
New ransomware gang shows LockBit link

Mora_001’s Franken-malware based on LockBit 3.0

Researchers at Forescout are tracking a new ransomware coterie using payloads linked to the LockBit group.

The new gang, known as Mora_001, has been active since January, and has allegedly exploited two Fortinet vulnerabilities to secure a foothold in victims’ estates and deploy its own ransomware, ‘SuperBlack’.

SuperBlack, the researchers say, is based on LockBit Black (aka LockBit 3.0), which was leaked in September 2022. Other threat actors used that leak to build their own versions of the world’s dominant ransomware, so this isn’t necessarily a smoking gun inextricably tying Mora_001 to LockBit.

SuperBlack uses the same underlying code as LockBit Black, though with a custom data exfiltration module and tweaks to the ransom note. The LockBit branding is also missing.

However, there are some other clues pointing to a connection between the groups.

Forescout’s senior manager of threat hunting, Sai Molige, said Mora_001 and LockBit showed similar post-exploitation patterns, and the ransom note retains a qTox (an encrypted messenger often used by ransomware groups) ID known to be used by LockBit.

Molige said this connection “could indicate that Mora_001 is either a current affiliate with unique operational methods or an associate group sharing communication channels.”

That qTox ID led the Forescout team to other malware samples on VirusTotal, which also showed evidence of features taken from different operators, such as a data wiper associated with BlackMatter and BrainCypher.

What were the Fortinet vulnerabilities?

Mora_001 exploited CVE-2024-55591 and CVE-2025-24472 to break into and establish its presence in victims’ environments. Both are authentication bypass flaws Fortinet disclosed in January.

At the time the first of these flaws (55591) was made public, researchers said “mass exploitation of a zero-day vulnerability” was “highly likely.”

For its part, Fortinet said early reports showed the vulnerability was already being exploited “in the wild.”

The attackers were able to use these vulnerabilities to gain a foothold and escalate their privileges to super-admin, creating additional admin accounts to secure persistent access – and then it was the standard steal, encrypt and ransom.
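The persistence step described above, creating extra administrator accounts after reaching super-admin, leaves a trail in the device's audit log. The script below is an added illustration, not code from Forescout, Fortinet or the article: it parses constructed key=value audit lines (a generic format, not the vendor's real one) and flags any admin-account creation or modification that grants a super-admin profile or originates outside an approved management network. The field names, the `svc_backup` account and the addresses are all assumptions.

```python
"""Flag admin-account creation and privilege changes in edge-device audit logs.

Added illustration, not Forescout's or Fortinet's code. The sample lines below
are constructed in a generic key=value style and are NOT the vendor's real
format; map the field names to your own device's audit log before use.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample audit lines (assumed format, not real device output).
# The first three model the pattern in the article: an admin login from an
# external address, then a new account given the super-admin profile.
SAMPLE_LOG = """\
ts=2025-01-20T02:14:07Z user=admin src=203.0.113.45 action=login status=success
ts=2025-01-20T02:15:31Z user=admin src=203.0.113.45 action=add_admin target=svc_backup profile=super_admin
ts=2025-01-20T02:16:02Z user=admin src=203.0.113.45 action=edit_admin target=svc_backup profile=super_admin
ts=2025-01-20T09:00:11Z user=jsmith src=10.0.0.12 action=login status=success
ts=2025-01-20T09:05:44Z user=jsmith src=10.0.0.12 action=edit_admin target=helpdesk profile=read_only
ts=2025-01-20T09:07:10Z user=jsmith src=10.0.0.12 action=config_save object=firewall.policy
"""

# Actions (assumed names) that create or alter an administrator account.
ADMIN_ACTIONS = {"add_admin", "edit_admin"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    ts: str
    actor: str
    src: str
    target: str
    reason: str


def parse_line(line):
    """Split one key=value audit line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _outside(src, nets):
    """True if src is not inside any approved management network (or unparsable)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True
    return not any(addr in n for n in nets)


def find_admin_changes(log_text, approved_nets=("10.0.0.0/8",)):
    """Return findings for admin-account changes that look like persistence.

    A change is flagged when it grants the super_admin profile or when it is
    made from a source outside the approved management ranges. Routine
    low-privilege edits from inside the management network are ignored.
    """
    nets = [ipaddress.ip_network(n) for n in approved_nets]
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") not in ADMIN_ACTIONS:
            continue
        reasons = []
        if ev.get("profile") == "super_admin":
            reasons.append("super_admin profile granted")
        if _outside(ev.get("src", ""), nets):
            reasons.append("source outside approved management range")
        if reasons:
            findings.append(Finding(ev.get("ts", ""), ev.get("user", ""),
                                    ev.get("src", ""), ev.get("target", ""),
                                    "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_admin_changes(SAMPLE_LOG):
        print(f"{f.ts} {f.actor}@{f.src} -> {f.target}: {f.reason}")
```

The two flagged events are the ones that would have caught the article's pattern early: a super-admin account appearing from an address that has no business managing the device. Tuning `approved_nets` to your real management ranges is what makes the second rule useful rather than noisy.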

LockBit’s no good, very bad year

Last year started badly and got worse for LockBit, which had been a major player in the global ransomware scene for years – attacking targets like Royal Mail and the Ministry of Defence.

In February 2024, law enforcement agencies took down the gang’s dark web site and released details of its various affiliates. A few months later, LockBit’s leader was named and shamed as Russian national Dmitry Khoroshev – shortly before the FBI obtained a wealth of decryption keys to help victims reclaim their data.

LockBit returned in the middle of the year, but it was only a short time before law enforcement took the lead again, arresting several individuals linked to the gang.

For now, LockBit is lying low.
