November 22, 2024
BlackCat Ransomware Attackers Spotted Fine-Tuning Their Malware Arsenal
The BlackCat ransomware crew has been spotted fine-tuning their malware arsenal to fly under the radar and expand their reach. "Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software," researchers from Symantec 

The BlackCat ransomware crew has been spotted fine-tuning their malware arsenal to fly under the radar and expand their reach.

“Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software,” researchers from Symantec said in a new report.

BlackCat, also known by the names ALPHV and Noberus, is attributed to an adversary tracked as Coreid (aka FIN7, Carbanak, or Carbon Spider) and is said to be a rebranded successor of DarkSide and BlackMatter, both of which shut shop last year following a string of high-profile attacks, including that of Colonial Pipeline.

The threat actor, like other notorious ransomware groups, is known to run a ransomware-as-a-service (RaaS) operation, which involves its core developers enlisting the help of affiliates to carry out the attacks in exchange for a cut of the illicit proceeds.

ALPHV is also one of the first ransomware strains to be programmed in Rust, a trend that has since been adopted by other families such as Hive and Luna in recent months to develop and distribute cross-platform malware.

The evolution of the group’s tactics, tools, and procedures (TTPs) comes more than three months after the cybercrime gang was discovered exploiting unpatched Microsoft Exchange servers as a conduit to deploy ransomware.

Subsequent updates to its toolset have incorporated new encryption functionalities that enable the malware to reboot compromised Windows machines in safe mode to bypass security protections.

“In a July 2022 update the team added indexing of stolen data — meaning its data leaks websites can be searched by keyword, file type, and more,” the researchers said.

The latest refinements concern Exmatter, a data exfiltration tool used by BlackCat in its ransomware attacks. Besides harvesting files only with a specific set of extensions, the revamped version generates a report of all processed files and even corrupts the files.

Also deployed in the attack is an info-stealing malware called Eamfo that’s designed to siphon credentials stored in the Veeam backup software and facilitate privilege escalation and lateral movement.

The findings are yet another indication that ransomware groups are adept at continually adapting and refining their operations to remain effective as long as possible.

“Its continuous development also underlines the focus of the group on data theft and extortion, and the importance of this element of attacks to ransomware actors now,” the researchers said.

BlackCat has also been recently observed using the Emotet malware as an initial infection vector, not to mention witnessing an influx of new members from the now-defunct Conti ransomware group following the latter’s withdrawal from the threat landscape this year.

The sunsetting of Conti has also been accompanied by the emergence of a new ransomware family dubbed Monti, a “doppelganger” group which has been found purposefully and brazenly impersonating the Conti team’s TTPs and its tools.

News of BlackCat adding a revamped slate of tools to its attacks arrives as a developer associated with the LockBit 3.0 (aka LockBit Black) file-encrypting malware allegedly leaked the builder used to create bespoke versions, prompting concerns that it could lead to more widespread abuse by other less skilled actors.

It’s not just LockBit. Over the past two years, Babuk and Conti ransomware groups have suffered similar breaches, effectively lowering the barrier for entry and enabling malicious actors to quickly launch their own attacks.