Gremlins Attack Russia – Again
OldGremlin Launched New Hacking Campaign
The Vladimir Putin government has another problem to worry about, not only the failing war it has launched on the peaceful country of Ukraine. But an old enemy of the Russian empire has recently been detected launching targeted and deliberate attacks to deceive its citizens.
OldGremlin is back in the spotlight. The nightmare dark web hacking group that employs exceptionally advanced abilities to undertake meticulously planned, occasional devastating hacking campaigns, made a reappearance last month after more than a year hiatus.
With targeted and often successful hacks, the hacking gang separates from other ransomware operations by launching limited hacking campaigns – just under five since early 2021 – However, this group of dark web hackers targets primarily Russian firms through its proprietary developed in-house backdoors.
Orchestrated Phishing Campaigns
Although their campaigns seem to be less active, which may indicate that perhaps the ransomware enterprise is more of a side hustle, OldGremlin has sought $3 million in ransom from one of its victims.
With the use of its new custom-made backdoor, the dark web hackers’ email phishing campaigns usually direct unsuspecting victims to a harmful file hosted in Dropbox. Once on the site, the malicious link downloads the TinyFluff backdoor that runs the Node. Next, the OldGremlin hackers gain unauthorized access to a specific machine via the js interpreter.
TinyFluff is a modified version of TinyNode, which is an older backdoor that has been linked to the dangerous threat actors in previous cyber security attacks. Several cyber analysts that research the hacking group depict the changes in the 2022 OldGremlin’s phishing campaigns detected from March 22 through March 25.
New Virus Infection Chains
The most current OldGremlin hacking operation comprised of multiple phishing attacks that were initiated somewhere at end of March 2022. So far, the Russian organizations targeted are unknown, but security experts estimated that the OldGloblin has a Russian mining company in its crosshairs.
Group-IB, a Singapore-based cyber security firm, says its professionals recorded that the perpetrator did not deviate from its renowned strategy of exploiting popular news topics to gain early access. One such time, OldGremlin impersonated a senior accounting consultant in a Russian financial organization, warning that the latest sanctions placed on Russia will cause the Visa and Mastercard payment computing systems to cease operations.
Cyber research analysts attached to the Group-IB security firm revealed they have uncovered two variations of TinyFluff: an older, more sophisticated version, and a simplified newer version that transfers the payload and the Node.js interpreter from its cache address at 192.248.176[.]138.
In addition, the researchers stated that the more complicated edition of TinyFluff was streamlined by the dark web hackers for more easily launched phishing attacks. With their eyes set on the current Russian war against Ukraine, it was theorized that the hacking group will most likely strengthen its hacking software for near future attacks.
Also, according to the Threat Intelligence Group-IB, their analytics shows that OldGremlin trends on comprehensive virus detection websites. Confirmed reports recorded that over 20 antivirus programs have discovered both forms of the in-house backdoor, equipped to launch malicious malware created by the dangerous OldGremlin hackers.