Angara Security specialists describe a new hacker group, M0r0k T34m
Angara Security experts have identified a new hacker group, M0r0k T34m (Morok Team, also tracked as Sunset Wolf), active since November 2023. M0r0k T34m attacks organizations of various kinds with a ransomware encryptor and then demands a ransom for decrypting the data, the press service of the information security company told Habr's news service.
The group's ransomware encryptor, called M0r0k, is written in Python and encrypts files recursively using the Fernet symmetric encryption scheme. To maintain a foothold in the compromised network and communicate with its command-and-control server, the encryptor uses the ngrok utility, which exposes port 3389 (RDP). This gives the attackers access to the machine's internal resources.
According to Nikita Leokumovych, Head of Response and Digital Forensics at Angara SOC, the ngrok utility is very popular among attackers; it is used, for example, by the hacker group Shadow Wolf (also known as Shadow or C0met). After gaining access, the attackers create accounts and add them to privileged groups. The names of these accounts are chosen to resemble legitimate ones, preferably the first names of active employees.
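The two post-compromise behaviours described above (privileged accounts created under employee-like names, and an ngrok tunnel exposing RDP) can be turned into simple detection logic. The following is an added example written for this article, not code from Angara Security or from the M0r0k toolkit; the event records, field names, employee list and the one-hour correlation window are all constructed assumptions standing in for real Windows Security telemetry.

```python
"""Detection sketch for two M0r0k T34m post-compromise tactics:
privileged accounts created under employee-like names, and an ngrok
tunnel forwarding RDP (tcp 3389). Input is constructed, simplified
Windows Security event records (dicts), not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample events: 4720 = user account created, 4732 = member
# added to a security-enabled local group, 4688 = process creation.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2024-01-10T02:11:05", "target": "anna", "by": "svc_backup"},
    {"id": 4732, "time": "2024-01-10T02:11:40", "target": "anna", "group": "Administrators"},
    {"id": 4720, "time": "2024-01-10T09:30:00", "target": "contractor42", "by": "helpdesk"},
    {"id": 4732, "time": "2024-01-11T09:30:00", "target": "contractor42", "group": "Administrators"},
    {"id": 4688, "time": "2024-01-10T02:15:00", "process": "ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"id": 4688, "time": "2024-01-10T08:00:00", "process": "notepad.exe", "cmdline": "notepad.exe"},
]

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "remote desktop users"}
EMPLOYEE_FIRST_NAMES = {"anna", "ivan", "olga"}  # constructed stand-in for an HR export

def _t(s):
    return datetime.fromisoformat(s)

def find_suspicious_accounts(events, window=timedelta(hours=1)):
    """Flag accounts added to a privileged group within `window` of creation.
    Marks names colliding with an employee first name as likely impersonation."""
    created = {e["target"].lower(): _t(e["time"]) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4732 or e["group"].lower() not in PRIVILEGED_GROUPS:
            continue
        name = e["target"].lower()
        if name in created and _t(e["time"]) - created[name] <= window:
            hits.append({"account": name, "group": e["group"],
                         "impersonates_employee": name in EMPLOYEE_FIRST_NAMES})
    return hits

def find_ngrok_rdp_tunnels(events):
    """Flag process creations of ngrok whose command line forwards TCP 3389 (RDP)."""
    out = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e["cmdline"].lower()
        if "ngrok" in cmd and "3389" in cmd:
            out.append(e["cmdline"])
    return out
```

The contractor42 account is deliberately not flagged: it was added to Administrators a day after creation, outside the correlation window, which is the kind of tuning a SOC would adjust against its own baseline.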
A full reconstruction of a typical M0r0k incident is still in progress. The experts note, however, that initial access to the network is obtained by exploiting vulnerabilities in public-facing applications.