
OldGremlin

Posted: September 24, 2020

OldGremlin is a threat actor specializing in compromising corporate entities' servers and encrypting their files for ransom. The group uses highly sophisticated social engineering lures that can include convincing, industry-specific details and back-and-forth messaging that continues for weeks or months. Businesses should keep protecting their servers with appropriate backup practices and security protocols, and have their anti-malware products isolate and remove OldGremlin's threats as soon as possible.

The Little Monster Fiddling with Hardware

The gremlin of modern folklore comes from the imagination of Britain's air force crews, but a new group of hackers bearing the name is practicing on Russian victims. OldGremlin is an exceptionally bold threat actor in its choice of targets, disregarding the risk it takes on by attacking 'local' businesses. Most criminals with Russian connections focus their crimes outside their national borders, but OldGremlin is the exception to that normally almost-ironclad rule.

OldGremlin targets well-financed corporate entities in Russia without discriminating between industries and does so by sending elaborate phishing lures. These e-mail tactics include references to the target company's clientele and services, employee names, and fluent, appropriate language. Long-running attempts to trick victim employees may run to dozens of e-mail exchanges, but always with the overall goal of getting the recipient to click a disguised, unsafe link or download.

Payloads from this group begin with custom backdoors and third-party tools that give the attackers access to the computer and the rest of the business's internal network. OldGremlin is one of many groups abusing the Cobalt Strike threat-emulation software, and it also brings in-house tools into play, including TinyNode and TinyPosh, two backdoor Trojans. Further overt action may not come for weeks after the initial compromise.

The last step in OldGremlin's campaigns involves deleting the victim company's backups and encrypting its files, again using a custom-made file-locker Trojan. Although malware experts can confirm ransom demands of tens of thousands of dollars in cryptocurrency, the amounts are potentially flexible.

Containing Russian Trojans Before They Get Out of Hand

Samples of the phishing material from OldGremlin's attacks suggest that some of the group's members are fluent in Russian and highly familiar with the major corporations within that country. Although this recklessness might invite hostility from Russian law enforcement, it's also possible that the threat actor is based in an adjacent region or has some other source of familiarity with Russia's business landscape. All known attacks occur inside that country, but OldGremlin could expand its operations worldwide with little difficulty and enormous profit potential.

Phishing lures from OldGremlin may show a level of craftsmanship usually found only in Advanced Persistent Threat-style, government-sponsored attacks. Like many smaller actors, OldGremlin also uses headline-news events (such as the Coronavirus epidemic) as themes for compromising employees who want to stay up to date on the latest guidelines and news. Fake calendar software appointments, fictitious security vendor authentication, and Bit.ly shortened Web links are among the many tactics this group uses.
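As an added, defender-side illustration of the link-shortening tactic named above (this is example code written for this page, not tooling from the article or from any vendor), the following Python script flags e-mail links that point at URL-shortener hosts and HTML links whose visible text names a different host than the real destination. The shortener list and the sample messages are constructed assumptions, not indicators from any real campaign.

```python
"""Flag shortened links and link-text mismatches in e-mail bodies.

Added example for a mail-triage queue; not code from the original
article. The shortener list and the sample messages below are constructed
assumptions, not indicators taken from any real campaign.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of common URL-shortener hosts. bit.ly is the one the
# article names; the others are assumed additions for illustration.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Matches an http(s) URL up to the next whitespace or quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(url):
    """Return the lower-cased host of a URL, with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def analyze_email(body, is_html=False):
    """Return a list of findings (dicts) for one e-mail body.

    Finding kinds:
      shortener     - a link points at a known URL-shortener host
      text_mismatch - the visible link text is itself a URL on another host
    """
    if is_html:
        parser = AnchorCollector()
        parser.feed(body)
        pairs = parser.links
    else:
        # Plain text: the URL is its own visible text, so no mismatch is possible.
        pairs = [(u, u) for u in URL_RE.findall(body)]

    findings = []
    for href, text in pairs:
        href_host = link_host(href or "")
        if not href_host:
            continue
        if href_host in SHORTENER_HOSTS:
            findings.append({"kind": "shortener", "url": href})
        if text and URL_RE.fullmatch(text) and link_host(text) != href_host:
            findings.append({"kind": "text_mismatch", "url": href, "shown_as": text})
    return findings


# Constructed sample messages (placeholders, not real lures).
SAMPLE_PLAIN = (
    "Colleagues, the updated remote-work guidelines are available here: "
    "https://bit.ly/EXAMPLE-guidelines\n"
)
SAMPLE_HTML = (
    '<p>Your calendar invite is waiting: '
    '<a href="https://bit.ly/EXAMPLE-invite">'
    "https://calendar.example-corp.test/invite</a></p>"
)
SAMPLE_BENIGN = "Agenda for Monday: https://intranet.example-corp.test/agenda"

if __name__ == "__main__":
    for name, body, html in (("plain", SAMPLE_PLAIN, False),
                             ("html", SAMPLE_HTML, True),
                             ("benign", SAMPLE_BENIGN, False)):
        print(name, analyze_email(body, is_html=html))
```

The script only triages: a shortened link is a signal to expand and inspect the destination before anyone clicks, not proof of malice, since shorteners are also used legitimately. The link-text check catches the common trick of showing a trustworthy-looking URL while the href points elsewhere.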

Tried-and-true anti-malware services should catch and delete most threats associated with OldGremlin attacks. However, they may not do so in time to block a payload, and workers who believe they have been compromised should follow appropriate recovery procedures, such as changing the passwords of endangered accounts.

Tens of thousands of dollars are at stake in the average OldGremlin attack. It's lamentable that the companies most capable of protecting themselves from such a smooth-talking burglar also run the servers that offer the most irresistible incentive for robbery, but such is the nature of cyber-security.
