Chris Swagler | September 15th, 2023

In a recent development, Microsoft has reported a new version of the BlackCat ransomware, also known as ALPHV and Noberus, that incorporates two additional tools, Impacket and RemCom, to streamline lateral movement within compromised networks and to enable remote code execution.

According to their threat intelligence team, the BlackCat ransomware, infamous for its intricate techniques, now leverages the Impacket tool, which encompasses modules for credential dumping and remote service execution. This strategic integration enhances the BlackCat ransomware’s potential for widespread deployment within targeted environments. The RemCom hacktool has also been embedded within the ransomware’s executable, enabling remote code execution. This variant includes pre-loaded compromised target credentials to expedite lateral movement and the subsequent deployment of ransomware.

RemCom isn’t a new tactic; it has been employed by threat actors from China and Iran, such as Dalbit and Chafer, to navigate victim environments effectively. This marks another instance of ransomware operators advancing their tactics, with the integration of these tools indicating their continuous efforts to refine and enhance their ransomware arsenal.
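The two capabilities described above, remote service execution (Impacket) and an embedded remote-execution service (RemCom), both leave a footprint in the Windows System log as Event ID 7045, "A service was installed in the system". The following triage script is an added example, not code from the SpearTip article or from Microsoft's report. The service names, share-path patterns and command shape it looks for are assumptions drawn from the publicly documented default behaviour of these tools, and the log records it runs over are constructed; both should be validated against real telemetry before being turned into alerts.

```python
# Added example (not from the SpearTip article or Microsoft's report): a
# heuristic triage of Windows System log Event ID 7045 records for
# service-based remote execution of the kind Impacket's remote-service
# modules and RemCom perform. Service names, share paths and the command
# pattern below are ASSUMPTIONS based on the publicly documented defaults of
# those tools; validate them in your own environment. All events are constructed.
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ServiceInstall:
    """Minimal view of one Event ID 7045 record."""
    host: str          # Computer that logged the event
    account: str       # Account that installed the service (SubjectUserName)
    service_name: str  # ServiceName field
    image_path: str    # ImagePath field


# ASSUMED default service names of RemCom and of Impacket's smbexec module.
TOOL_SERVICE_NAMES = {"remcomsvc", "btobto"}
# Service binary loaded from an administrative share (Impacket psexec style).
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\(?:admin\$|c\$)\\", re.IGNORECASE)
# Service "binary" that is really a cmd.exe one-liner redirecting its output.
CMD_ONE_LINER = re.compile(r"(?:cmd\.exe|%comspec%).*>", re.IGNORECASE)


def score_event(ev: ServiceInstall) -> tuple[int, list[str]]:
    """Return a suspicion score (number of indicators hit) and the reasons."""
    reasons = []
    if ev.service_name.lower() in TOOL_SERVICE_NAMES:
        reasons.append(f"service name {ev.service_name!r} is a known remote-exec tool default")
    if ADMIN_SHARE.search(ev.image_path):
        reasons.append("service binary is loaded from an ADMIN$/C$ share")
    if CMD_ONE_LINER.search(ev.image_path):
        reasons.append("service image is a cmd.exe one-liner with output redirection")
    return len(reasons), reasons


def triage(events: list[ServiceInstall]) -> list[dict]:
    """Keep only events with at least one indicator, most suspicious first."""
    hits = []
    for ev in events:
        score, why = score_event(ev)
        if score:
            hits.append({"host": ev.host, "account": ev.account,
                         "service": ev.service_name, "score": score, "reasons": why})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def spread_by_account(hits: list[dict]) -> dict[str, set[str]]:
    """One account installing suspicious services on several hosts is the
    lateral-movement pattern that pre-loaded credentials make possible."""
    spread = defaultdict(set)
    for h in hits:
        spread[h["account"]].add(h["host"])
    return {acct: hosts for acct, hosts in spread.items() if len(hosts) > 1}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ServiceInstall("WS-01", "CORP\\svc_backup", "RemComSvc", r"C:\Windows\RemComSvc.exe"),
    ServiceInstall("WS-02", "CORP\\svc_backup", "BTOBTO",
                   r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"),
    ServiceInstall("FS-01", "CORP\\svc_backup", "xKqRtMvA", r"\\FS-01\ADMIN$\zHtPqWxL.exe"),
    ServiceInstall("WS-03", "CORP\\jdoe", "Sense",
                   r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"),
]

if __name__ == "__main__":
    findings = triage(SAMPLE_EVENTS)
    for h in findings:
        print(f"{h['host']:6} {h['service']:10} score={h['score']} :: {'; '.join(h['reasons'])}")
    print("accounts installing suspicious services on several hosts:", spread_by_account(findings))
```

The per-event score is deliberately simple; the more useful signal is `spread_by_account`, which surfaces a single account creating services across hosts within a short window, the pattern a ransomware affiliate with harvested credentials produces and a benign administrator rarely does. In production, feed it parsed 7045 records from your SIEM and correlate with the matching network logons rather than the constructed list shown here.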

Microsoft’s scrutiny of this new BlackCat variant originated from its observation of attacks orchestrated by a BlackCat affiliate in July 2023. This revelation follows one security team’s disclosure of an updated version of BlackCat, named Sphynx, earlier this year. Sphynx featured improved encryption speed and stealth capabilities, underscoring the relentless endeavors by threat actors to refine and adapt their ransomware operations.

The uniqueness of the BlackCat ransomware stems from its multifunctional nature. Beyond its ransomware functionality, it has the characteristics of a “toolkit,” according to the security team. Interestingly, elements of this toolkit are derived from the Impacket tools, solidifying its significance in the ransomware’s operations.

The BlackCat ransomware group, active since November 2021, exhibits a propensity for constant evolution. The group has displayed its adaptability by releasing a data leak API to amplify the impact of its attacks. According to a mid-year threat review for 2023, BlackCat has been linked to 212 out of a total of 1,500 ransomware attacks, underscoring its prominence in the threat landscape.

However, BlackCat is not the only player in this arena. The Cuba ransomware threat group, COLDRAW, has demonstrated its capabilities by utilizing comprehensive attack tools, including BUGHATCH, BURNTCIGAR, Wedgecut, Metasploit, and Cobalt Strike frameworks. Particularly noteworthy is BURNTCIGAR, which incorporates modifications aimed at thwarting analysis and includes a list of targeted processes for termination.

In a broader context, ransomware continues to be a lucrative endeavor for financially motivated threat actors, with attacks in the first half of 2023 showing greater sophistication and higher frequency than in the entirety of the previous year. Notably, some groups are shifting away from encryption altogether, relying on data exfiltration and extortion alone, or escalating to triple extortion, where the theft of data is compounded with blackmail and DDoS threats.

A prevailing strategy involves targeting managed service providers (MSPs) to breach downstream corporate networks, as evidenced by the Play ransomware campaign. This campaign targeted industries such as finance, software, legal, shipping, logistics, and various governmental entities. By exploiting vulnerabilities in Remote Monitoring and Management (RMM) software, threat actors gain unhindered access to networks, highlighting the urgent need for robust cybersecurity measures.

In response, the U.S. government has released a Cyber Defense Plan to address threats to the RMM ecosystem. The overarching concern revolves around the potential for cyber threat actors to exploit RMM software, thereby compromising a network’s integrity, with cascading repercussions for organizations and their customers.

As ransomware attacks continue to evolve and adapt, the landscape remains tumultuous. Security professionals and organizations must remain vigilant, adopting proactive measures to detect, prevent, and mitigate the impact of ransomware attacks. Incorporating advanced tools, such as Impacket and RemCom, underscores the urgent need for cybersecurity efforts to stay ahead of these dynamic threats. At SpearTip, we examine companies’ security posture to improve the weak points in their networks.

Our team engages with companies’ people, processes, and technology to measure the maturity of their technical environments. We provide technical roadmaps for all vulnerabilities we uncover, helping companies gain the awareness and support needed to optimize their overall cybersecurity posture. By evaluating technology alongside internal personnel, we discover blind spots that could lead to significant compromises. We go beyond simple compliance frameworks and examine the organization’s day-to-day cyber function. Identifying technical vulnerabilities inside and outside the organization provides deeper context for potential gaps in the environment.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
