New BlackCat Hacker Tool Spreads Ransomware to Remote Machines
The BlackCat ransomware operators have demonstrated ongoing adaptation and innovation in their malicious activities, making mitigating their threats challenging for security experts.
According to cybersecurity researchers at Unit 42 of Palo Alto Networks, BlackCat operators recently revealed updates, such as Munchkin, for propagating their payload across victim networks. They have been consistently evolving their ransomware tooling over the past two years.
BlackCat Hacker Tool
Unit 42 researchers obtained a unique instance of Munchkin loaded in a customized Alpine VM, highlighting a growing trend among ransomware threat actors to use VMs for evading security solutions in malware deployment.
BlackCat’s evolution over time has involved obfuscating its configuration and requiring command-line parameters at launch, both of which make the samples harder to analyze.
Their latest tool, ‘Munchkin,’ uses a Linux-based OS to run BlackCat on remote machines and encrypt SMB/CIFS shares.
Munchkin tool process (Source – Unit42)
Munchkin arrives as an ISO file containing Alpine OS, chosen for its compact size, and is booted through VirtualBox. Once running, the malware changes the VM’s root password, starts a new terminal session with tmux, runs the ‘controller’ binary, and then shuts the VM down.
The controller malware resides in the /app directory, alongside the following related files:
/app/controller
/app/config
/app/payload
/scripts/smb_common.py
/scripts/smb_copy_and_exec.py
/scripts/smb_exec.py
The following Python scripts and tools are present within the /usr/bin directory (most are Impacket example scripts bundled with the VM, along with ordinary Python package entry points such as pip and flask):
DumpNTLMInfo.py
Get-GPPPassword.py
GetADUsers.py
GetNPUsers.py
GetUserSPNs.py
addcomputer.py
atexec.py
changepasswd.py
dcomexec.py
dpapi.py
esentutl.py
exchanger.py
findDelegation.py
flask
futurize
getArch.py
getPac.py
getST.py
getTGT.py
goldenPac.py
karmaSMB.py
keylistattack.py
kintercept.py
ldapdomaindump
ldd2bloodhound
ldd2pretty
lookupsid.py
machine_role.py
mimikatz.py
mqtt_check.py
mssqlclient.py
mssqlinstance.py
net.py
netview.py
nmapAnswerMachine.py
normalizer
ntfs-read.py
ntlmrelayx.py
pasteurize
ping.py
ping6.py
pip
pip3
pip3.11
psexec.py
raiseChild.py
rbcd.py
rdp_check.py
reg.py
registry-read.py
rpcdump.py
rpcmap.py
sambaPipe.py
samrdump.py
secretsdump.py
services.py
smbclient.py
smbexec.py
smbpasswd.py
smbrelayx.py
smbserver.py
sniff.py
sniffer.py
split.py
ticketConverter.py
ticketer.py
tstool.py
wmiexec.py
wmipersist.py
wmiquery.py
The controller malware, similar to BlackCat, decrypts its strings and checks for the configuration and payload files in the /app directory. It then creates and mounts the /payloads/ directory, where it writes custom BlackCat instances built from the template in /app/payload.
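As an added example (not code from Unit 42 or from this article), a small triage script that checks an extracted ISO or VM filesystem tree for the layout described above: the controller with its config and payload under /app, the SMB helper scripts under /scripts, and a handful of the Impacket tools under /usr/bin. The verdict thresholds and the constructed sample tree are this example’s own assumptions.

```python
"""Triage an extracted ISO/VM filesystem tree for the Munchkin file layout."""
import os
import tempfile
from typing import Dict, List

# Artifacts named in the Unit 42 report: controller and its inputs under /app,
# SMB helper scripts under /scripts (paths relative to the image root).
MUNCHKIN_ARTIFACTS: List[str] = [
    "app/controller", "app/config", "app/payload",
    "scripts/smb_common.py", "scripts/smb_copy_and_exec.py", "scripts/smb_exec.py",
]
# A few of the Impacket-style tools listed under /usr/bin. They are legitimate
# tools on their own; their presence next to the /app layout raises confidence.
LATERAL_MOVEMENT_TOOLS: List[str] = [
    "psexec.py", "smbexec.py", "wmiexec.py", "secretsdump.py", "ntlmrelayx.py",
]


def triage_tree(root: str) -> Dict[str, object]:
    """Return which reported artifacts exist under `root` and a verdict."""
    found = [p for p in MUNCHKIN_ARTIFACTS if os.path.isfile(os.path.join(root, p))]
    tools = [t for t in LATERAL_MOVEMENT_TOOLS
             if os.path.isfile(os.path.join(root, "usr", "bin", t))]
    # Thresholds are an assumption of this example, not from the report.
    if "app/controller" in found and len(found) >= 3:
        verdict = "likely-munchkin"
    elif found or tools:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "artifacts": found, "tools": tools}


def build_sample_tree() -> str:
    """Constructed sample tree mimicking the reported layout (empty placeholder files)."""
    root = tempfile.mkdtemp(prefix="munchkin-sample-")
    for rel in MUNCHKIN_ARTIFACTS + ["usr/bin/psexec.py", "usr/bin/smbexec.py"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```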
Creation of a new BlackCat sample based on template and configuration (Source – Unit42)
After execution, the VM powers off. The malware also contains a message that is never displayed at runtime; it appears to urge affiliates to remove the tool from compromised environments after use.
BlackCat ransomware developers, like many other malware authors, are continually refining their strategies. Munchkin is their newest tool, and it is part of a rising trend of using virtual machines (VMs) to bypass security controls and stay ahead of the security community.
The post New BlackCat Hacker Tool Spreads Ransomware to Remote Machines appeared first on Cyber Security News.
Over 17,000 WordPress sites hacked in Balada Injector attacks last month
Multiple Balada Injector campaigns have compromised and infected over 17,000 WordPress sites using known flaws in premium theme plugins.
BleepingComputer
Microsoft releases first Windows Server 2025 preview build
Microsoft has released Windows Server Insider Preview 26040, the first Windows Server 2025 build for admins enrolled in its Windows Insider program.
BleepingComputer