Impacket tool has CD and RCE modules capable of wide distribution of BlackCat Ransomware

A report on Impacket tool having Credential dumping (CD) and Remote Code Execution (RCE) modules, that is capable of wide distribution of BlackCat malware to target environments has been reported by Microsoft Threat intelligence.  

blackcat-malware.png
New BlackCat version is said to also have the Remcom hacktool embedded in an .exe file extension capable of lateral movement and remote code execution. Image-source: pexel.com

On August 18th 2023, Microsoft threat intelligence issued a post on “x formerly known as twitter.” About the discovery:

“The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments.”

The new BlackCat version is said to also have the Remcom hacktool embedded in an .exe file extension capable of lateral movement and remote code execution.

Remcom Hacktool:

Is a small 10kb size Upx packed executable file, which is capable of running shell/telnet processes on windows-based systems; giving an attacker leverage to copy files remotely, process their output, and stream it back.

Late in the month of may (30th May 2023) this year, IBM Security Intelligence in a blog-content, reported in-depth research on the BlackCat encryptor; which was discovered to have morphed into a toolkit that contains Impacket.  

Impacket:

A collection of python libraries that are used in applications such as vulnerability scanners, enabling them to work with windows network protocols.

The BlackCat (a.k.a ALPHV) ransomware attack has lately been recorded to be on the rise, with its recent attack targeting essential industries such as the Healthcare, Government, Education, Manufacturing, and Hospitality sectors.

According to a statement to SC-Media by the principal Red Team Ops at Coalfire by the name Jesse Ratcliffe:

“Just in August, ALPHV attacked at least four companies, leaking sensitive data about employees and corporate assets from each one.”

The BlackCat ransomware group is said to have shift their hacking-skills and tradecraft in ensuring a more fast and stealthier operations, given them a better chance in extending their lifespans. Information posted on their leak sites includes financial and medical records that were exfiltrated from their victim’s organization.

The group (BlackCat) affiliates continuously acuminate their mode of operation in order to escalate the likelihood of impact, which involves data encryption and data theft.  

The means by which the group tend to use in data exfiltration is said to be automated using a tool known as Exmatter, a custom malware capable of “melting.” (Deleting itself).

Exmatter:

It is a malware designed to steal a range of user’s data, files, databases, compressed files (email & zip archive files), from different directories, and uploading them to an attacker’s server (preconfigured) using the SFTP (Secure File Transfer Protocol).  

Reports and discovery made shows that the BlackCat and RaaS gang, are affiliated with the LockBit 3.0 ransomware, and they have been in constant trade of both exploits and access with each other.

The threat actors have recently modified their hacking-tools and techniques and customizing the ransomware used in their attacks.

Mr. Ratcliffe informed SC-Media in a statement:

“It’s critical to get out ahead of these attacks, creating a readiness tabletop ‘doomsday’ plan for recovery, while patching systems and monitoring for suspicious and unauthorized access within the infrastructure.”

The BlackCat upon successful access to a network, utilizes PowerShell and command prompt to get detailed information about a user account, permissions, and domain on the computer. 

PowerShell code associated with ‘PowerSploit’ which is a post-exploitation framework publicly available; is capable of both credential theft through Kerberoasting, and obtaining domain administrator credentials.

Co-founder and CEO at Keeper Security Mr. Darren Guccione in statement also with SCMEDIA

“For cybercriminals today, the readily available ransomware tools are becoming more sophisticated and not all companies are adequately defending themselves from cyberattacks despite an increasing attack surface through increased reliance on technology and distributed remote work.”

It is noted that upon completion of data exfiltration the malware Exmatter starts a process which removes traces of itself on the victim’s computer. Read more about this.

 

 

 

Put your comments below in the comment section on your thoughts about this.

Find this article and information helpful? Show some love and support  “Click-Here”
5 1 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments