skip to Main Content

Cybercrime, Sodinokibi attackers leverage Cobalt Strike and scan for POS

Symantec cyber security experts: Sodinokibi attackers leverage Cobalt Strike and scan for POS. A ransomware campaign exploits both malware to earn big profits from large-multinational companies

Sodinokibi (aka REvil, Sodin) threat is evolving. It has been discovered by Symantec cyber security experts who spotted a targeted ransomware campaign in which the attackers are also scanning the networks of some victims for credit card or point of sale (PoS) software. It is not clear if the cybercrime actors are targeting this software for encryption or because they want to scrape this information as a way to make even more money from this attack. Moreover, they are using the Cobalt Strike commodity malware to deliver Sodinokibi to victims. Eight organizations were hit by the malicious, with three of them subsequently infected with the ransomware. The companies were primarily large, even multinational, likely targeted because the attackers believed they would be willing to pay a large ransom to recover access to their systems. In fact, they asked $50,000 in Monero cryptocurrency if paid within the first three hours, and $100,000 after.

The cybercrime gang used also legitimate tools

According the cyber security experts, the cybercrime actors leveraged legitimate tools in this campaign, and at one point a legitimate remote admin client tool by NetSupport Ltd to install components during these attacks. They also exploited ‘legitimate’ infrastructure to store their payload and for their command and control (C&C) server. The attackers are using code-hosting service Pastebin to host their payload (the Cobalt Strike malware and Sodinokibi) and Amazon’s CloudFront service for their C&C infrastructure, to communicate with victim machines. Once on a network, the threat actor takes various steps to reduce the chance he will be detected and to increase the chances of the attack working. He attempts to disable any security software on the machine so the activity can’t be detected. He also enable remote desktop connections to use them to launch malicious commands.

Back To Top