Kaspersky uncovers attacks targeting Albanian government with ransomware and wipers signed with stolen certificates

Woburn, MA, Dec. 22, 2022 (GLOBE NEWSWIRE) -- Woburn, MA – December 22, 2022 – Kaspersky has shared its discovery of a malicious campaign aimed at Albanian government organizations, performed in two waves from July to September 2022. The investigation showed cybercriminals deployed ransomware and wiper malware to compromise their victims, using stolen legitimate certificates from the Nvidia and Kuwait Telecommunications company to sign their malware. The method of attack featured many characteristics of the notorious Shamoon cyberattacks previously observed in the Middle East. In a new report, Kaspersky researchers have analyzed malware modifications used in the second wave of attacks.

In July 2022, a number of massive cyberattacks on Albanian government e-services were reported by the country’s media outlets. Further investigation showed they were part of a coordinated effort likely intended to cripple Albania’s systems, some of which are critical for law enforcement. In September, Kaspersky experts identified ransomware and wiper malware samples resembling ones from the first wave. However, there were a few interesting modifications that likely facilitated the evasion of security controls and enabled better attack speeds. Chief among the changes was the embedding of a raw disk driver, allowing direct hard disk access inside the malware itself. The samples showed modified metadata and were signed with Nvidia’s leaked certificate. The changes were used to automate and speed up wiping in the second wave of attacks, and are reminiscent of previous Shamoon wiper attacks in the Middle East.

While experts weren’t able to identify the initial entry point of the threat actor in the analyzed intrusion, they saw some evidence that criminals might have taken over a legitimate remote control software, such as AnyDesk, to start their attacks. In the second wave, wiper modifications included automatic execution upon driver installation – needed due to the urgency and time-limited access window. The attackers and access provider also seemed to belong to different attack groups and spoke different languages.

Further analysis of the campaign by Kaspersky experts revealed that in both waves of attack, the same signing certificate parameters were used, linked to the Kuwait Telecommunications Company. It’s unclear how the threat actor was able to sign its malware, but it’s suspected that it was stolen. However, there are some modifications: in the second wave, there were ransomware checks for six or more arguments, while in the first one there were five or more. Also, some changes in the code were made in order to evade detection.

The ransom notes remained the same in both waves and included political messaging that reflects geopolitical tensions between Albania and Iran.

Finally, in both waves of the campaign, the wiper malware was in use, signed with a leaked Nvidia certificate but with some significant differences. In the first wave, the wiper malware expected to find the raw disk driver in the directory of execution, or in the system directory. Conversely, in the second wave the threat actor embedded the signed raw disk driver in the wiper executable, dropped it and then installed it.

“The campaign against Albanian institutions proves that these threat actors are always evolving in order to evade detection and inflict maximum damage,” said Amin Hasbini, security expert at Kaspersky. “To prevent such attacks, it’s essential to monitor for remote software activities such as AnyDesk, since they might become the initial point for the attack. Another recommendation is to always hunt for and monitor expired or leaked signing certificates, as they can be used by threat actors to load and execute malware.”

Read the full report on Securelist.

To protect yourself and your business from ransomware attacks, consider following the rules proposed by Kaspersky:

  • Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
  • Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
  • Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals' connections.
  • Back data up regularly. Make sure you can quickly access it in an emergency.
  • Use solutions like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response services, which help to identify and stop the attack in the early stages, before attackers achieve their final goals.
  • Use the latest Threat Intelligence  to stay aware of actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.


Ransom note in both wave 1 and wave 2 ransomware

Contact Data