BlackCat ransomware uses new 'Munchkin' Linux VM in stealthy attacks

The BlackCat/ALPHV ransomware operation has begun to use a new tool named 'Munchkin' that uses virtual machines to deploy encryptors on network devices stealthily. Munchkin enables BlackCat to run on remote systems or to encrypt remote Server Message Block (SMB) or Common Internet File System (CIFS) network shares. The introduction of Munchkin to BlackCat's already extensive and advanced arsenal makes the RaaS more attractive to cybercriminals seeking to become ransomware affiliates.

Palo Alto Networks Unit 42 has discovered that BlackCat's new Munchkin tool is a customized Alpine Linux distribution that comes as an ISO file. After compromising a device, the threat actors install VirtualBox and create a new virtual machine using the Munchkin ISO. This Munchkin virtual machine includes a suite of scripts and utilities that allow the threat actors to dump passwords, spread laterally on the network, build a BlackCat 'Sphynx' encryptor payload, and execute programs on network computers.

The 'controller' uses the bundled configuration file, which provides access tokens, victim credentials, and authentication secrets, as well as configuration directives, folder and file blocklists, tasks to run, and hosts to target for encryption. This configuration is used to generate custom BlackCat encryptor executables in the /payloads/ directory, which are then pushed to remote devices to encrypt files or to encrypt SMB and CIFS network shares.

Unit 42 discovered a message in the malware's code from BlackCat's authors to their partners, warning against leaving the ISO on target systems because the configuration is not encrypted, and specifically highlighting the risk of chat access token leakage. A common problem affecting ransomware victims and cybercriminals alike is that samples are frequently leaked through malware analysis sites. Analyzing the ransomware samples allows researchers to gain full access to the negotiation chat between a ransomware gang and its victim.
It's impossible to gain access to a victim's negotiation chat, even if they have access to the sample used in the attack. Due to this, the threat actors warn affiliates that they must delete the Munchkin virtual machines and ISOs to prevent these access tokens from leaking.

Munchkin makes it easier for BlackCat ransomware affiliates to perform various tasks, including bypassing security solutions protecting the victim's device. Finally, the modularity of Munchkin, with its variety of Python scripts, unique configurations, and the ability to swap payloads as needed, makes the tool easy to adjust to specific targets or campaigns.

BlackCat emerged in late 2021 as a sophisticated Rust-based ransomware operation, the successor to BlackMatter and DarkSide.
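As an added illustration (not from the article or from Unit 42's report), here is a hunting script a defender could run over endpoint process-creation telemetry to surface the pattern described above: VirtualBox turning up on a host that should not be running VMs and booting a VM from an ISO. The event field names, host names, allow list and log lines are constructed assumptions, not indicators from the report.

```python
"""Score hosts for Munchkin-style VM abuse: VirtualBox binaries running on a
host outside the VM allow list, with extra weight when an ISO is attached or a
VM is started headless (no console shown to the logged-on user)."""

# Assumed: VirtualBox binary names a process-creation log would show.
VBOX_BINARIES = {"virtualbox.exe", "vboxmanage.exe", "vboxheadless.exe", "virtualboxvm.exe"}

# Assumed allow list: hosts where VirtualBox is expected (e.g. developer workstations).
ALLOWED_VM_HOSTS = {"dev-ws-07"}

def is_vbox(event):
    """True when the executed image is a VirtualBox binary (case-insensitive basename)."""
    return event["image"].rsplit("\\", 1)[-1].lower() in VBOX_BINARIES

def score_hosts(events):
    """Map host -> (score, reasons). +1 per VirtualBox process, +3 when the command
    line references an .iso (Munchkin ships as an ISO), +2 for a headless start."""
    scores = {}
    for ev in events:
        host = ev["host"]
        if host in ALLOWED_VM_HOSTS or not is_vbox(ev):
            continue
        score, reasons = scores.get(host, (0, []))
        cmd = ev["cmdline"].lower()
        score += 1
        reasons.append(f"VirtualBox binary ran: {ev['image']}")
        if ".iso" in cmd:
            score += 3
            reasons.append("VM booted from or attached to an ISO image")
        if "vboxheadless" in cmd or "--type headless" in cmd:
            score += 2
            reasons.append("headless VM start (no console visible to the user)")
        scores[host] = (score, reasons)
    return scores

def alerts(events, threshold=4):
    """Hosts whose score reaches the threshold, with the reasons collected."""
    return {h: r for h, (s, r) in score_hosts(events).items() if s >= threshold}

# Constructed sample events modelled loosely on Sysmon process-creation records.
VBOX = "C:\\Program Files\\Oracle\\VirtualBox\\"
SAMPLE_EVENTS = [
    {"host": "fileserver-01", "image": VBOX + "VBoxManage.exe",
     "cmdline": "VBoxManage.exe storageattach vm1 --storagectl IDE --port 0 --device 0 "
                "--type dvddrive --medium C:\\Users\\Public\\image.iso"},
    {"host": "fileserver-01", "image": VBOX + "VBoxManage.exe",
     "cmdline": "VBoxManage.exe startvm vm1 --type headless"},
    {"host": "dev-ws-07", "image": VBOX + "VirtualBox.exe", "cmdline": "VirtualBox.exe"},
    {"host": "hr-pc-12", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "hr-pc-14", "image": VBOX + "VirtualBoxVM.exe", "cmdline": "VirtualBoxVM.exe --startvm vm2"},
]

if __name__ == "__main__":
    for host, reasons in alerts(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Against the constructed events only fileserver-01 crosses the threshold; hr-pc-14 is recorded at a low score for follow-up rather than alerted on.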

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000
