Russian Hackers are Reusing Ransomware Hacking Tools Created by APT Groups
Table of Contents
- By Websites Admin
- Published: Mar 18, 2022
- Last Updated: Feb 27, 2025
A ransomware hacking collective that speaks Russian is zeroing in on gaming and gambling businesses with repurposed ransomware tools initially developed by APT groups. Here is a quick look at how this creative attack was devised and is now being implemented.
When Did the Attack First Originate?
Though digital security specialists are unsure when the original APT groups developed the hacking tools that are now being manipulated, the identities of those originators are known. APT groups, including the likes of MuddyWater, created the tools. MuddyWater is a hacking collective based in Israel.
Where Are the Targets Located?
The Russian ransomware hackers have narrowed their focus on gambling businesses and gaming specialists throughout Central America and Europe.
How is the Attack Performed?
This idiosyncratic ransomware attack is centered on abusing stolen user credentials to obtain access to a target’s network. Such unauthorized access sets the stage for Cobalt Strike payloads to be transmitted onto breached assets. The attack details were revealed last week in a digital security report published by cyber security researchers with Security Joes, an incident specialist based in Israel.
As of the time of this publication, the infection has not been contained. However, the digital forensics specialists taking a deep dive into the attack are quickly developing an understanding of its nuances. The hackers use post-exploitation tools ranging from SoftPerfect to NetScan, LaZagne, and ADFind to launch the attack. These digital miscreants are also using an AccountRestore executable to override safeguards preventing access to administrator credentials.
The cybercriminals are also implementing Ligolo in the attack. Ligolo is a forked reverse tool for digital tunneling. Ligolo is the primary tool used in the attacks launched by the MuddyWater hacking collective referenced above. Implementing the Ligolo fork has heightened the chances of the digital miscreants manipulating other hacking tools created by outside groups and implementing their unique signatures to generate confusion as to which party is actually responsible for the infiltration.
The overlap with a ransomware group that speaks Russian makes it appear as though the attack is the result of a traditional ransomware toolkit. It is clear the hackers behind this digital attack have advanced programming skills along with red teaming expertise.
What is Sockbot’s Role in the Attack?
The attack also uses a modified variant referred to as Sockbot. Sockbot is best described as a Golang binary created to expose a breached network’s internal assets to the web discretely. The alterations made to the malware eliminate the need for command-line parameters. The changes also include multiple execution checks to prevent the use of multiple instances in coordination with one another.
When Did the Attack Begin?
The retooled customized hack began in February of 2022. However, the digital forensics team analyzing the attack did not specify the exact date when the attack began.
What is the Best Line of Defense Against the Hack?
The intrusion’s entry point consists of compromised credentials. Therefore, it is in the interest of all computer users to implement access controls for additional protection. The use of internet privacy and security tools will also help mitigate the threat.
