According to Microsoft’s Threat Intelligence Team, a new version of the BlackCat ransomware, also tracked as ALPHV, has been seen dropping the Impacket networking framework and the Remcom hacking tool during the infection process.
Both the framework and the hacking tool can be used by threat actors to better spread laterally across a compromised network.
In a series of tweets, the Threat Intelligence Team noted,
Microsoft has observed a new version of the BlackCat ransomware being used in recent campaigns. This version includes the open-source communication framework tool Impacket, which threat actors use to facilitate lateral movement in target environments…BlackCat is available as part of a ransomware as a service offering. It was initially observed in 2021 and has been updated multiple times to add various features and improvements. We started observing the new version in operations by a BlackCat affiliate in July 2023.
On the inclusion of Impacket and Remcom, the team stated,
The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments...This BlackCat version also has the Remcom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment.
It would seem that the newest version of the ransomware began making the rounds in April of this year. VX-Underground discovered that the developers behind the ransomware were working on upgrading the code to serve the ransomware-as-a-service customers better. By April, these improvements had gone live. The new version is referred to as ALPHV/BlackCat 2.0: Sphynx by developers.
ALPHV/BlackCat 2.0: Sphynx
Shortly after VX-Underground announced their discovery, security researchers at IBM analyzed the new variant. On May 30, IBM X-Force published their findings.
As with earlier variants of BlackCat, the ransomware affiliates primarily target organizations in the healthcare, government, education, manufacturing, and hospitality sectors. Further, several victims have had sensitive data leaked, as is the norm with gangs using double-extortion tactics.
As BlackCat follows the ransomware-as-a-service model, affiliates have also further developed techniques and tactics to include automating the data exfiltration portion of the operation with custom malware strains capable of deleting themselves upon completion of the operation, making security analysis a far more challenging prospect.
First detected in November 2021, the malware’s developers quickly switched to using the Rust programming language in 2022. This was likely done due to the customization opportunities afforded by the language and as a means to hamper efforts to detect and analyze the malware. The constant evolution of ransomware in its now year-and-a-half life cycle has been an ongoing trend.
IBM researchers stated,
During the last six months, X-Force observed multiple intrusions by BlackCat affiliates that demonstrated continuous enhancement of their tooling and tradecraft. BlackCat affiliates continue to abuse the functionality of Group Policy Objects, both to deploy tools and to interfere with security measures. Attackers displaying a nuanced understanding of Active Directory can abuse GPOs to great effect for swift mass malware deployment. For example, threat actors may attempt to increase the speed of their operations by changing default Group Policy refresh times, likely to shorten the window of time between changes taking effect and defenders being able to respond.
Sphynx, the latest variant, continues this trend of constant evolution and differs from previous iterations in several notable ways, more than just the inclusion of the above-mentioned hacking tools.
For instance, previous variants utilized the “–access-token parameter” to execute important tasks. Sphynx removes that parameter and adds a set of more complex arguments. This makes it harder to detect since defenders do not have standard commands to hunt. This is a move in line with the ransomware’s evolution to make it harder to detect and analyze generally.
IBM’s research goes into great detail on the changes to the encryptor and malware in general; these technical aspects are beyond the scope of this article but are recommended reading for those interested.
What is essential for this article is that researchers, when analyzing the ransomware’s toolset, discovered an additional string that suggests that tooling is based on tools from Impacket. The presence of which has now been confirmed by Microsoft along with RemCom.
Further, researchers dug deeper into how BlackCat affiliates evade defenses and spread laterally if Impacket and Remcom are not being used. Researchers noted that attackers will modify the default domain Group Policy Object (GPO) to carry out the following two objectives:
- Disable security controls/antivirus: Attackers changed security policy settings to turn off system monitoring, protection, and notifications and disabled Microsoft Defender.
- Deploy and execute ExMatter (custom exfiltration tool) and BlackCat: Attackers edited default domain GPO settings to spread and execute the attacker’s data exfiltration and ransomware tools. The malware executables were placed in the Domain Controller SYSVOL directory, causing the files to be spread to every other Domain Controller and correspondingly to all joined computers. The same GPO also created two scheduled tasks for the persistent execution of the associated malware payload.
BlackCat is widely believed to be a rebrand of the BlackMatter strain used in the Colonial Pipeline incident. It is clear that the group is highly skilled and poses a threat to any organization targeted.
To defend against possible BlackCat attacks, IBM advises only two to three accounts should be permitted to handle GPO administration from dedicated and secure administrative hosts. This drastically reduces the attack surface an affiliate can exploit.