OldGremlin is the name given to a new hacker group whose operations were discovered by cybersecurity experts. So far, OldGremlin's activities have been relatively localized, targeting Russian organizations only. Since the hackers belonging to OldGremlin appear to speak fluent Russian, they are evidently not adhering to the rule that even bigger hacker groups follow: do not target Russian or post-Soviet countries. One explanation could be that OldGremlin is leveraging its detailed knowledge of Russia's current affairs to make its spear-phishing attempts more likely to succeed, while also fine-tuning its attack methods and malware tools.
OldGremlin Quickly Adapts Current Events for Phishing Attacks
Indeed, in the several threatening campaigns that have been detected, the group has displayed considerable knowledge and has leveraged advanced social-engineering tactics to gain a foothold within the targeted companies. In the first campaign attributed to the group, OldGremlin targeted a large medical organization with a phishing email in which it impersonated the media holding company RBC. When COVID-19 filled the news cycle, the hackers switched tactics and began sending emails that supposedly came from the organization Mikrofinansirovaniye i Razvitiye (SRO MiR) and contained fake instructions on how to create a safe work environment in the midst of the pandemic. The same phishing method was used once again, but this time the criminals impersonated the dental clinic Novadent.
When the protests in Belarus began, OldGremlin was quick to take advantage of the new situation. The hackers rapidly crafted a new series of phishing emails, this time pretending to be sent by the CEO of Minsk Tractor Works (MTZ). The sender name used for the emails was either 'Alesya Vladimirovna' or 'A.V. Volokhina', both fake personas, while the real CEO of the company is Vitaly Vovk. In the emails that OldGremlin sent to various Russian financial organizations, the hackers, posing as MTZ, claimed that they were under inspection by a prosecutor for allegedly taking part in the protests, and asked the targeted companies to provide additional documents. In the process, the internal networks of the companies were compromised.
OldGremlin Employs a Mix of Self-Developed Malware Tools Alongside Third-Party Software
Following a successful phishing attack, OldGremlin establishes a foothold within the company's network by installing one of two custom-built backdoors called TinyNode and TinyPosh. TinyPosh, for example, is capable of achieving persistence on the system, escalating the privileges of the account from which it was executed, and launching the Cobalt Strike Beacon payload. According to Group-IB's experts, OldGremlin used Cloudflare Workers to hide the real address of the Command-and-Control (C&C) servers used in the campaigns. TinyNode, for its part, is used primarily to download and execute additional malware modules.
Once inside, the hackers start to move laterally through the compromised network in search of specific targets. To keep their actions from leaving much of a trace, they use the Cobalt Strike framework. In the attack campaign against the medical organization, OldGremlin lurked in the network for weeks until it obtained domain administrator credentials. After that, the hackers deleted all of the systems' backups and deployed a custom ransomware threat called TinyCryptor (a.k.a. TinyCrypt or Decr1pt Ransomware). For this particular campaign, the criminals demanded a payment of $50,000 in cryptocurrency and used a ProtonMail address for contact.
Custom Tools and Creative Phishing
OldGremlin stands out because of its use of custom-made backdoors and ransomware. Its backdoors include TinyNode and TinyPosh; its ransomware is TinyCrypt, also known as decr1pt. The group also uses third-party software for reconnaissance and lateral movement, including Cobalt Strike and Mail PassView, and takes screenshots of the command line.
Another notable thing about the group is that it doesn’t have any preferences when it comes to targets. Any prominent business from Russia, including banks, manufacturers, and medical labs, is fair game. This would suggest that the group consists of Russian members or, at the very least, people who speak Russian.
OldGremlin attacks begin with spear-phishing emails, which deliver a custom tool to gain access to a system. The emails are sent under the names of well-known people to better trick victims.
Researchers say that OldGremlin infiltrated the network at a bank by pretending to arrange an interview with a business newspaper.
The "journalist" arranged an appointment with a calendar app and sent an email to the bank, complete with a link to the supposed interview questions, which were hosted on a cloud storage platform. The link instead downloaded the TinyPosh backdoor onto the target computer.
The group also targeted a clinical laboratory. For this attack, the group pretended to represent the Russian media holding company RosBiznessConsulting (RBC), which had recently made the news for being unable to pay for medical services.
OldGremlin has clearly put work into mastering the art of social engineering. They are also adept at using current events to their advantage to improve the credibility of social engineering attacks.
Another example released by researchers at Group-IB showed the hackers pretending to be the CEO of the Minsk Tractor Works. The email claimed the company was investigated for participating in anti-government protests in Belarus and, as a result, needed documents to give to the prosecutor’s office.
The email in question, shown below, did not use the CEO's actual address. The group sent out at least fifty messages to targets in this campaign.
The social engineering gets the group a foothold on the network through the TinyPosh and TinyNode backdoors. Once they have a foot in the door, the backdoors download modules from the command and control (C2) server to take the attack to the next level. The attackers also use Remote Desktop Protocol (RDP) to jump between systems on the network and attack the network as a whole.
OldGremlin will sit on a network for a while and identify the most valuable systems before deploying the encryption routine. In the attack on the medical laboratory, the attackers used the domain administrator credentials they had obtained to create a fallback account with elevated privileges, to be used if the initially hacked account was blocked.
The group waited a few weeks before going ahead with the encryption stage, removing backups from the server, and locking down hundreds of networked computers in the process. The ransom note demanded nearly $50,000 of cryptocurrency for the decryption key. The message included a Protonmail address where the attackers could be contacted.
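As an added example (not code from the article or from Group-IB) covering the post-compromise steps described here and in the earlier section on the TinyPosh/TinyNode foothold and lateral movement: a small Python correlation over constructed Windows Security events that flags a newly created account being added to a privileged group shortly after its creation, and notes whether the creator had an RDP logon that day. The event IDs (4624, 4720, 4728/4732) are real Windows values; the account names, hostnames and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log events (not real telemetry). Event IDs are
# real Windows values: 4624 logon (logon_type 10 = RDP), 4720 account created,
# 4728/4732 member added to a global/local security group (e.g. Domain Admins).
SAMPLE_EVENTS = [
    {"ts": "2020-08-10T09:00:00", "id": 4624, "logon_type": 10, "user": "j.ivanov", "src": "WS-17"},
    {"ts": "2020-08-10T09:04:00", "id": 4720, "user": "j.ivanov", "target": "svc_backup2"},
    {"ts": "2020-08-10T09:05:30", "id": 4728, "user": "j.ivanov", "target": "svc_backup2", "group": "Domain Admins"},
    {"ts": "2020-08-10T09:30:00", "id": 4720, "user": "helpdesk", "target": "new.hire"},
    {"ts": "2020-08-10T10:15:00", "id": 4728, "user": "helpdesk", "target": "new.hire", "group": "Sales"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_fallback_admin_accounts(events, window_minutes=30):
    """Return alerts for accounts created and then added to a privileged group
    within `window_minutes`, noting whether the creating account had an RDP
    logon earlier that day (the RDP-based lateral movement the report describes).
    The benign helpdesk account never reaches a privileged group, so no alert."""
    ordered = sorted(events, key=_ts)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for created in (e for e in ordered if e["id"] == 4720):
        for elevated in ordered:
            if (elevated["id"] in (4728, 4732)
                    and elevated["target"] == created["target"]
                    and elevated.get("group") in PRIVILEGED_GROUPS
                    and timedelta(0) <= _ts(elevated) - _ts(created) <= window):
                rdp = any(e["id"] == 4624 and e.get("logon_type") == 10
                          and e["user"] == created["user"]
                          and _ts(e).date() == _ts(created).date()
                          and _ts(e) <= _ts(created) for e in ordered)
                alerts.append({
                    "creator": created["user"],
                    "new_account": created["target"],
                    "group": elevated["group"],
                    "creator_rdp_logon": rdp,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_fallback_admin_accounts(SAMPLE_EVENTS):
        print(alert)
```

On real telemetry the same logic applies to events exported from the domain controllers' Security logs; the window should be tuned to the organization's normal account-provisioning practice.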
Group-IB noted several attacks between May and August. All of the attacks were against Russian targets, according to the researchers.
Attacking Russian targets like this sets them apart from other Russian hacking groups, who primarily avoid targeting corporations in Russia and other former Soviet countries. It’s something of an unwritten rule for Russian hackers.
Group-IB believes the group is acting like this to refine their techniques before moving on to bigger targets. This approach has been seen with other groups such as Cobalt and Silence. It is also possible that the group is operating out of a neighboring country with strong connections to Russia.