Analysis of Elpaco: a Mimic variant


In a recent incident response case, Kaspersky dealt with a variant of the Mimic ransomware with some interesting customization features.

The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the CVE-2020-1472 vulnerability (Zerologon). The identified variant abuses the Everything library and provides an easy-to-use GUI for the attacker to customize the operations performed by the malware. It also has features for disabling security mechanisms and running system commands. This ransomware variant is named “Elpaco” and contains files with extensions under the same name. In this post, Kaspersky researchers provide details about Elpaco, besides already shared, as well the tactics, techniques and procedures (TTPs) employed by the attackers.

Read more…
Source: Kaspersky


Sign up for our Newsletter


Related:

  • MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks

    December 5, 2024

    Trend Micro researchers have been continuously monitoring the MOONSHINE exploit kit’s activity since 2019. During our research, they discovered a MOONSHINE exploit kit server with improper operational security: Its server exposed MOONSHINE’s toolkits and operation logs, which revealed the information of possible victims and the attack tactics of a threat actor we have named Earth ...

  • Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware

    December 4, 2024

    Beginning in early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign being conducted by Black Basta ransomware operators. Rapid7 initially reported the discovery of the novel social engineering campaign back in May, 2024, followed by an update in August 2024, when the operators updated their tactics and malware payloads ...

  • Ireland: Woman, 20s, arrested over potential data breach at utility service provider

    December 4, 2024

    A woman has been arrested over a potential data breach at a national utility service provider last year. The woman, aged in her 20s, was arrested yesterday and is detained at a garda station in Dublin. The potential breach was identified by members of the Garda National Cyber Crime Bureau in 2023. It was referred to ...

  • UK: Ransomware hackers target NHS hospitals with new cyberattacks

    December 4, 2024

    Ransomware hackers have continued an assault on National Health Service trusts across the United Kingdom by compromising multiple hospitals, exposing sensitive patient data and disrupting emergency services. Inc Ransom, a prolific Russia-linked ransomware group that claimed responsibility for an attack on NHS Scotland earlier this year, now claims to have breached the Alder Hey Children’s Hospital ...

  • Foreign espionage agencies exploit crowdsourcing for covert intelligence gathering in China

    December 4, 2024

    China’s Ministry of State Security revealed on Wednesday that foreign intelligence agencies are using crowdsourcing to gather sensitive data in China, posing a covert but serious threat to national security. This covert method, dubbed “crowdsourced espionage,” poses an escalating threat. Foreign intelligence agencies break down intelligence-gathering missions into smaller, discrete tasks and distribute them via legitimate ...

  • AI chatbot provider exposes 346,000 customer files, including ID documents, resumes, and medical records

    December 3, 2024

    Researchers have discovered a huge Google Cloud Storage bucket, found freely accessible on the internet and containing a treasure trove of personal information. AI startup WotNot provides companies with the ability to create their own customized chatbot. The company reportedly has 3,000 customers including some household family names. But the way its solution is set up ...