In early 2024 the Morlock group, which runs ransomware attacks, was highly active: over a short period at least nine large and medium-sized Russian companies fell victim to it. The group's tactics are detailed in a new report by F.A.C.C.T.
Like many other groups, Morlock uses the LockBit 3.0 and Babuk ransomware families, but it stands apart through its own tactics, techniques and procedures (TTPs). The group keeps a low profile: it does not post on cybercrime forums or social media, and it communicates only through encrypted channels.
One notable feature of Morlock's operations is that the group does not steal data before encrypting it, which makes its attacks faster and leaves fewer chances for detection. After a successful attack, victims receive ransom demands that can reach hundreds of millions of rubles.
For initial access, Morlock typically exploits vulnerabilities in widely used applications such as Zimbra, or buys compromised credentials on underground marketplaces. To spread through the network it relies on the Sliver post-exploitation framework and on SoftPerfect Network Scanner for reconnaissance. Some of the malware is downloaded onto hosts directly from legitimate websites through the victim's own web browser, so the payload arrives over an ordinary browsing session rather than from attacker-controlled infrastructure.
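Two of the host-level behaviours described above (SoftPerfect Network Scanner being run, and a file fetched by the user's browser being executed) can be hunted for in process-creation and file-creation telemetry. The script below is an added example written for this article, not tooling from F.A.C.C.T. or from the group; it assumes Sysmon events (ID 1 for process creation, ID 11 for file creation) rendered as JSON with Sysmon's own field names, the sample events are constructed, and the browser list and the "SoftPerfect Network Scanner" version-metadata string are assumptions about what the telemetry will carry.

```python
"""Hunt two Morlock-style TTPs in constructed Sysmon-like telemetry.

Added example for this article (not F.A.C.C.T.'s or the group's tooling).
Assumptions: events are Sysmon ID 1 (process create) and ID 11 (file create)
as JSON dicts with Sysmon field names, in chronological order.
"""
from typing import Dict, Iterable, List

# SoftPerfect Network Scanner ships as netscan.exe / netscan64.exe; attackers
# often rename the binary, so we also match OriginalFileName and Description
# (assumed to carry the product's own version metadata).
NETSCAN_NAMES = {"netscan.exe", "netscan64.exe"}
NETSCAN_DESCRIPTION = "softperfect network scanner"

# Browsers whose file writes we treat as downloads (assumed set; browser.exe is
# Yandex Browser's image name).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "browser.exe"}

# Constructed sample telemetry: one renamed netscan, one benign svchost,
# one browser download that is later executed, one plain browser start.
CONSTRUCTED_EVENTS: List[Dict] = [
    {"EventID": 11,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\ivan\Downloads\update.exe"},
    {"EventID": 1, "Image": r"C:\Users\ivan\Downloads\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Description": "Updater", "OriginalFileName": "update.exe",
     "CommandLine": r'"C:\Users\ivan\Downloads\update.exe"'},
    {"EventID": 1, "Image": r"C:\Users\ivan\Desktop\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Description": "SoftPerfect Network Scanner",
     "OriginalFileName": "netscan.exe",
     "CommandLine": r"svchost.exe /range:10.0.0.1-10.0.0.254"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Description": "Host Process for Windows Services",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Description": "Google Chrome",
     "OriginalFileName": "chrome.exe", "CommandLine": "chrome.exe"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_netscan(events: Iterable[Dict]) -> List[Dict]:
    """Flag process starts of SoftPerfect Network Scanner, renamed or not."""
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        image = e.get("Image", "")
        by_name = (_base(image) in NETSCAN_NAMES
                   or e.get("OriginalFileName", "").lower() in NETSCAN_NAMES)
        by_desc = NETSCAN_DESCRIPTION in e.get("Description", "").lower()
        if by_name or by_desc:
            hits.append({"image": image,
                         "renamed": _base(image) not in NETSCAN_NAMES,
                         "command_line": e.get("CommandLine", "")})
    return hits


def detect_browser_download_executed(events: Iterable[Dict]) -> List[Dict]:
    """Correlate a browser-written file (ID 11) with its later execution (ID 1)."""
    downloaded: Dict[str, str] = {}   # lower-cased path -> browser image
    hits = []
    for e in events:
        if e.get("EventID") == 11 and _base(e.get("Image", "")) in BROWSERS:
            downloaded[e.get("TargetFilename", "").lower()] = e["Image"]
        elif e.get("EventID") == 1:
            image = e.get("Image", "")
            if image.lower() in downloaded:
                hits.append({"image": image,
                             "downloaded_by": downloaded[image.lower()],
                             "parent": e.get("ParentImage", "")})
    return hits


def run(events: Iterable[Dict] = CONSTRUCTED_EVENTS) -> Dict[str, List[Dict]]:
    """Run both detections and return their findings keyed by name."""
    events = list(events)
    return {"netscan": detect_netscan(events),
            "browser_download_executed": detect_browser_download_executed(events)}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, *findings, sep="\n  ")
```

The scanner detection deliberately matches on PE version metadata as well as the image name, because a renamed netscan.exe is exactly the case a name-only rule misses; the download correlation keys on the file path, so it still fires when the dropped file is launched from Explorer rather than by the browser itself.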
Another distinctive Morlock technique is compromising a "popular Russian corporate antivirus" solution when one is deployed in the victim's network: with control over it, the attackers disable protection and use the same access to push malware to further hosts. The group constantly evolves its tools and methods; a list of indicators of compromise is published on GitHub for reference.