Microsoft has confirmed that attackers are abusing PaperCut print-management servers to deliver the Cl0p and LockBit ransomware families. The company's threat intelligence team has attributed a portion of these attacks to Lace Tempest, a financially motivated actor previously tracked as DEV-0950, whose activity overlaps with other threat groups including FIN11, TA505, and Evil Corp.
Lace Tempest used several PowerShell commands to run a TrueBot DLL that connected to a C2 server. The actor then attempted to steal LSASS credentials and injected the TrueBot payload into the conhost.exe process. Next, the attackers deployed a Cobalt Strike Beacon implant to perform reconnaissance, move laterally using WMI, and exfiltrate files of interest via MegaSync. Microsoft stated this in a sequence of tweets.
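The chain above (PaperCut server process launching PowerShell, a DLL run through a loader, LSASS access from an unexpected process, WMI-driven process creation, and a MegaSync client appearing on a server) maps to a handful of endpoint telemetry checks. The following is an added detection example written for this page; it is not code from the article or from Microsoft. It assumes Sysmon-style fields (EventID 1 process creation with `Image`, `ParentImage`, `CommandLine`; EventID 10 process access with `SourceImage`, `TargetImage`, `GrantedAccess`), and the log lines, process GUIDs, file paths and the PaperCut binary name `pc-app.exe` are constructed for the example rather than taken from real telemetry.

```python
"""Heuristic detection of the PaperCut -> TrueBot -> Cobalt Strike chain
over constructed Sysmon-style process events (added example, not the
article's or Microsoft's own code)."""
import json

# Constructed sample events (JSON lines). Paths and GUIDs are invented;
# GrantedAccess 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "pc-app.exe", "ProcessGuid": "A1"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "CommandLine": "powershell.exe -nop -w hidden -c \"rundll32 C:\\Users\\Public\\update.dll,Entry\"", "ProcessGuid": "A2"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "rundll32 C:\\Users\\Public\\update.dll,Entry", "ProcessGuid": "A3"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\conhost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami", "ProcessGuid": "A4"}
{"EventID": 1, "Image": "C:\\Users\\svc\\AppData\\Local\\MEGAsync\\MEGAsync.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "MEGAsync.exe", "ProcessGuid": "A5"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
"""

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
PROCESS_VM_READ = 0x0010  # the access right needed to read LSASS memory


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, subject) findings for each stage of the chain."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            image = basename(ev["Image"])
            parent = basename(ev["ParentImage"])
            # Stage 1: the PaperCut server process spawning a script host.
            if "papercut" in ev["ParentImage"].lower() and image in SCRIPT_HOSTS:
                findings.append(("papercut_spawns_script_host", ev["ProcessGuid"]))
            # Stage 1b: a script host running a DLL through rundll32/regsvr32.
            if parent in SCRIPT_HOSTS and image in DLL_LOADERS and ".dll" in ev["CommandLine"].lower():
                findings.append(("script_host_loads_dll", ev["ProcessGuid"]))
            # Stage 3: WMI-driven process creation, typical of WMI lateral movement.
            if parent == "wmiprvse.exe":
                findings.append(("wmi_remote_process", ev["ProcessGuid"]))
            # Stage 4: a MegaSync client on a server is an exfiltration signal.
            if image == "megasync.exe":
                findings.append(("megasync_on_server", ev["ProcessGuid"]))
        elif ev.get("EventID") == 10:
            # Stage 2: any process opening LSASS with read access to its memory.
            if basename(ev["TargetImage"]) == "lsass.exe" and int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
                findings.append(("lsass_read_access", basename(ev["SourceImage"])))
    return findings


def stages_seen(findings):
    """Distinct rule names that fired, sorted, to gauge how much of the chain is present."""
    return sorted({rule for rule, _ in findings})


if __name__ == "__main__":
    hits = detect(parse_events(SAMPLE_LOG))
    for rule, subject in hits:
        print(f"{rule}: {subject}")
    print("stages:", stages_seen(hits))
```

Each rule on its own will produce noise on a real fleet (administrators do run PowerShell, and some security tools legitimately open LSASS), so the useful signal is several stages firing on the same host within a short window; `stages_seen` is the starting point for that correlation. Tuning belongs in an allowlist of known-good `SourceImage` values for the LSASS rule and of approved parent processes for the script-host rule.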
Lace Tempest is a Cl0p ransomware affiliate that has previously exploited Fortra GoAnywhere MFT and gained initial access through Raspberry Robin infections. Raspberry Robin, also called the QNAP worm, is access-as-a-service malware used as a delivery vehicle for next-stage payloads, including IcedID, Cl0p, and LockBit. The malware incorporates various obfuscation, anti-debugging, and anti-virtual-machine measures to evade detection.