Learn how to protect your business and employees from the Laplas Clipper malware and the MortalKombat ransomware.
An unidentified threat actor has launched a new offensive campaign against the United States using two malware families: MortalKombat ransomware and Laplas Clipper. We go into detail about how these malware campaigns operate and how to safeguard your business.
How These Cybersecurity Attacks Are Executed
As described by Cisco Talos, this attack campaign starts with a phishing email (Figure A) that impersonates CoinPayments, a reputable cryptocurrency payment processor. The email’s content is very succinct and describes a Bitcoin payment that was canceled because of a time-out issue. The attached file is a ZIP archive containing a malicious BAT loader script; the lure seems to assume that only users conducting Bitcoin transactions would open it.
Figure A
Once executed, the loader downloads another ZIP file from a server belonging to the attackers’ infrastructure, whose content might be MortalKombat ransomware or Laplas Clipper malware (Figure B).
Figure B
According to Chetan Raghuprasad of Cisco Talos, the MortalKombat ransomware was first uncovered in January 2023. This 32-bit Windows executable file, once executed, copies itself into the local user profile’s temporary folder before dropping an image file that will be loaded as the victims’ wallpaper (Figure C).
Figure C
The ransomware checks files against a long list of targeted file extensions and encrypts each file whose extension matches. It also enumerates connected logical drives and recursively walks every folder looking for the same file extensions, encrypting more files as it finds them.
In each folder where files are encrypted, the ransomware drops the same ransom note file, and every encrypted file receives a new file extension.
Files in the Recycle Bin folder are renamed with the same extension.
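The behaviour described above (one extension appended to file after file, the same note dropped in every affected folder, the Recycle Bin renamed too) is a pattern a defender can look for in file-activity telemetry. The following is an added example, not code from the Talos report; the extension, note file name and event log are constructed placeholders, since the report excerpt names neither the real extension nor the note:

```python
import ntpath
from collections import defaultdict

# Constructed file-activity events as (op, path, new_path or None); not a log from the
# Talos report. ".LOCKED" and "HOW_TO_DECRYPT.txt" are placeholders, since the report
# excerpt names neither the real extension nor the ransom note file name.
SAMPLE_EVENTS = [
    ("rename", r"C:\Users\alice\Docs\a.docx", r"C:\Users\alice\Docs\a.docx.LOCKED"),
    ("rename", r"C:\Users\alice\Docs\b.xlsx", r"C:\Users\alice\Docs\b.xlsx.LOCKED"),
    ("create", r"C:\Users\alice\Docs\HOW_TO_DECRYPT.txt", None),
    ("rename", r"D:\share\q1.pptx", r"D:\share\q1.pptx.LOCKED"),
    ("rename", r"D:\share\q2.pptx", r"D:\share\q2.pptx.LOCKED"),
    ("create", r"D:\share\HOW_TO_DECRYPT.txt", None),
    ("rename", r"C:\$Recycle.Bin\S-1-5-21-1\$R1.docx", r"C:\$Recycle.Bin\S-1-5-21-1\$R1.docx.LOCKED"),
    ("rename", r"C:\Users\alice\Docs\draft.txt", r"C:\Users\alice\Docs\draft_v2.txt"),  # benign
]

def appended_extension(old, new):
    """Return the extension appended to `old` to form `new`, or None for any other rename."""
    if new.startswith(old + ".") and "." not in new[len(old) + 1:]:
        return new[len(old):]
    return None

def analyse(events, min_renames=2):
    """Group activity per folder and look for the pattern the report describes: one extension
    appended to many files folder after folder, the same note file in each, Recycle Bin too."""
    renames = defaultdict(lambda: defaultdict(int))   # folder -> appended ext -> count
    created = defaultdict(set)                         # folder -> names of files created
    for op, path, new_path in events:
        folder = ntpath.dirname(path)
        if op == "rename":
            ext = appended_extension(path, new_path)
            if ext:
                renames[folder][ext] += 1
        elif op == "create":
            created[folder].add(ntpath.basename(path))
    hits = defaultdict(list)                           # ext -> folders with >= min_renames
    for folder, by_ext in renames.items():
        for ext, n in by_ext.items():
            if n >= min_renames:
                hits[ext].append(folder)
    findings = []
    for ext, folders in hits.items():
        notes = set.intersection(*(created[f] for f in folders))
        in_recycle_bin = any("$recycle.bin" in f.lower() and ext in renames[f] for f in renames)
        findings.append({"extension": ext, "folders": sorted(folders), "common_note": sorted(notes),
                         "recycle_bin": in_recycle_bin,
                         "ransomware_like": len(folders) >= 2 and bool(notes)})
    return findings
```

Feeding real rename and create events from an EDR or Sysmon pipeline into `analyse` in place of the constructed list turns this into a simple behavioural alert.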
A Cisco Talos researcher found that MortalKombat shares similarities with the much older Xorist ransomware, which first appeared in 2010 and has been widely used as a base for ransomware variants. Markers for Xorist are present in MortalKombat’s code, including the ClassName string X0r157 and a specific Alcmeter registry key string. Talos’ more thorough code analysis gave them high confidence that MortalKombat is a member of the same family as Xorist.
What is Laplas Clipper Malware?
The Laplas Clipper variant discovered by Cisco Talos is written in the Go programming language; earlier versions of the malware, including ones written in VB.NET, were in use before it.
During the first phase of execution the malware decrypts its embedded encrypted strings. It then copies itself onto the system, establishes persistence and starts monitoring the user’s clipboard for cryptocurrency wallet addresses. For each wallet address found, the C2 server supplies a replacement address controlled by the attacker, which is written into the clipboard in place of the original.
The malware is aware of the following cryptocurrencies: Dash, Bitcoin, Bitcoin Cash, Zcash, Litecoin, Ethereum, Dogecoin, Monero, Ripple, Tezos, Ronin, Tron, Cardano, and Cosmos.
The malware is advertised on cybercriminals’ underground marketplaces (Figure D) and sold as a service for $59 per month, according to Cyble Research and Intelligence Labs.
Figure D
Because of the infection, unaware victims believe they are making a cryptocurrency payment without any issues, but they are actually being scammed: the transaction amount is sent to an attacker-controlled wallet.
U.S. is the Main Target for This Security Threat
As stated by Cisco Talos, the U.S. is the primary target of this attack campaign, followed by the U.K., Turkey and the Philippines (Figure E).
Figure E
Although no information is provided about the recipients of the targeted phishing emails, it is reasonable to assume that they are most likely users who deal with cryptocurrencies.
How to Protect Your Business from MortalKombat and Laplas Malware
The initial infection is caused by social engineering rather than by exploiting vulnerabilities. All employees should receive regular security training and advice on how to avoid falling for social engineering-driven infections, particularly through email, to increase awareness.
Additionally, keep all operating systems and software patched and up to date to avoid falling victim to a known vulnerability, and implement security measures across the entire corporate infrastructure.
Because the Laplas Clipper alters the content of the clipboard by replacing one cryptocurrency wallet address with another, always verify that the address resulting from a copy/paste operation is exactly the same as the one that was copied.
Make regular data backups that are kept offline, so that known-good data can still be restored after ransomware has affected the infrastructure.
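The clipper behaviour described earlier and the copy/paste check recommended here can be turned into a simple detector: remember the address the user copied, re-read the clipboard, and alert when it now holds a different address of the same currency without the user having copied anything new. This is an added example, not code from the Talos report or from the malware; the address patterns are simplified shape-only assumptions for some of the listed currencies, and the clipboard timeline is constructed:

```python
import re
from dataclasses import dataclass

# Simplified shape-only patterns (no checksum validation) for some of the currencies the
# report lists; these regexes are this example's assumption, not Laplas Clipper's logic.
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{8,87})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{8,87})$"),
    "dogecoin": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
    "ripple":   re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "tron":     re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero":   re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

def classify(text):
    """Return the currency whose address shape `text` has, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

@dataclass
class ClipboardEvent:
    source: str    # "user_copy": the user copied it; "poll": periodic read-back of the clipboard
    content: str

def detect_swaps(events):
    """Flag a polled clipboard value that differs from the address the user last copied but is
    still an address of the same currency, with no new user copy in between (a clipper swap)."""
    alerts, expected, currency = [], None, None
    for ev in events:
        text = ev.content.strip()
        if ev.source == "user_copy":
            currency = classify(text)
            expected = text if currency else None   # only track real-looking addresses
            continue
        if expected and text != expected and classify(text) == currency:
            alerts.append((expected, text, currency))
    return alerts

# Constructed clipboard timeline; the addresses are made up and belong to nobody.
SAMPLE_EVENTS = [
    ClipboardEvent("user_copy", "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01"),
    ClipboardEvent("poll", "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01"),   # unchanged: fine
    ClipboardEvent("user_copy", "1AbcDefGhJkLmNpQrStUvWxYz23456789A"),
    ClipboardEvent("poll", "1ZzYyXxWwVvUuTtSsRrQqPpNnMmKkJjHhG"),           # swapped address
    ClipboardEvent("user_copy", "meeting notes"),                          # not an address
    ClipboardEvent("poll", "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01"),   # nothing tracked
]
```

On a real endpoint the `poll` events would come from periodically reading the system clipboard and the `user_copy` events from a copy hotkey hook; the comparison itself is the check the recommendation above asks users to perform by eye.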