OldGremlin Ransomware Group Resumes Attacks on Russian Companies

According to analysts at Group-IB, the Russian-speaking ransomware group OldGremlin has returned after a long break and is once again targeting Russian companies. Researchers remind us that, until recently, Russian-speaking ransomware groups had an unwritten rule: “don’t work in RU,” meaning they would not target Russian companies. Those who broke this rule were few, and OldGremlin was among them.

Since the spring of 2020, when Group-IB Threat Intelligence first uncovered the “gremlins,” the hackers have actively attacked Russian businesses, including banks, industrial enterprises, medical organizations, and software developers. In less than two years, the hackers carried out 13 malicious email campaigns; the phishing email is the first stage of each attack and the one that decides whether it succeeds.

The most active year for the group was 2020, with 10 phishing campaigns purportedly sent on behalf of organizations such as the Union of Microfinance Organizations, a Russian metallurgical holding, the Belarusian MTZ plant, a dental clinic, and the media holding RBC. In 2021, OldGremlin conducted only one mass mailing, in February, but it was so successful that it “fed” the hackers for the entire year. Several months later, when responding to incidents at Russian companies, Group-IB specialists found that the initial entry point was that February campaign. Last year, OldGremlin also set a Russian record for greed, demanding a ransom of 250,000,000 rubles from one victim.

Recent Attacks and Tactics

Now, at the end of March 2022, OldGremlin has resurfaced with two new malicious email campaigns. As in previous attacks, the group bombarded Russian companies with emails, using current news topics to make their messages more convincing. The hackers exploited the themes of sanctions and the “complete withdrawal” of Visa and Mastercard payment systems. The emails were sent on behalf of a senior accountant at a Russian financial organization, offering clients instructions and a form to fill out for a new bank card. In reality, the emails contained links to a malicious document hosted on Dropbox.

This document led to the victim’s machine being infected with the TinyFluff (“Pushok”) malware. This tool is a direct successor to the unique custom backdoor TinyNode, which the group previously used as a loader to download and run malicious scripts. TinyFluff’s purpose is to launch a Node.js interpreter on the infected device and provide remote access to it.

OldGremlin is meticulous in preparing phishing emails and closely follows current events. Previous campaigns have used topics such as remote work during the pandemic, Belarusian protests, or interview offers from real financial journalists at well-known publications.

Advanced Attack Techniques

OldGremlin’s signature style includes multi-stage targeted attacks with complex tactics and techniques similar to those used by APT groups. For example, instead of sending their TinyCryptor ransomware directly in an email, they would first gain remote access to the victim’s machine, conduct reconnaissance, collect data, and then move laterally within the organization’s network.

The Group-IB report also notes that on March 25, OldGremlin conducted another email campaign, this time using a simpler toolkit. Experts believe this is because the final script used in the previous attack was not fully ready for widespread use and required further testing and new features. Unfortunately, OldGremlin will likely refine the script and use it in future attacks.

Based on the appearance of the lure documents, it is assumed that the second campaign was sent on behalf of the company “Consultant Plus.” However, experts have not yet found the actual email samples, though they were able to reconstruct the second attack during their analysis of the group’s network infrastructure. In this case, the payload was also TinyFluff.

Technical Details of the Latest Attacks

“Unlike the file in the March 22 campaign, this version does not have a built-in script and does not download the Node.js interpreter from the official website. Instead, the application copies both the script and the interpreter from its current location, that is, from the network drive 192.248.176[.]138. The final executable script is much simpler than the previous version. It lacks DGA (the C2 server is specified as IP address 46.101.113[.]161) and data encryption. In fact, all the trojan’s interactions with the C2 server could be viewed with a standard sniffer. We managed to obtain several JS commands that were executed on the infected device. All of them were intended to gather information about the device, including executing CMD commands,” the Group-IB report states.
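The quoted behaviour (a Node.js interpreter copied from and run off a network share, JS commands that run CMD commands to profile the host, and unencrypted traffic to a fixed C2 address) is concrete enough to turn into detection logic. The script below is an added example written for this article, not code from Group-IB or from the report, and it does not reproduce any OldGremlin tooling. It parses constructed process-creation and network-connection events in an assumed key="value" format loosely modelled on Sysmon fields and flags three things: node.exe launched from a UNC path or a user-writable directory, node.exe spawning cmd.exe or powershell.exe, and any connection to the two addresses quoted in the report (printed defanged above, undefanged in the code). The hostnames, paths, sample lines and the benign 198.51.100.7 address are invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Addresses quoted in the Group-IB report (defanged in the article; undefanged here
# so they can be compared with log fields).
STAGING_HOST = "192.248.176.138"  # network share the script and interpreter are copied from
C2_HOST = "46.101.113.161"        # hard-coded C2 of the simplified script (no DGA)

NODE_NAMES = {"node.exe", "node"}
SHELL_NAMES = {"cmd.exe", "powershell.exe"}

# Assumed event format (not from the article): one event per line, key="value" pairs,
# loosely modelled on Sysmon process-creation and network-connection fields.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" event line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_node(path: str) -> bool:
    return basename(path) in NODE_NAMES


def node_from_unusual_location(ev: Dict[str, str]) -> bool:
    """Rule 1: Node.js interpreter executed from a UNC path (the report describes the
    interpreter being copied from and run off a network drive) or from a user-writable
    directory instead of a normal installation path."""
    if ev.get("EventType") != "ProcessCreate" or not is_node(ev.get("Image", "")):
        return False
    image = ev["Image"].lower()
    return (
        image.startswith("\\\\")
        or "\\appdata\\" in image
        or "\\temp\\" in image
        or "\\users\\public\\" in image
    )


def node_spawns_shell(ev: Dict[str, str]) -> bool:
    """Rule 2: node.exe is the parent of cmd.exe/powershell.exe. The report says the
    observed JS commands gathered host information by running CMD commands."""
    return (
        ev.get("EventType") == "ProcessCreate"
        and is_node(ev.get("ParentImage", ""))
        and basename(ev.get("Image", "")) in SHELL_NAMES
    )


def known_ioc_contact(ev: Dict[str, str]) -> bool:
    """Rule 3: any outbound connection to the staging share or the C2 address."""
    return ev.get("EventType") == "NetworkConnect" and ev.get("DestinationIp") in {STAGING_HOST, C2_HOST}


RULES = [
    ("node_from_unusual_location", node_from_unusual_location),
    ("node_spawns_shell", node_spawns_shell),
    ("known_ioc_contact", known_ioc_contact),
]


def evaluate(lines: List[str]) -> List[Alert]:
    """Run every rule over every event and collect alerts in log order."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                detail = ev.get("CommandLine") or ev.get("DestinationIp", "")
                alerts.append(Alert(name, ev.get("Host", "?"), detail))
    return alerts


# Constructed sample telemetry (hostnames and paths are invented): the first three lines
# mimic the behaviour in the report, the last two are benign developer activity.
SAMPLE_LOG = r'''
EventType="ProcessCreate" Host="ws-042" Image="\\192.248.176.138\share\node.exe" CommandLine="node.exe agent.js" ParentImage="C:\Windows\explorer.exe"
EventType="ProcessCreate" Host="ws-042" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c whoami" ParentImage="\\192.248.176.138\share\node.exe"
EventType="NetworkConnect" Host="ws-042" Image="\\192.248.176.138\share\node.exe" DestinationIp="46.101.113.161" DestinationPort="80"
EventType="ProcessCreate" Host="dev-07" Image="C:\Program Files\nodejs\node.exe" CommandLine="node build.js" ParentImage="C:\Program Files\nodejs\npm.cmd"
EventType="NetworkConnect" Host="dev-07" Image="C:\Program Files\nodejs\node.exe" DestinationIp="198.51.100.7" DestinationPort="443"
'''

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG.splitlines()):
        print(f"[{a.rule}] host={a.host} {a.detail}")
```

Run against the sample, the three ws-042 events trigger one rule each and the dev-07 events trigger none. Rule 3 is the brittle one: the report itself notes the group is expected to refine the script, so hard-coded addresses will go stale, while rules 1 and 2 describe the technique and survive infrastructure changes. Rule 1 will also fire on developer machines that run Node.js from a per-user install under AppData, so tune the path list per environment before deploying it as an alert.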

The report provides a detailed overview of OldGremlin’s toolkit and warns that the new phishing campaigns may have infected a large number of companies. In the coming months, the attackers are expected to move slowly and carefully through their victims’ infrastructures, evading default security controls.