The cyber-criminal group Old Gremlin has been tormenting firms with ransomware, delivered via spear-phishing emails with COVID-19 lures, since March.
Old Gremlin has been targeting Russian companies, including banks, industrial enterprises and medical firms, with ransomware attacks.
Old Gremlin relies on a large toolbox, including the custom backdoors TinyPosh and TinyNode, to gain an initial foothold in an organisation. It also uses convincing spear-phishing emails whose lures constantly evolve, from false coronavirus pandemic recommendations to fake requests for media interviews. The Russian-speaking group targets other Russian organisations, which researchers say is a major taboo within the Russian hacker ‘community’.
Researchers first discovered the group in August, when it targeted a large, unnamed medical company with a spear-phishing email purporting to come from the media holding company RBC. In reality, the email was the opening move of an Old Gremlin attack that encrypted the company’s entire corporate network and demanded a $50,000 ransom.
“According to Group-IB expert estimations, since the spring, Old Gremlin has conducted at least seven phishing campaigns,” researchers with Group-IB observed in a post on Wednesday.
“The hackers have impersonated the self-regulatory organisation Mikrofinansirovaniye i Razvitiye (SRO MiR); a Russian metallurgical holding company; the Belarusian plant Minsk Tractor Works; a dental clinic; and the media holding company RBC.”
The attack against the medical company is what put Old Gremlin on researchers’ radar. In that case, the group sent targets a spear-phishing email with an attached ZIP archive, using the subject line “Bill due” and purporting to come from the finance department of RBC.
When the victim opened the ZIP archive, a unique custom malware called TinyNode was deployed. TinyNode is a backdoor that downloads and launches additional malware.
“After the executable file was run for just 20 seconds, Windows Defender detected and deleted the malware,” explained researchers. “Yet these 20 seconds were enough for the trojan to achieve persistence in the infected system. The victim failed to notice anything.”
After gaining remote access to the victim’s computer, the threat actors performed network reconnaissance, collected valuable data and propagated across the network, also using the Cobalt Strike framework to support their post-exploitation activity.
“After the attackers conducted reconnaissance and made sure that they were in the domain that interested them, they continued to move laterally across the network, eventually obtaining domain administrator credentials,” outlined researchers. “They even created an additional account with the same privileges in case the main one was blocked.”
A few weeks later, Old Gremlin wiped the organisation’s backups and spread TinyCryptor across hundreds of computers on the corporate network, leaving a ransom note demanding $50,000 in cryptocurrency in exchange for a decryption key.
Old Gremlin History
Researchers observed that Old Gremlin’s first activities began between late March and early April.
The group exploited the COVID-19 pandemic in its early lures (a common theme for ransomware strains at the time, as seen with the [F]Unicorn ransomware), sending financial institutions purported recommendations on how to organise a safe working environment during the pandemic and impersonating the self-regulatory organisation Mikrofinansirovaniye i Razvitiye (SRO MiR).
Old Gremlin has also constantly switched its spear-phishing lures over time to mimic various organisations, from a Russian dental clinic to the Russian microfinance organisation Edinstvo. The group has imitated RBC in several campaigns.
One spear-phishing email, for example, purported to come from an RBC journalist who invited targets to take part in a “Nationwide survey of the banking and financial sectors during the Coronavirus pandemic.”
In later email exchanges, the attackers asked victims to click on a link, which downloaded TinyPosh, a custom trojan developed by the cyber-criminals, to the victim’s computer.
More recently, after a short break, the group ramped up its activities in August: on 13 and 14 August it sent around 250 malicious emails targeting Russian companies in the financial and industrial sectors. These campaigns also imitated a journalist with the RBC group and a nickel-producing company.
Old Gremlin appears to be made up of Russian speakers, yet it actively targets Russian companies, which researchers said is a major transgression within the Russian underground.
“Old Gremlin is the only Russian-speaking ransomware operator that violates the unspoken rule about not working within Russia and post-Soviet countries,” commented Oleg Skulkin, Senior Digital Forensics Analyst at Group-IB. “They carry out multi-stage targeted attacks on Russian companies and banks, using sophisticated tactics and techniques similar to those employed by APT groups.”