The OldGremlin Ransomware Gang Seeks Victims with the TinyFluff Backdoor
Advanced Persistent Threat (APT) actors are not always highly active. Some prefer a small number of carefully targeted attacks that can yield large returns when they succeed. This is the strategy of the group known as OldGremlin, which has previously carried out several ransomware attacks, typically against businesses and enterprises based in Russia. The frequency of its attacks is very low: only five were recorded in 2021. After that, the group went silent for nearly a year, until now.
Recently, malware researchers identified a new backdoor Trojan dubbed the TinyFluff Backdoor. It shares similarities with the backdoors previously used by OldGremlin, and it reuses some of the network infrastructure the group relied on in earlier campaigns. That overlap in tooling and infrastructure is what links the new activity to OldGremlin.
The targets of the TinyFluff Backdoor are once again Russian financial institutions. The attackers exploit current events: their phishing emails claim to contain information about the financial sanctions imposed on Russian companies and citizens. Recipients are urged to download and review an attached document, which is actually hosted on a public file-hosting service such as Dropbox rather than delivered inside the email. The download conceals malicious code that deploys the TinyFluff Backdoor. Serving the payload from a legitimate hosting service is a common way to get past attachment scanning and sender-reputation filters, so a link to a file-sharing service in an unsolicited message about sanctions deserves the same scrutiny as an unexpected attachment.
Once active, the backdoor gives the attackers full access to the infected device. It collects information about the system, its hardware and its installed software; the operators can then issue remote commands, load additional plugins and more. Notably, the TinyFluff Backdoor has not yet been observed delivering OldGremlin's signature ransomware payloads. Given the group's history and the fact that such a backdoor is exactly the kind of foothold used to stage a ransomware deployment, that is probably only a matter of time.