The Resurgence of OldGremlin: A Cyber Threat Reawakens

August 16, 2024, 5:23 am
In the shadows of the digital world, a familiar specter has returned. The OldGremlin ransomware group, once a formidable force in cybercrime, is back in action. From 2020 to 2022, they wreaked havoc on Russian companies, demanding ransoms that soared into the millions. In one notorious incident, they demanded a staggering 1 billion rubles. After a period of dormancy, they have resurfaced, bringing with them new tactics and tools that threaten to disrupt the digital landscape once again.

The cyber world is a battlefield. OldGremlin has proven to be a relentless adversary. Their attacks are like a storm, sudden and devastating. They had been notably inactive since September 2022, leaving many to wonder if they had been silenced for good. However, the recent analysis by F.A.C.C.T. reveals that the group is far from finished. Their latest weapon? A new tool dubbed OldGremlin.JsDownloader.

The resurgence began with a seemingly innocuous email. Analysts discovered a message sent from a compromised account at “Диадок,” a legitimate company. The email, disguised as a notification, contained a link that promised important documents. But lurking behind this façade was a malicious payload. This is a classic tactic in the cybercriminal playbook—deception wrapped in legitimacy.

The email was sent on August 12, 2024, to an employee of a major Russian petrochemical company. The sender, using the name Olga Makarova, appeared credible. The domain used, @diadok[.]net, mimicked the real domain of the company, diadoc[.]ru. This is a hallmark of OldGremlin’s strategy—exploiting trust to gain access.

Clicking the link initiated a chain reaction. It led to the download of a ZIP file masquerading as an invoice. Inside was a shortcut file that, when executed, connected to a WebDAV server. This server, a remote file management system, became the launchpad for further attacks. The command executed on the victim's machine was a call to a Node.js interpreter, a tool that would facilitate the next phase of the attack.

WebDAV is not just a tool; it’s a double-edged sword. While it allows for collaborative file management, it can also be weaponized by cybercriminals. OldGremlin has a history of using WebDAV in their operations, making this latest attack a familiar pattern. The downloaded Node.js file, an older version, was a red flag. OldGremlin has consistently relied on Node.js interpreters in their attacks, signaling a return to their roots.
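The execution chain described above (shortcut, WebDAV share, Node.js interpreter) leaves a recognisable trace in process-creation telemetry. The following is an added detection example written for this article, not code from the original post or from F.A.C.C.T.; the event field names and the sample events are constructed, and the WebDAV UNC form `\\host[@SSL]\DavWWWRoot\...` is the Windows WebClient mapping convention.

```javascript
// Added example: flag a Node.js interpreter executed from, or pointed at, a WebDAV share.
// Field names (parent, image, cmdline) and the sample events are constructed.

// Windows WebClient exposes WebDAV as \\host[@SSL][@port]\DavWWWRoot\<path>
const DAV_UNC = /\\\\[^\\\s]+\\DavWWWRoot\\/i;
// node.exe or node as the executable basename
const NODE_IMAGE = /(^|\\|\/)node(\.exe)?$/i;

// Constructed process-start events (not real indicators from the case).
const sampleEvents = [
  { parent: 'C:\\Windows\\explorer.exe',
    image: '\\\\files.example.test@SSL\\DavWWWRoot\\node.exe',
    cmdline: '\\\\files.example.test@SSL\\DavWWWRoot\\node.exe \\\\files.example.test@SSL\\DavWWWRoot\\invoice.js' },
  { parent: 'C:\\Program Files\\nodejs\\node.exe',
    image: 'C:\\Program Files\\nodejs\\node.exe',
    cmdline: 'node.exe server.js' },
  { parent: 'C:\\Windows\\explorer.exe',
    image: 'C:\\Windows\\System32\\notepad.exe',
    cmdline: 'notepad.exe \\\\fs\\DavWWWRoot\\readme.txt' },
];

// Severity model: interpreter run off WebDAV is the pattern from the article;
// any binary executed straight from WebDAV is suspicious; a mere reference is weak.
function classifyEvent(ev) {
  const imageOnDav = DAV_UNC.test(ev.image);
  const argsOnDav = DAV_UNC.test(ev.cmdline);
  const isNode = NODE_IMAGE.test(ev.image);
  if (isNode && (imageOnDav || argsOnDav)) return 'high';
  if (imageOnDav) return 'medium';
  if (argsOnDav) return 'low';
  return 'none';
}

// Returns only the events that matched, annotated with their severity.
function scanEvents(events) {
  return events
    .map(ev => ({ ...ev, severity: classifyEvent(ev) }))
    .filter(r => r.severity !== 'none');
}

module.exports = { classifyEvent, scanEvents, sampleEvents };
```

In an environment that legitimately runs Node.js, tune the rule on the image path (the interpreter should come from an installed location) rather than on the interpreter name alone.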

The malicious script, once executed, would connect to a command and control (C2) server. This server is the puppet master, orchestrating the attack. The script, OldGremlin.JsDownloader, is designed to fetch and execute arbitrary JavaScript code. This is where the real danger lies. The script operates in stealth, waiting for instructions from the C2 server.

Upon execution, the script sends a random 32-byte data set to the server. This data is a breadcrumb, a signal that the victim is online. The server responds with a signature, a key to unlock the next phase of the attack. If the signature checks out, the downloader awaits further instructions. This is a chilling reminder of how sophisticated modern cyber threats have become.

The encryption used in this attack is equally concerning. OldGremlin employs RC4, a stream cipher that has been around for decades. While it is not the most secure method, its simplicity makes it appealing for quick attacks. The decryption key is derived from the 32 random bytes sent at check-in, so every session's key is tied to that initial exchange.

Indicators of compromise (IoCs) have been identified, providing a roadmap for defenders. The filenames, hashes, and domains used in this attack are crucial for detection and prevention. For instance, the malicious ZIP file named "schet-faktura-090824.zip" and its associated hashes are now part of the cybersecurity lexicon. These details are vital for organizations to bolster their defenses against this renewed threat.

The return of OldGremlin is a wake-up call. Cybersecurity is a constantly evolving landscape. Threats morph and adapt, and what was once dormant can resurface with a vengeance. Organizations must remain vigilant, continuously updating their defenses and educating their employees about the dangers lurking in their inboxes.

In conclusion, the resurgence of OldGremlin serves as a stark reminder of the persistent nature of cyber threats. The digital realm is a chessboard, and every move counts. As long as there are vulnerabilities, there will be those who seek to exploit them. The battle against cybercrime is far from over. Organizations must fortify their defenses, stay informed, and prepare for the next wave of attacks. The storm may have returned, but with vigilance and preparation, it can be weathered.