A Russian-speaking extortion group allegedly attacked an unnamed gambling organization in Europe and Central America. According to researchers from the Israeli firm Security Joes, the criminals used special tools developed by other APT groups, such as the Iranian MuddyWater, during the attack.
Hackers used stolen credentials to gain unauthorized access to the victim’s network, which eventually led to the installation of the Cobalt Strike payload on compromised systems.
The attack occurred in February 2022, when attackers used post-exploitation tools such as ADFind, NetScan, SoftPerfect and LaZagne. The AccountRestore executable file was also used to select administrator credentials and a fork of a reverse tunneling tool called Ligolo. A modified version of the Ligolo tool called Sockbot is a binary file in the Golang language, designed to discreetly and securely disclose internal assets from a compromised network.
Experts linked the attack to a Russian-speaking group due to the coincidence of artifacts with common sets of tools for ransomware. In addition, one of the executable files (AccountRestore) contains embedded links in Russian.