claims that a Bitcoin payment has been canceled because of a time-out. Only recipients who actually transact in Bitcoin are likely to open the attachment, a ZIP archive containing a malicious BAT loader script. Once executed, the loader downloads a second ZIP file from a server in the attackers' infrastructure; that archive contains either the MortalKombat ransomware or the Laplas Clipper malware.

According to Cisco Talos researcher Chetan Raghuprasad, MortalKombat ransomware was first observed in January 2023. It is a 32-bit Windows executable that, once run, copies itself into the temporary folder of the local user profile and then drops an image file that it sets as the victim's desktop wallpaper.
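The initial access vector above is a ZIP attachment carrying a batch-file loader. The following is an added example, not code from the article or from Cisco Talos, of how a mail-gateway or triage script could flag such attachments before a user opens them. It assumes the script receives the raw attachment bytes; the sample archive is constructed inline as a stand-in for the real one, and the extension list goes beyond the .bat loader the report describes to other common script and executable loader formats (that broader list is an assumption, not something taken from the report). Nested ZIPs are walked, since the loader itself fetches a second archive, and oversized nested archives are reported rather than expanded so a decompression bomb cannot exhaust the scanner.

```python
import io
import zipfile
from pathlib import PurePosixPath

# The campaign used a .bat loader; the remaining extensions are an assumption
# about other common loader formats, included so the check generalises.
LOADER_EXTENSIONS = {
    ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".ps1", ".exe", ".scr", ".lnk",
}

# Refuse to expand nested archives larger than this (uncompressed bytes).
MAX_NESTED_BYTES = 8 * 1024 * 1024


def triage_zip_attachment(data: bytes) -> list[str]:
    """Return the entry names inside a ZIP attachment that look like loaders.

    `data` holds the raw attachment bytes. Nested ZIPs are opened and walked so
    a loader one level down is still reported, prefixed with the outer name.
    Anything that is not a valid ZIP yields an empty list (nothing to flag here;
    a real gateway would route it to a different check).
    """
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            suffix = PurePosixPath(name.lower()).suffix  # ".pdf.bat" -> ".bat"
            if suffix == ".zip":
                if info.file_size > MAX_NESTED_BYTES:
                    findings.append(f"{name} (oversized nested archive, not expanded)")
                    continue
                for hit in triage_zip_attachment(zf.read(info)):
                    findings.append(f"{name}/{hit}")
                continue
            if suffix in LOADER_EXTENSIONS:
                findings.append(name)
    return findings


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the phishing attachment (not the real sample):
    a decoy text file, a batch loader, and a nested ZIP with an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "CoinPayments_Cancelled_TX.bat",
            "@echo off\r\nrem constructed placeholder, contains no download logic\r\n",
        )
        zf.writestr("readme.txt", "Your Bitcoin payment timed out.")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("payload/update.exe", b"MZ")  # placeholder bytes only
        zf.writestr("stage2.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for hit in triage_zip_attachment(build_sample_attachment()):
        print("flagged:", hit)
```

The check is deliberately based on what the archive contains rather than on the sender or subject line, because the lure impersonates a legitimate gateway and the email body gives little to match on. Run against the constructed sample it flags the batch loader and the executable inside the nested archive, and ignores the decoy text file.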
Full report: Cryptocurrency users in the US hit by ransomware and Clipper malware.