
New BlackCat Ransomware

Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution.

“The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments,” the company’s threat intelligence team said in a series of posts on X (formerly Twitter).

“This BlackCat version also has the RemCom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment.”

“The BlackCat ransomware sample contains more than just ransomware functionality but can function as a ‘toolkit,’” IBM Security X-Force noted in late May 2023. “An additional string suggests that tooling is based on tools from Impacket.”

The cybercrime group most recently released a data leak API to boost the visibility of its attacks. According to Rapid7’s Mid-Year Threat Review for 2023, BlackCat has been attributed to 212 out of a total of 1,500 ransomware attacks.

It’s not just BlackCat: the Cuba (aka COLDRAW) ransomware group has also been observed using a comprehensive attack toolset encompassing BUGHATCH, a custom downloader; BURNTCIGAR, an antimalware killer; Wedgecut, a host enumeration utility; and the Metasploit and Cobalt Strike frameworks.

BURNTCIGAR, in particular, features under-the-hood modifications to incorporate a hashed hard-coded list of targeted processes to terminate, likely in an attempt to impede analysis.

One of the attacks mounted by the group in early June 2023 is said to have weaponized CVE-2020-1472 (Zerologon) and CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication software that has been previously exploited by the FIN7 gang, to steal credentials from configuration files.

Canadian cybersecurity company BlackBerry said it marks the group’s “first observed use of an exploit for the Veeam vulnerability CVE-2023-27532.” Initial access is achieved by means of compromised admin credentials via RDP.

The repeated abuse of legitimate RMM software by threat actors has led the U.S. government to release a Cyber Defense Plan to mitigate threats to the RMM ecosystem.

“Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or managed security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) cautioned.