A new ransomware group has been targeting large corporate networks, using self-made backdoors and file-encrypting malware for the initial and final stages of its attacks. The group has been given the codename OldGremlin. Security experts suspect that OldGremlin is currently operating at a smaller scale to fine-tune its tools and techniques before going global. OldGremlin uses custom backdoors (TinyPosh and TinyNode) and ransomware (TinyCrypt, a.k.a. decr1pt) along with third-party software for reconnaissance and lateral movement (Cobalt Strike, a command-line screenshot tool, and NirSoft's Mail PassView for email password recovery). The group has so far targeted medical labs, banks, manufacturers, software developers, and others.
The threat actor starts its attacks with spear-phishing emails that deliver custom tools for initial access. The sender addresses carry real names, impersonating well-known individuals. The emails contain links that download the TinyPosh backdoor. The aim is to gain a foothold on the target organization's network via one of the two backdoors (TinyNode or TinyPosh), which allow the attack to be expanded through additional modules downloaded from the group's command and control (C2) server. Remote Desktop Protocol is also used to jump to other systems on the network. After spending some time on the network identifying valuable systems, the attacker deploys the file-encrypting routine. In the case of a medical laboratory, the attacker obtained domain administrator credentials and created a fallback account with the same elevated privileges to maintain persistence in case the initial one was blocked. OldGremlin moved to the encryption stage a few weeks after the initial access, deleting server backups and locking hundreds of computers on the corporate network. The ransom note left behind asked for close to $50,000 in cryptocurrency for the decryption key and provided a Proton email address for contact.
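As an added detection example (not code from the report above or from the group's tooling), the following Python flags the fallback-admin persistence step described here: an account that is created and then added to a privileged group within a short window. Event IDs follow Windows Security log conventions (4720 account created; 4728/4732/4756 member added to a global, local or universal security group); the sample events, account names and time window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields.
# 4720 = user account created; 4728/4732/4756 = member added to a
# security-enabled global / local / universal group.
SAMPLE_EVENTS = [
    {"time": "2020-09-01T10:02:11", "id": 4720, "subject": "jdoe-admin", "target": "svc_backup2"},
    {"time": "2020-09-01T10:03:40", "id": 4728, "subject": "jdoe-admin", "target": "svc_backup2",
     "group": "Domain Admins"},
    {"time": "2020-09-01T14:15:00", "id": 4720, "subject": "hr-admin", "target": "newhire01"},
    {"time": "2020-09-01T14:16:00", "id": 4728, "subject": "hr-admin", "target": "newhire01",
     "group": "Domain Users"},
    {"time": "2020-09-03T09:00:00", "id": 4728, "subject": "jdoe-admin", "target": "olduser",
     "group": "Domain Admins"},
]

GROUP_ADD_EVENTS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def find_fallback_admin_accounts(events, window=timedelta(hours=24)):
    """Return (account, creator, group) for every account that was created and
    then added to a privileged group within `window`.

    A freshly created account receiving domain-admin rights is rare in routine
    administration, so it is a useful indicator of the fallback-account
    persistence behaviour described in the report."""
    created = {}   # account name -> (creation time, creating subject)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (ts, ev["subject"])
        elif ev["id"] in GROUP_ADD_EVENTS and ev.get("group") in PRIVILEGED_GROUPS:
            info = created.get(ev["target"])
            if info is not None and ts - info[0] <= window:
                hits.append((ev["target"], info[1], ev["group"]))
    return hits


if __name__ == "__main__":
    for account, creator, group in find_fallback_admin_accounts(SAMPLE_EVENTS):
        print(f"ALERT: {account} created by {creator} and added to {group} within window")
```

Pairing this with alerts on the same creating account performing backup deletions shortly afterwards covers the two later stages the report describes.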