Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution.
“The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments,” the company’s threat intelligence team said in a series of posts on X (formerly Twitter).
“This BlackCat version also has the RemCom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment.”
RemCom, billed as an open-source alternative to PsExec, has been put to use by Chinese and Iranian nation-state threat actors like Dalbit and Chafer (aka Remix Kitten) to move across the victim environments in the past.
Redmond said it started observing the new variant in attacks conducted by a BlackCat affiliate in July 2023.
The development comes over two months after IBM Security X-Force disclosed details of the updated version of BlackCat, called Sphynx, that first emerged in February 2023 with improved encryption speed and stealth, pointing to continued efforts made by threat actors to refine and retool the ransomware.
“The BlackCat ransomware sample contains more than just ransomware functionality but can function as a ‘toolkit,'” IBM Security X-Force noted in late May 2023. “An additional string suggests that tooling is based on tools from Impacket.”
The cybercrime group, which launched its operation in November 2021, is marked by constant evolution, having most recently released a data leak API to boost the visibility of its attacks. According to Rapid7’s Mid-Year Threat Review for 2023, BlackCat has been attributed to 212 out of a total of 1,500 ransomware attacks.
It’s not just BlackCat, for the Cuba (aka COLDRAW) ransomware threat group has also been observed utilizing a comprehensive attack toolset encompassing BUGHATCH, a custom downloader; BURNTCIGAR, an antimalware killer; Wedgecut, a host enumeration utility; Metasploit; and Cobalt Strike frameworks.
BURNTCIGAR, in particular, features under-the-hood modifications to incorporate a hashed hard-coded list of targeted processes to terminate, likely in an attempt to impede analysis.
One of the attacks mounted by the group in early June 2023 is said to have weaponized CVE-2020-1472 (Zerologon) and CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication software that has been previously exploited by the FIN7 gang, to steal credentials from configuration files.
Canadian cybersecurity company BlackBerry said it marks the group’s “first observed use of an exploit for the Veeam vulnerability CVE-2023-27532.” Initial access is achieved by means of compromised admin credentials via RDP.
“The Cuba ransomware operators continue to recycle network infrastructure and use a core set of TTPs that they have been subtly modifying from campaign to campaign, often adopting readily available components to upgrade their toolset whenever the opportunity arises,” it added.
Ransomware remains a major money-spinner for financially motivated threat actors, growing both in sophistication and quantity in the first half of 2023 than all of 2022 despite intensified law enforcement efforts to take them down.
Some groups have also begun moving away from encryption to pure exfiltration and ransom or, alternatively, resorting to triple extortion, in which the attacks go beyond data encryption and theft to blackmail a victim’s employees or customers and carry out DDoS attacks to put more pressure.
“The increasing popularity of Encryptionless Extortion attacks, which skips over the process of encryption, employs the same tactic of threatening to leak victims’ data online if they don’t pay,” Zscaler said in its 2023 Ransomware Report. “This tactic results in faster and larger profits for ransomware gangs by eliminating software development cycles and decryption support.”
“These attacks are also harder to detect and receive less attention from the authorities because they do not lock key files and systems or cause the downtime associated with recovery. Therefore, Encryptionless Extortion attacks tend to not disrupt their victims’ business operations – which subsequently results in lower reporting rates.”
A second growing trend among ransomware actors is the adoption of intermittent encryption to encrypt only parts of each file to speed up the process as well as sidestep detection by security solutions that “make use of the amount of content being written to disk by a process in their heuristics to identify ransomware.”
Another notable tactic is the targeting of managed service providers (MSPs) as entry points to breach downstream corporate networks, as evidenced in a Play ransomware campaign aimed at finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy.
The attacks leverage “Remote Monitoring and Management (RMM) software used by service providers to gain direct access to a customer’s environment, bypassing the majority of its defenses,” Adlumin said, granting threat actors unfettered, privileged access to networks.
The repeated abuse of legitimate RMM software by threat actors has led the U.S. government to release a Cyber Defense Plan to mitigate threats to the RMM ecosystem.
“Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or manage security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) cautioned.
(An earlier version of the story erroneously mentioned that the security flaw in the Veeam backup service was used to gain initial access. It has been updated to reflect that the issue is exploited during post-exploitation.)
