GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP – ASEC BLOG

GlobeImposter ransomware is being distributed by MedusaLocker actors, and the evidence points to RDP as the initial access vector. Alongside the ransomware the operators drop Mimikatz, port scanners and other utilities to map the network, dump credentials and move laterally inside the victim environment. Hashtags: #GlobeImposter #MedusaLocker #Mimikatz #RDP

Keypoints

  • MedusaLocker actors are actively distributing GlobeImposter, most likely using RDP as the attack vector.
  • GlobeImposter arrives together with additional tooling (a port scanner, Mimikatz, NetPass and the shared-folder scanner networkshare_pre2.exe) used to survey and exploit the internal network.
  • Credential dumping with Mimikatz (sekurlsa::logonpasswords) supplies the account credentials needed for lateral movement in domain environments.
  • GlobeImposter persists through the RunOnce registry key, encrypts files with AES while protecting the AES key with RSA, and drops a ransom note (how_to_back_files.html).
  • In some cases GlobeImposter is deployed alongside MedusaLocker on the same system, reinforcing the link between the two operations and their shared intrusion pattern (RDP as vector).
  • In some campaigns an XMRig coin miner is installed in addition to the ransomware, so resource hijacking is an auxiliary objective.

MITRE Techniques

  • [T1021.001] Remote Services – RDP – The threat actors use RDP as an attack vector: “Threat actors who use RDP (Remote Desktop Protocol) as an attack vector generally scan for systems where RDP is active and allows external access… Threat actors can use the obtained account credentials to log in to the system through RDP.”
  • [T1003.001] OS Credential Dumping – LSASS Memory – Mimikatz is used to read credentials from LSASS: “The sekurlsa::logonpasswords command outputs every verifiable account credential currently stored on the system memory.”
  • [T1135] Network Share Discovery – Shared folder scanner present in the toolkit to identify accessible network shares.
  • [T1046] Network Service Scanning – Port scanners (advanced_port_scanner.exe, advanced_port_scanner_2.5.3869.exe) used to map the network.
  • [T1547.001] Boot or Logon Autostart Execution – Registry Run Keys/Startup Folder – GlobeImposter persistence via RunOnce: “To maintain persistence, GlobeImposter first copies itself into the %LOCALAPPDATA% path before registering itself to the RunOnce key…”
  • [T1496] Resource Hijacking – XMRig cryptocurrency mining alongside ransomware: “There are some cases where the threat actor would also install an XMRig CoinMiner… Miners.exe” and mining details (pool, username, password).
  • [T1490] Inhibit System Recovery – Volume shadow copies are deleted so that encrypted files cannot be restored from them: “batch file… deleting volume shadow copies and logs.”
  • [T1070.001] Indicator Removal – Clear Windows Event Logs – The same batch file deletes event logs (including RDP logs) to erase traces of the intrusion.
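The intrusion chain above (password guessing over RDP, a successful external RDP logon, shadow-copy and log deletion, RunOnce persistence under %LOCALAPPDATA%) maps onto a handful of Windows Security events. The following detector is an added example written for this page, not code from ASEC or from the malware; the event records are constructed stand-ins for Security log entries 4625/4624/4688 and a generic registry-set event, so the field names and the exact commands matched (vssadmin, wmic, wevtutil) are assumptions rather than details taken from the article.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Addresses treated as inside the organisation: RFC 1918 plus loopback and
# link-local. A real deployment adds its own public ranges and VPN pools.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Commands that delete shadow copies or clear event logs (T1490 / T1070.001).
# The page only says the batch file deletes "volume shadow copies and logs";
# the specific built-ins matched here are the common ones and are an assumption.
DESTRUCTIVE_CMDS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I),
]

# Constructed events, not data from the article. "id" is the Security event ID
# (4625 failed logon, 4624 successful logon, 4688 process creation) or the
# string "registry_set" for a registry modification; the field names are assumed.
SAMPLE_EVENTS = [
    {"ts": f"2023-01-10T02:00:{s:02d}", "id": 4625, "user": "administrator",
     "src": "203.0.113.44", "logon_type": 10} for s in range(1, 49, 8)  # 6 guesses
] + [
    {"ts": "2023-01-10T02:07:30", "id": 4624, "user": "administrator",
     "src": "203.0.113.44", "logon_type": 10},                          # then success
    {"ts": "2023-01-10T02:15:00", "id": 4688,
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"ts": "2023-01-10T02:15:02", "id": 4688, "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2023-01-10T02:16:00", "id": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": r"C:\Users\administrator\AppData\Local\ols.exe"},
    {"ts": "2023-01-10T09:00:00", "id": 4624, "user": "jdoe",
     "src": "10.0.0.7", "logon_type": 10},                               # benign internal RDP
]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def rdp_guess_then_success(events, min_failures=5, window=timedelta(minutes=30)):
    """Flag a successful RDP logon (4624, logon type 10) from an external address
    that was preceded by at least min_failures failed logons (4625) from the
    same address within `window`: the "scan, guess, log in" pattern above."""
    hits = []
    for ev in events:
        if ev["id"] != 4624 or ev.get("logon_type") != 10 or not is_external(ev["src"]):
            continue
        t = datetime.fromisoformat(ev["ts"])
        failures = sum(1 for f in events
                       if f["id"] == 4625 and f.get("src") == ev["src"]
                       and t - window <= datetime.fromisoformat(f["ts"]) < t)
        if failures >= min_failures:
            hits.append(("rdp_external_after_guessing", ev["src"], ev["user"], failures))
    return hits


def recovery_inhibition(events):
    """Process creations whose command line deletes shadow copies or clears logs."""
    return [("destructive_command", ev["cmdline"]) for ev in events
            if ev["id"] == 4688 and any(p.search(ev["cmdline"]) for p in DESTRUCTIVE_CMDS)]


def runonce_localappdata(events):
    """RunOnce entries whose target lives under %LOCALAPPDATA%, the path
    GlobeImposter copies itself to. Registry writes are modelled generically;
    map this to Sysmon event 13 or Security 4657 in a real pipeline."""
    return [("runonce_localappdata", ev["value"]) for ev in events
            if ev["id"] == "registry_set"
            and ev["key"].lower().endswith(r"\currentversion\runonce")
            and "\\appdata\\local\\" in ev["value"].lower()]


def triage(events):
    """Run all three rules and return the alerts in rule order."""
    return rdp_guess_then_success(events) + recovery_inhibition(events) + runonce_localappdata(events)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the first rule fires once (six failures from 203.0.113.44 followed by a successful type-10 logon), the internal RDP session from 10.0.0.7 is ignored, both destructive commands are caught, and the RunOnce value is reported. The failure threshold and window are parameters because legitimate users also mistype passwords; tune them against your own baseline before alerting on them.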

Indicators of Compromise

  • [MD5] GlobeImposter Ransomware (ols.exe) and MedusaLocker Ransomware (olm.exe) – 715ddf490dbaf7d67780e44448e21ca1, 646698572afbbf24f50ec5681feb2db7, and 2 more hashes
  • [MD5] CoinMiner (Miners.exe) – 70f87b7d3aedcd50c9e1c79054e026bd, and 2 more hashes
  • [MD5] NetPass (1).exe – f627c30429d967082cdcf634aa735410
  • [MD5] Shared folder scanner (networkshare_pre2.exe) – 597de376b1f80c06d501415dd973dcec
  • [MD5] Port scanner (advanced_port_scanner.exe) – 4fdabe571b66ceec3448939bfb3ffcd1
  • [MD5] Mimikatz components (mimik.exe, mimilib.dll, mimispool.dll, mimikatz.dll) – 4edd26323a12e06568ed69e49a8595a5, a03b57cc0103316e974bbb0f159f78f6
  • [URL] C2 server for XMRig mining – hxxp://46.148.235[.]114/cmd.php
  • [Domain] Mining pool – pool.supportxmr[.]com:3333
  • [Domain] Mining pool credentials – the username and password used with the pool are listed in the original article and are not reproduced here
  • [IP] Cryptocurrency mining & C2 activity host – 46.148.235[.]114
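Indicators are published defanged (hxxp, [.]) and cannot be compared with logs or hash exports as they stand. The script below, an added example rather than anything from the article or from AhnLab, refangs the network indicators above, derives the bare host from a URL or host:port indicator so DNS and firewall records also match, and checks an EDR-style hash inventory against the MD5 list. The log lines and the hash inventory records are constructed for the example; only the hashes, domain, IP and URL come from the page, and where the page lists two hashes for ols.exe and olm.exe without saying which is which, both carry a combined label.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the list above (defanged exactly as published).
IOC_MD5 = {
    "715ddf490dbaf7d67780e44448e21ca1": "GlobeImposter/MedusaLocker (ols.exe, olm.exe)",
    "646698572afbbf24f50ec5681feb2db7": "GlobeImposter/MedusaLocker (ols.exe, olm.exe)",
    "70f87b7d3aedcd50c9e1c79054e026bd": "XMRig CoinMiner (Miners.exe)",
    "f627c30429d967082cdcf634aa735410": "NetPass",
    "597de376b1f80c06d501415dd973dcec": "Shared folder scanner (networkshare_pre2.exe)",
    "4fdabe571b66ceec3448939bfb3ffcd1": "Port scanner (advanced_port_scanner.exe)",
    "4edd26323a12e06568ed69e49a8595a5": "Mimikatz component",
    "a03b57cc0103316e974bbb0f159f78f6": "Mimikatz component",
}
IOC_NETWORK = [
    "hxxp://46.148.235[.]114/cmd.php",
    "pool.supportxmr[.]com:3333",
    "46.148.235[.]114",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator matches what logs actually contain."""
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"), ioc, flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def expand(ioc: str) -> set:
    """Refanged indicator plus its bare host, so a URL or host:port indicator
    also matches DNS and firewall records that carry only the host."""
    full = refang(ioc)
    host = urlparse(full).hostname if "://" in full else full.rsplit(":", 1)[0]
    return {full, host}


NETWORK_INDICATORS = set().union(*(expand(i) for i in IOC_NETWORK))
# Bounded on both sides so that 46.148.235.114 does not fire on 46.148.235.1140
# and pool.supportxmr.com does not fire on pool.supportxmr.com.example.internal.
NETWORK_PATTERNS = {ind: re.compile(r"(?<![\w.])" + re.escape(ind) + r"(?![\w.])", re.I)
                    for ind in NETWORK_INDICATORS}


def scan_logs(lines):
    """Map line index -> sorted list of indicators found on that line."""
    hits = {}
    for i, line in enumerate(lines):
        matched = sorted(ind for ind, pat in NETWORK_PATTERNS.items() if pat.search(line))
        if matched:
            hits[i] = matched
    return hits


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def scan_hash_inventory(records):
    """records: 'host,path,md5' strings such as an EDR hash export. Paths may
    contain commas, so host is the first field and the digest the last."""
    found = []
    for rec in records:
        parts = rec.split(",")
        host, digest = parts[0], parts[-1].strip().lower()   # normalise hash case
        path = ",".join(parts[1:-1])
        label = IOC_MD5.get(digest)
        if label:
            found.append((host, path, label))
    return found


# Constructed sample data, not records from the article.
LOG_LINES = [
    "2023-01-10T02:20:11 dns host=WS-07 qname=pool.supportxmr.com type=A",
    "2023-01-10T02:20:12 fw allow src=10.0.0.7 dst=46.148.235.114 dport=80 proto=tcp",
    "2023-01-10T02:20:12 proxy GET http://46.148.235.114/cmd.php host=WS-07",
    "2023-01-10T02:21:00 fw allow src=10.0.0.9 dst=46.148.235.1 dport=443 proto=tcp",
    "2023-01-10T02:25:00 dns host=WS-07 qname=pool.supportxmr.com.example.internal type=A",
]
HASH_INVENTORY = [
    "WS-07,C:\\Users\\Public\\ols.exe,715DDF490DBAF7D67780E44448E21CA1",
    "WS-07,C:\\Windows\\System32\\notepad.exe," + md5_of(b"constructed benign content"),
    "WS-09,C:\\Users\\Public\\Miners.exe,70f87b7d3aedcd50c9e1c79054e026bd",
]

if __name__ == "__main__":
    for idx, inds in scan_logs(LOG_LINES).items():
        print(f"line {idx}: {inds}")
    for host, path, label in scan_hash_inventory(HASH_INVENTORY):
        print(f"{host} {path}: {label}")
```

The two near-miss lines (a different address in the same /24 and a hostname that merely starts with the pool's name) are there on purpose: substring matching on refanged indicators is a common source of false positives, and the bounded patterns leave both unmatched while still catching the DNS query, the firewall allow and the proxy request to the cmd.php URL.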

Read more: https://asec.ahnlab.com/en/48940/