Newly emergent threat operation Crypto Ghouls has targeted Russian government, finance, mining, energy, and retail organizations' Windows and VMware ESXi/Linux systems with attacks deploying LockBit 3.0 and Babuk ransomware strains, respectively, reports The Hacker News.
In two intrusions that were part of the campaign, Crypto Ghouls gained initial access through a VPN using a contractor's login credentials and then used NSSM and Localtonet to maintain remote access, according to a report from Kaspersky. The group went on to deploy the XenAllPasswordPro, Mimikatz, MiniDump, PingCastle, PAExec, and AnyDesk tools, as well as the CobInt backdoor, dumper.ps1, and cmd.exe, to carry out further malicious activity. The same tools have previously been observed in attacks by other Russia-targeting threat groups, including BlackJack, MorLock, Shedding Zmiy, and Twelve. "The shared toolkit used in attacks on Russia makes it challenging to pinpoint the specific hacktivist groups involved... This suggests that the current actors are not only sharing knowledge but also their toolkits. All of this only makes it more difficult to identify specific malicious actors behind the wave of attacks directed at Russian organizations," said Kaspersky researchers.