
Hackers in a new financially motivated campaign are using a variant of the commodity Xorist ransomware named “MortalKombat”, together with the Laplas clipper, in their attacks.

Both malware families are used for financial fraud: the ransomware extorts victims into paying for a decryptor, while Laplas steals cryptocurrency by hijacking crypto transactions.

Laplas is a clipboard hijacker (“clipper”) released last year that monitors the Windows clipboard for cryptocurrency wallet addresses and, when one is found, replaces it with an address under the attacker’s control, so that the victim unknowingly pays the attacker instead of the intended recipient.
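The swap a clipper performs is hard to notice by eye, but it leaves a characteristic trace: a clipboard that held one wallet address suddenly holds a different address of the same coin, a fraction of a second after the user copied it. The following Python script is an added example, not code from the Talos report or from Laplas itself. It replays a constructed clipboard history, as a clipboard-monitoring agent might log it, and flags that pattern. The address patterns, the two-second window and the sample history are assumptions chosen for illustration, and the addresses are made up, not real wallets.

```python
"""Heuristic detector for clipboard-hijacking ("clipper") behaviour.

Added example: this is not code from the Cisco Talos report or from Laplas.
It replays a recorded sequence of clipboard snapshots and flags the pattern a
clipper produces: a wallet address is replaced by a *different* address of the
same coin within a very short window, far faster than a human copies twice.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Shapes of the address formats clippers commonly target. A match means
# "looks like an address", not that the checksum is valid: the substitute
# address a clipper pastes is a perfectly valid one, so validity alone is
# no defence.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # P2PKH / P2SH, Base58
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),       # P2WPKH / P2WSH / Taproot
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ltc":        re.compile(r"^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$"),
}

# Assumption: a legitimate user almost never copies two different addresses of
# the same coin within two seconds; a clipper polling the clipboard reacts in
# well under one second.
SWAP_WINDOW_SECONDS = 2.0


@dataclass
class Snapshot:
    ts: float    # seconds since epoch when the clipboard was read
    text: str    # clipboard contents at that moment


@dataclass
class Alert:
    coin: str
    original: str
    replacement: str
    delta_seconds: float


def classify(text: str) -> Optional[str]:
    """Return the coin label if `text` looks like a wallet address, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_swaps(snapshots: List[Snapshot],
                 window: float = SWAP_WINDOW_SECONDS) -> List[Alert]:
    """Flag consecutive snapshots where one address was swapped for another of the same coin."""
    alerts: List[Alert] = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        before, after = prev.text.strip(), cur.text.strip()
        coin = classify(before)
        if coin is None or classify(after) != coin or before == after:
            continue  # not an address-for-address swap of the same coin
        delta = cur.ts - prev.ts
        if delta <= window:
            alerts.append(Alert(coin, before, after, delta))
    return alerts


def sample_snapshots() -> List[Snapshot]:
    """Constructed clipboard history; the addresses are made up, not real wallets."""
    victim_btc = "1VictimAddress" + "A" * 20      # 34 chars, Base58 alphabet only
    attacker_btc = "1AttackerAddress" + "A" * 18  # same shape, different address
    return [
        Snapshot(100.0, "invoice #4471 due friday"),
        Snapshot(130.0, victim_btc),          # user copies the intended payee
        Snapshot(130.4, attacker_btc),        # 400 ms later the clipboard holds another address
        Snapshot(190.0, "0x" + "1" * 40),     # user copies an ETH address
        Snapshot(260.0, "0x" + "2" * 40),     # ...and a different one 70 s later: normal use
    ]


if __name__ == "__main__":
    for a in detect_swaps(sample_snapshots()):
        print(f"[{a.coin}] {a.original} -> {a.replacement} after {a.delta_seconds:.1f}s")
```

A heuristic like this is only a tripwire: a clipper could wait longer before swapping, and a user who copies two addresses in quick succession will trigger it. The defence it encodes is the one that actually works against Laplas: compare the address you are about to paste against the one you copied, character by character, before sending funds.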

As for MortalKombat, Cisco Talos says the new ransomware is based on the commodity Xorist ransomware family, which ships with a builder that lets hackers customize the malware. A free decryptor for Xorist has been available since 2016.

Code Similarities Between Xorist and MortalKombat (Cisco)

The attacks observed by Talos researchers have mainly focused on the United States, with some victims also in the United Kingdom, Turkey and the Philippines.

Heat map of victims (Cisco)

Phishing attacks

The email contains a malicious ZIP attachment with a BAT loader script which, when opened, downloads a second archive from a remote resource. This second archive contains one of the two malware payloads.

The loader script then runs the downloaded payload as a process on the compromised system and deletes the downloaded files to minimize the risk of detection.

Sample phishing email (Cisco)

The campaign infection flow (Cisco)

MortalKombat ransomware

MortalKombat is a Xorist ransomware variant first discovered in January 2023, named after the popular fighting video game and featuring a ransom note/wallpaper that includes art from the franchise.

Talos analysts report that this particular ransomware is not very sophisticated: it also targets system files and applications, which ransomware authors usually avoid so that the system does not become unstable.

All file types targeted by the ransomware (Cisco)

“Talos observed that MortalKombat encrypts various files on the victim machine’s file system, such as system, application, database, backup, and virtual machine files, as well as files on mapped remote locations as logical drives in the victim’s machine,” the report describes.

“It drops the ransom note and changes the wallpaper of the victim machine during the encryption process.”

Ransom note on wallpaper (Cisco)

The wallpaper also acts as a ransom note, instructing the victim to use qTox, an instant messaging application built on the Tox protocol, to negotiate with the cybercriminals, who demand payment in Bitcoin.

The attacker also provides a ProtonMail email address if the victim has trouble registering a new account on qTOX.

Although MortalKombat does not include wiper functionality, it corrupts system folders such as the Recycle Bin so victims cannot recover files from there, disables the Windows Run command window, and removes all entries from Windows startup.

Corrupted Recycle Bin (Cisco)

Additionally, the ransomware tampers with the Windows registry, creating a Run key value named “Alcmeter” for persistence and deleting the root registry keys of installed applications in the HKEY_CLASSES_ROOT hive.

The HKEY_CLASSES_ROOT hive stores the file associations, shell commands, and icons used for each file type, so deleting these entries breaks the link between file types and the applications that handle them, leaving those applications unable to function normally.
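As an added example (not Talos tooling), the following Python script hunts for the two registry behaviours described above over a constructed, Sysmon-like registry event log: creation of a new Run value, which the report says is named “Alcmeter”, and bulk deletion of application keys under HKEY_CLASSES_ROOT. The log format, field names and sample paths are simplified assumptions, the data stored in the Alcmeter value is made up, and the deletion threshold is a tuning choice rather than anything the report states.

```python
"""Hunt for the registry tampering described in the MortalKombat analysis.

Added example, not Talos tooling. Two behaviours from the report are looked
for: a new value under a Run key (the report names the value "Alcmeter") and
the deletion of application root keys under HKEY_CLASSES_ROOT. The input is a
constructed, Sysmon-like registry event log: one event per line, '|'-separated
key=value fields, EID 12 for key create/delete and EID 13 for value set.
Assumptions: field names are simplified from Sysmon's schema, the value data
for "Alcmeter" is made up, and MASS_DELETE_THRESHOLD is a tuning choice.
"""
import re
from collections import defaultdict
from typing import Dict, List

# ...\CurrentVersion\Run\<value name>, under either HKLM or a user hive.
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)

# HKCR is a merged view. Sysmon records the backing path (HKLM\SOFTWARE\Classes
# or the per-user ..._Classes hive), so match those components as well as 'HKCR'.
CLASSES_KEY_RE = re.compile(
    r"(?:^HKCR\\|\\Software\\Classes\\|_Classes\\)(?P<progid>[^\\]+)", re.IGNORECASE)

# Assumption: one process removing this many distinct application keys is
# abnormal; a legitimate uninstaller touches one or two.
MASS_DELETE_THRESHOLD = 5

# Constructed sample log. Raw string on purpose: the Windows paths contain
# '\U', which a normal Python string literal would read as a unicode escape.
SAMPLE_LOG = r"""
ts=2023-01-20T10:15:02Z|eid=13|type=SetValue|pid=4120|image=C:\Users\bob\AppData\Local\Temp\sample.exe|target=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Alcmeter|details=C:\Users\bob\AppData\Local\Temp\sample.exe
ts=2023-01-20T10:15:03Z|eid=12|type=DeleteKey|pid=4120|image=C:\Users\bob\AppData\Local\Temp\sample.exe|target=HKLM\SOFTWARE\Classes\Word.Document.12
ts=2023-01-20T10:15:03Z|eid=12|type=DeleteKey|pid=4120|image=C:\Users\bob\AppData\Local\Temp\sample.exe|target=HKLM\SOFTWARE\Classes\Excel.Sheet.12
ts=2023-01-20T10:15:03Z|eid=12|type=DeleteKey|pid=4120|image=C:\Users\bob\AppData\Local\Temp\sample.exe|target=HKLM\SOFTWARE\Classes\AcroExch.Document
ts=2023-01-20T10:15:04Z|eid=12|type=DeleteKey|pid=4120|image=C:\Users\bob\AppData\Local\Temp\sample.exe|target=HKLM\SOFTWARE\Classes\ChromeHTML
ts=2023-01-20T10:15:04Z|eid=12|type=DeleteKey|pid=4120|image=C:\Users\bob\AppData\Local\Temp\sample.exe|target=HKLM\SOFTWARE\Classes\VLC.mp4
ts=2023-01-20T10:15:04Z|eid=12|type=DeleteKey|pid=4120|image=C:\Users\bob\AppData\Local\Temp\sample.exe|target=HKU\S-1-5-21-1111_Classes\7-Zip.zip
ts=2023-01-20T10:16:10Z|eid=12|type=DeleteKey|pid=900|image=C:\Windows\System32\msiexec.exe|target=HKLM\SOFTWARE\Classes\Contoso.Viewer
ts=2023-01-20T10:20:00Z|eid=13|type=SetValue|pid=2200|image=C:\Program Files\Contoso\setup.exe|target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContosoUpdater|details=C:\Program Files\Contoso\updater.exe
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'k=v|k=v|...' line into a dict (values may contain '=', so split once)."""
    event: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def hunt(log_text: str, threshold: int = MASS_DELETE_THRESHOLD) -> List[Dict]:
    """Correlate Run-value creation and HKCR key deletion per process; return findings."""
    per_pid = defaultdict(lambda: {"image": "", "run_values": [], "deleted_classes": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        state = per_pid[ev["pid"]]
        state["image"] = ev.get("image", state["image"])
        if ev.get("eid") == "13" and ev.get("type") == "SetValue":
            m = RUN_VALUE_RE.search(ev.get("target", ""))
            if m:
                state["run_values"].append((m.group("name"), ev.get("details", "")))
        elif ev.get("eid") == "12" and ev.get("type") == "DeleteKey":
            m = CLASSES_KEY_RE.search(ev.get("target", ""))
            if m:
                state["deleted_classes"].add(m.group("progid").lower())

    findings: List[Dict] = []
    for pid, st in per_pid.items():
        persistence = bool(st["run_values"])
        mass_delete = len(st["deleted_classes"]) >= threshold
        if not (persistence or mass_delete):
            continue
        findings.append({
            "pid": pid,
            "image": st["image"],
            "run_values": st["run_values"],
            "deleted_classes": len(st["deleted_classes"]),
            # Both behaviours from one process is the pattern the report describes;
            # either alone is common enough (installers, startup entries) to merit review only.
            "severity": "high" if (persistence and mass_delete) else "review",
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:6} pid={f['pid']} {f['image']} "
              f"run={f['run_values']} hkcr_deleted={f['deleted_classes']}")
```

In the constructed log, the process that both writes the Alcmeter Run value and removes six application keys is rated high, a setup program that only adds its own Run value is left for review, and msiexec removing a single key is ignored. On a real estate the same correlation is straightforward to express as a Sysmon-fed SIEM rule, with the Run-value match keyed on the image path rather than the value name, since the name is trivially changed by the builder.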

Cisco analysts do not yet know MortalKombat’s operating model: whether it is a lone threat actor’s custom strain, or whether it is sold to other cybercriminals, as Laplas is.
