A new group of cybercriminals called OldGremlin has been targeting Russian companies, including banks, industrial firms, and medical organizations, with ransomware attacks. OldGremlin relies on a set of tools, including custom backdoors called TinyPosh and TinyNode, to gain an initial foothold in the victim organization.

The attackers get their tools into the network through malware delivered by phishing emails, then encrypt the victim's files and demand a ransom of around $50,000. So far the group has only targeted Russian companies.

Investigators first discovered the group in August, when it targeted a large, unnamed medical company with a phishing email purporting to come from the media holding company RBC. The attackers are believed to be Russian-speaking, which is unusual: Russian-speaking ransomware groups rarely go after targets within Russia. There are precedents, however, according to Group-IB senior digital forensic analyst Oleg Skulkin, who pointed to the Silence and Cobalt hacking groups as earlier examples.

The attack on the medical company is what put OldGremlin on the investigators' radar. In that case, the group sent its targets a spoofed email with a ZIP file attached, using the subject line "Invoice Pending" and posing as RBC's finance department. Once the victim opened the ZIP attachment, a custom backdoor called TinyNode was executed.

After the executable had been running for just 20 seconds, Windows Defender detected and removed the malware, the researchers said. However, those 20 seconds were enough for the Trojan to establish persistence on the infected system, so the infection survived the removal without the victim realizing it.
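The practical lesson of that 20-second window is that an antivirus "threat removed" notification is not evidence that a host is clean: the dropper may already have written an autostart entry that reinfects the machine or pulls a second stage later. The script below is an added example for this article, not code from the original page or from Group-IB, and it does not reproduce OldGremlin indicators. It enumerates the usual Windows autostart locations (Run/RunOnce keys, non-Microsoft scheduled tasks, and the Startup folders) and flags entries that run from user-writable directories, invoke script hosts or encoded PowerShell, or point at a file that no longer exists on disk, which is exactly what a dangling entry looks like after AV has deleted the binary it referenced. The path patterns and heuristics are this example's own assumptions; run it in an elevated PowerShell session on the suspect host.

```powershell
# Added example: audit common Windows autostart locations after an AV alert.
# Not code from the original article or from Group-IB; the checked locations
# and the "suspicious" heuristics below are this example's own assumptions,
# not OldGremlin indicators of compromise.

$findings = @()

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

# 2. Scheduled tasks (Microsoft-supplied tasks are excluded to reduce noise)
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute) {
            $findings += [pscustomobject]@{
                Source  = "Task $($_.TaskPath)$($_.TaskName)"
                Name    = $_.TaskName
                Command = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
            }
        }
    }
}

# 3. Per-user and all-users Startup folders
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File | ForEach-Object {
            $findings += [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Heuristics (assumptions for this example):
#  - entries launched from user-writable locations, where a dropper that came
#    out of a phishing attachment typically lands
#  - script hosts, LOLBins and encoded PowerShell command lines
#  - entries whose target binary is missing, i.e. left dangling after AV deleted it
$suspiciousPaths = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'
$scriptHosts     = 'powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|-enc|-EncodedCommand'

foreach ($f in $findings) {
    $reasons = @()
    if ($f.Command -match $suspiciousPaths) { $reasons += 'user-writable path' }
    if ($f.Command -match $scriptHosts)     { $reasons += 'script host / encoded command' }

    # Extract the executable (quoted, or first token) and check it still exists
    $exe = if ($f.Command -match '^"([^"]+)"') { $Matches[1] } else { ($f.Command -split ' ')[0] }
    if ($exe -and $exe -match '\\' -and -not (Test-Path -LiteralPath $exe)) {
        $reasons += 'target missing on disk'
    }

    if ($reasons.Count -gt 0) {
        '[{0}] {1}: {2}  ({3})' -f $f.Source, $f.Name, $f.Command, ($reasons -join ', ')
    }
}
```

A "target missing on disk" hit is the interesting one in a scenario like the one described here: it shows that something was scheduled to run and has since been removed, which means the host was not merely scanned but actually compromised, and the entry (and any second-stage payload it was meant to fetch) should be investigated rather than just deleted. The script covers only the most common autostart points; services, WMI event subscriptions and COM hijacks are outside its scope.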

In addition to RBC, OldGremlin has impersonated a variety of organizations in its spear-phishing emails, including the Russian microfinance organizations MIR and Edinstvo, a dental clinic, a law office, and a Belarusian tractor plant. No further information about the group has been released at this point, but the case illustrates what criminals can accomplish with a single convincing email, so it remains essential to take protective measures and to be cautious about opening attachments or following links from unverified senders.
