MortalKombat Ransomware Chains Multi-Stage Attacks To Score A Fatality On Your Data

Threat actors are brutalizing their victims’ finances in a Mortal Kombat-themed ransomware campaign.
According to cybersecurity researchers at Cisco’s Talos Intelligence Group, this financially-motivated threat campaign began in December 2022 and is still ongoing. The campaign’s kill chain starts with phishing emails impersonating the legitimate cryptocurrency payment gateway CoinPayments. The emails falsely inform recipients that CoinPayments never received sufficient funds to complete scheduled transactions, prompting recipients to download, extract, and open an attached file presented as an invoice.

The file in question is a batch file that executes a malicious script. The researchers have found two different versions of this batch file: one that downloads and executes the MortalKombat ransomware and one that downloads and executes the Laplas Clipper malware. The latter malware is a clipboard stealer, but, rather than simply exfiltrating everything copied to victims’ clipboards, the malware quietly monitors the clipboards of infected systems for cryptocurrency wallet addresses.
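The delivery step described above, an invoice-themed attachment that unpacks to a batch file, can be screened at the mail gateway. The following is an added example, not code from Talos or the original article; it assumes the attachment is a ZIP archive and that `.bat`/`.cmd` members are the ones to flag, and the sample message and addresses are constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions treated as batch scripts for this check.
SCRIPT_EXTS = (".bat", ".cmd")


def script_members(zip_bytes):
    """Return names of batch-script members inside a ZIP archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # corrupt or non-ZIP payload: nothing to report
    return [n for n in names if n.lower().endswith(SCRIPT_EXTS)]


def flag_message(raw):
    """Return (attachment, member) pairs for batch files inside ZIP attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check content, not the filename, so a renamed archive is still inspected.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            hits += [(name, member) for member in script_members(payload)]
    return hits


def build_sample(member_name):
    """Build a constructed test e-mail carrying a ZIP with one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "placeholder content")
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Payment timed out"
    msg.set_content("See attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_message(build_sample("invoice.pdf.bat")))
    print(flag_message(build_sample("invoice.pdf")))
```
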
