Summary
BlackCat (a.k.a. ALPHV and Noberus) is a Ransomware-as-a-Service (RaaS) group that emerged in November 2021, making headlines for being a sophisticated ransomware written in Rust. It has both Windows and Linux variants and the payload can be customized to adapt to the attacker’s needs. BlackCat is also believed to be the successor of the Darkside and BlackMatter ransomware groups. They work with a double-extortion scheme, where data is stolen, encrypted, and leaked if the ransom isn’t paid, which is a common methodology implemented by RaaS groups.
According to Microsoft, BlackCat was found targeting different countries and regions in Africa, the Americas, Asia, and Europe, having at least two known affiliates: DEV-0237 (previously associated with Ryuk, Conti, and Hive), and DEV-0504 (previously associated with Ryuk, REvil, BlackMatter, and Conti). However, due to the diversity of affiliates and targets, BlackCat may present different TTPs across the attacks. Recently, in September 2022, BlackCat claimed to have breached a contractor that provides services to the U.S. Department of Defense and other government agencies.
In this blog post, we will analyze BlackCat and show some of the tactics and techniques we found in a recent ransomware incident analyzed by Netskope Threat Labs. The evidence shows that this was a targeted attack, where the attackers were mainly focused on stealing sensitive data from the organization and infecting as many devices as possible.
Initial Foothold and Lateral Movements
In a recent incident analyzed by Netskope Threat Labs, the attackers breached a contractor who had access to a virtual desktop machine within the corporate network.
The attacker used a malicious browser extension to capture the contractor’s account. Since there was no MFA required, the attacker was able to login to the virtual desktop, escalate privileges, and move to other devices in the corporate network.
Payload Execution
After scanning the corporate network, BlackCat attackers created multiple text files, each one containing the names of identified machines in the network.
Then, they used PsExec and a compromised domain account to deploy ExMatter to more than 2,000 machines in the network.
The attackers used batch files to execute multiple PsExec commands to deploy payloads to the identified machines.
Below is an example of the command line executed by the attacker to remotely execute commands and payloads using PsExec and the compromised account:
start PsExec.exe -d -n 5 @C:\temp\list01.txt -accepteula -u <REDACTED_USER> -p <REDACTED_PASSWORD> cmd /c <COMMAND_LINE>
The description for the PsExec arguments used by the attacker can be found below:
Argument | Description |
---|---|
-d | Don't wait for process to terminate (non-interactive) |
-n 5 | Wait 5 seconds when connecting to remote computers |
@C:\temp\list01.txt | File containing the names of the computers in which PsExec will execute the command |
-accepteula | Automatically accept the EULA to avoid displaying the dialog |
-u | Username of the compromised account used by the attacker |
-p | Password of the compromised account used by the attacker |
cmd /c | Command-line executed by the attacker |
Among other evidence, it’s possible to confirm whether PsExec was successfully executed in a device by checking the following registry key.
Data Exfiltration
In this incident, the attackers used a .NET data exfiltration tool known as ExMatter, which was the same tool used by BlackMatter ransomware and recently adopted by BlackCat. It’s worth mentioning that the server used for data exfiltration in this incident was stood up by the attackers one day before the attack.
The specific sample from this incident was compiled close to the attack and contains a popular .NET protection named Confuser.
The attacker tried to deploy this tool to over 2,000 machines in the network using PsExec, like described earlier. ExMatter will iterate over the drives of infected machines to search for files that will be exfiltrated.