BlackCat Hacker Tool Spreads Ransomware to Remote Machines


The BlackCat ransomware operators have continually adapted and refined their operations, which makes their activity challenging for defenders to mitigate.

According to researchers at Unit 42 of Palo Alto Networks, BlackCat operators recently revealed updates to their tooling, including a utility called Munchkin, for propagating their payload across victim networks. They have been consistently evolving their ransomware tooling over the past two years.



Unit 42 researchers obtained a unique instance of Munchkin loaded in a customized Alpine VM, highlighting a growing trend among ransomware threat actors to use VMs for evading security solutions in malware deployment.

Over time, BlackCat's evolution has included obfuscating its configuration and requiring command-line parameters, measures that harden the payload against analysis.

Their latest tool, 'Munchkin', uses a Linux-based OS to run BlackCat on remote machines and encrypt SMB/CIFS shares.
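Because Munchkin runs inside a VM and encrypts file shares over SMB/CIFS, the file server's own share-access audit trail is one of the few places a defender can see it at work. The following is an added detection example written for this article, not Unit 42 code and not part of the malware. It assumes a simplified CSV-style share audit log (constructed here; the column layout is hypothetical) and that encrypted files receive a new, uniform extension, a common ransomware trait that the article itself does not describe. It flags any source host that writes a burst of files with the same previously unseen extension within a short window.

```python
"""Added example: detect a mass-encryption burst against SMB shares from a
file-share audit log. Hypothetical log format; the sample rows are constructed."""
import csv
import os
from collections import defaultdict, deque
from datetime import datetime
from io import StringIO

# Constructed audit log: one normal user (10.0.0.5) and one host (10.0.0.77)
# rewriting documents across several shares with a uniform new extension.
SAMPLE_LOG = """timestamp,src_ip,share,path,access
2023-10-20T10:00:01,10.0.0.5,FS01/Finance,reports/q3.xlsx,read
2023-10-20T10:00:04,10.0.0.5,FS01/Finance,reports/q3.xlsx,write
2023-10-20T10:00:09,10.0.0.5,FS01/Finance,reports/q3.xlsx.bak,write
2023-10-20T10:01:00,10.0.0.77,FS01/Finance,reports/q3.xlsx.k7x9p,write
2023-10-20T10:01:02,10.0.0.77,FS01/Finance,reports/q2.xlsx.k7x9p,write
2023-10-20T10:01:03,10.0.0.77,FS01/HR,payroll/2023.docx.k7x9p,write
2023-10-20T10:01:05,10.0.0.77,FS01/HR,payroll/contracts.pdf.k7x9p,write
2023-10-20T10:01:06,10.0.0.77,FS02/Shared,notes.txt.k7x9p,write
2023-10-20T10:01:08,10.0.0.77,FS02/Shared,plan.pptx.k7x9p,write
"""

# Extensions that are routinely written on these shares; writes to them are ignored.
BASELINE_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".pptx"}


def detect_mass_encryption(log_text, window_seconds=60, threshold=5):
    """Return one alert per source host that writes >= threshold distinct files
    sharing a single non-baseline extension inside a sliding time window."""
    reader = csv.DictReader(StringIO(log_text))
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, path, ext)
    alerted = set()
    alerts = []
    for row in reader:
        if row["access"] != "write":
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        ext = os.path.splitext(row["path"])[1].lower()
        if ext in BASELINE_EXTENSIONS:
            continue                       # ordinary document write
        window = recent[row["src_ip"]]
        window.append((ts, row["path"], ext))
        # Drop events that have aged out of the window.
        while window and (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        files = {p for _, p, _ in window}
        exts = {e for _, _, e in window}
        if len(files) >= threshold and len(exts) == 1 and row["src_ip"] not in alerted:
            alerted.add(row["src_ip"])
            alerts.append({
                "src_ip": row["src_ip"],
                "extension": ext,
                "files": len(files),
                "first_seen": window[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_LOG):
        print(alert)
```

The single `.bak` write from 10.0.0.5 is not flagged, because one odd file in a minute is normal; the alert fires for 10.0.0.77 at the fifth rewrite. In practice the threshold and window should be tuned against the share's baseline, and the alert is most useful when the source address is not a known workstation, since Munchkin's traffic originates from a VM rather than from the user's usual host.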

Munchkin tool process (Source – Unit42)

Munchkin is delivered as an ISO image of a customized Alpine OS, chosen for its small footprint, and is booted with VirtualBox. Once running, the malware changes the VM's root password, starts a new terminal session with tmux, runs the 'controller' binary, and finally shuts the VM down.

The controller malware resides in the /app directory, alongside the following related files:

  • /app/controller
  • /app/config
  • /app/payload
  • /scripts/smb_common.py
  • /scripts/smb_copy_and_exec.py
  • /scripts/smb_exec.py

The following scripts and tools (many of them Impacket example scripts) are present in the VM's /usr/bin directory:

  • DumpNTLMInfo.py
  • Get-GPPPassword.py
  • GetADUsers.py
  • GetNPUsers.py
  • GetUserSPNs.py
  • addcomputer.py
  • atexec.py
  • changepasswd.py
  • dcomexec.py
  • dpapi.py
  • esentutl.py
  • exchanger.py
  • findDelegation.py
  • flask
  • futurize
  • getArch.py
  • getPac.py
  • getST.py
  • getTGT.py
  • goldenPac.py
  • karmaSMB.py
  • keylistattack.py
  • kintercept.py
  • ldapdomaindump
  • ldd2bloodhound
  • ldd2pretty
  • lookupsid.py
  • machine_role.py
  • mimikatz.py
  • mqtt_check.py
  • mssqlclient.py
  • mssqlinstance.py
  • net.py
  • netview.py
  • nmapAnswerMachine.py
  • normalizer
  • ntfs-read.py
  • ntlmrelayx.py
  • pasteurize
  • ping.py
  • ping6.py
  • pip
  • pip3
  • pip3.11
  • psexec.py
  • raiseChild.py
  • rbcd.py
  • rdp_check.py
  • reg.py
  • registry-read.py
  • rpcdump.py
  • rpcmap.py
  • sambaPipe.py
  • samrdump.py
  • secretsdump.py
  • services.py
  • smbclient.py
  • smbexec.py
  • smbpasswd.py
  • smbrelayx.py
  • smbserver.py
  • sniff.py
  • sniffer.py
  • split.py
  • ticketConverter.py
  • ticketer.py
  • tstool.py
  • wmiexec.py
  • wmipersist.py
  • wmiquery.py

The controller malware, like BlackCat itself, decrypts its strings and checks for the configuration and payload files in the /app directory. It then creates and mounts the /payloads/ directory, in which it builds custom BlackCat instances from the template in /app/payload.
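The /app and /scripts file set above, together with the /usr/bin tool list, gives an analyst a concrete on-disk signature to check when an unexpected ISO or VM image turns up during an incident. The following triage helper is an added example for this article, not Unit 42 code and not part of Munchkin. It assumes the ISO has already been mounted or extracted to a directory (so the article's absolute paths become relative to that directory) and it builds constructed placeholder trees for the demonstration rather than touching any real sample.

```python
"""Added triage helper: report whether a mounted or extracted VM filesystem has the
on-disk layout the article attributes to Munchkin. Hypothetical example; the
sample trees it creates are constructed placeholders."""
import tempfile
from pathlib import Path

# Controller-related files named in the article (relative to the VM root).
CORE_INDICATORS = (
    "app/controller",
    "app/config",
    "app/payload",
    "scripts/smb_common.py",
    "scripts/smb_copy_and_exec.py",
    "scripts/smb_exec.py",
)

# A subset of the /usr/bin tool names the article lists. On their own they are
# only a weak signal, since the same tools ship on legitimate pentest images.
TOOL_NAMES = frozenset({
    "psexec.py", "smbexec.py", "wmiexec.py", "secretsdump.py", "ntlmrelayx.py",
    "mimikatz.py", "GetUserSPNs.py", "GetNPUsers.py", "ticketer.py", "dpapi.py",
})


def triage_filesystem(root):
    """Return a verdict plus the indicator paths and tool names found under root."""
    root = Path(root)
    indicators = [p for p in CORE_INDICATORS if (root / p).is_file()]
    usr_bin = root / "usr" / "bin"
    tools = sorted(n for n in TOOL_NAMES if (usr_bin / n).exists())
    if len(indicators) == len(CORE_INDICATORS):
        verdict = "match"        # the full controller layout is present
    elif indicators or len(tools) >= 3:
        verdict = "suspicious"   # partial layout, or a cluster of offensive tooling
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators, "tools": tools}


def build_sample_tree(base, munchkin_like):
    """Create a constructed placeholder tree for the demo; no real files are copied."""
    if munchkin_like:
        files = list(CORE_INDICATORS) + [
            f"usr/bin/{n}" for n in ("psexec.py", "wmiexec.py", "secretsdump.py")
        ]
    else:
        files = ["usr/bin/python3", "etc/passwd"]
    for rel in files:
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("# constructed placeholder\n")


def run_demo():
    """Triage one constructed Munchkin-like tree and one benign tree."""
    results = {}
    for label, munchkin_like in (("munchkin_like", True), ("benign", False)):
        with tempfile.TemporaryDirectory() as d:
            build_sample_tree(d, munchkin_like)
            results[label] = triage_filesystem(d)
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

To use it on a real artifact, mount the ISO read-only (or extract it) and call `triage_filesystem()` on the mount point; the six-file controller layout is the strong signal, while the tool names only raise the verdict to "suspicious" so that a red-team Alpine image is not mistaken for the malware.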

Creation of a new BlackCat sample based on template and configuration (Source – Unit42)

After the controller finishes, the VM powers off. The malware also contains a message that is never displayed, which appears to urge affiliates to remove the tool from compromised environments.

BlackCat's developers, like many other malware authors, are continually refining their techniques. Munchkin, their newest tool, is part of a growing trend of using virtual machines (VMs) to bypass security controls and stay ahead of the security community.

