A new cybercriminal group called OldGremlin has been targeting Russian companies – including banks, industrial enterprises and medical firms – with ransomware attacks.
OldGremlin relies on a bevy of tools, including custom backdoors called TinyPosh and TinyNode, to gain an initial foothold in the organization. It also uses tricky spear-phishing emails that utilize constantly evolving lures — from false coronavirus pandemic recommendations to fake requests for media interviews. And, the Russian-speaking cybercriminal group targets other Russian organizations, which researchers say is a big no-no within the Russian hacker community.
Researchers first discovered the group in August, when it targeted a large, unnamed medical company with a spear-phishing email purporting to be sent by the media holding company RBC. Instead, the email was an attack vector for OldGremlin to encrypt the company’s entire corporate network and demand a $50,000 ransom.
“According to Group-IB expert estimations, since the spring, OldGremlin has conducted at least seven phishing campaigns,” said researchers with Group-IB in a Wednesday post. “The hackers have impersonated the self-regulatory organization Mikrofinansirovaniye i Razvitiye (SRO MiR); a Russian metallurgical holding company; the Belarusian plant Minsk Tractor Works; a dental clinic; and the media holding company RBC.”
Attack Vector
The attack against the medical company is what put OldGremlin on researchers’ radar. In that case, the threat group sent targets a spear-phishing email with an attached ZIP archive, with the subject “Bill due” and purporting to be the finance department of RBC. Once the victim clicked on the .ZIP archive, a unique custom malware called TinyNode was used. TinyNode is a backdoor that downloads and launches additional malware.
“After the executable file was run for just 20 seconds, Windows Defender detected and deleted the malware,” said researchers. “Yet these 20 seconds were enough for the trojan to achieve persistence in the infected system. The victim failed to notice anything.”
After gaining remote access to the victim’s computer, the threat actors performed network reconnaissance, collected valuable data and propagated across the network, also utilizing the Cobalt Strike framework to make sure that any post-exploitation activity was as effective as possible.
“After the attackers conducted reconnaissance and made sure that they were in the domain that interested them, they continued to move laterally across the network, eventually obtaining domain administrator credentials,” said researchers. “They even created an additional account with the same privileges in case the main one was blocked.”
A few weeks after the initial attack, OldGremlin then wiped the organization’s backups, spreading TinyCryptor across hundreds of computers on the corporate network, with a ransom note demanding $50,000 in cryptocurrency in exchange for a decryption key.
OldGremlin History
Researchers said that OldGremlin’s first activities began between late March and early April. The group took advantage of the COVID-19 pandemic in early lures (a common theme for ransomware strains during this time period, as seen with the [F]Unicorn ransomware), sending financial institutions purported recommendations on how to organize a safe working environment during the pandemic, and impersonating the self-regulatory organization Mikrofinansirovaniye i Razvitiye (SRO MiR).
But OldGremlin has also constantly switched up its spear-phishing lures over time to mimic various organizations — from a Russian dental clinic to the Russian microfinance organization Edinstvo. The group has also commonly mimicked RBC in several campaigns. One spear-phishing email, for instance, purported to be sent by a Russian RBC journalist, who invited targets to take part in the “Nationwide survey of the banking and financial sectors during the coronavirus pandemic.” In later email exchanges, the attackers asked victims to click on a link, which then resulted in a custom trojan developed by the cybercriminals, TinyPosh, being downloaded to the victim’s computer.
Timeline of OldGremlin’s ransomware attacks. Credit: Group-IB
More recently, the group ramped up its activities in August after a short hiatus on August 13 and 14, sending around 250 malicious emails targeting Russian companies in the financial and industrial sectors. These campaigns also mimicked a journalist with the RBC group and a nickel-producing company.
Of note, OldGremlin appears to be made up of Russian speakers and yet is actively targeting Russian companies – which researchers said is a big transgression among the Russian underground.
“OldGremlin is the only Russian-speaking ransomware operator that violates the unspoken rule about not working within Russia and post-Soviet countries,” said Oleg Skulkin, senior digital forensics analyst at Group-IB. “They carry out multistage targeted attacks on Russian companies and banks using sophisticated tactics and techniques similar to those employed by APT groups.”
