Introduction
On July 17, 2022, Albanian news outlets reported a massive cyberattack that affected Albanian government e-services. A few weeks later, it was revealed that the cyberattacks were part of a coordinated effort likely intended to cripple the country’s computer systems. On September 10, 2022, Albanian local news reported a second wave of cyberattacks targeting Albania’s TIMS, ADAM and MEMEX systems – the latter two systems critical for law enforcement – reportedly using the same attack type and by the same actors.
Around the same time, we identified ransomware and wiper malware samples resembling those used in the first wave, though with a few interesting modifications that likely allowed evasion of security controls and better attack speeds. Chief among those changes are the embedding of a raw disk driver, providing direct hard disk access inside the malware itself, modified metadata, and the use of Nvidia’s leaked code signing certificate to sign the malware.
So, what’s new in this blogpost?
We compare the first and second waves of ransomware and wiper malware used to target Albanian entities and detail connections with previously known ROADSWEEP ransomware and ZEROCLEARE variants.
The threat actors used certificates from Nvidia and Kuwait Telecommunications Company to sign their malware; the former was already leaked, but we’re not sure how they got their hands on the latter.
We identified potential cooperation between different attack groups speaking different languages, and the possib ..
Support the originator by clicking the read the rest link below.
