New BlackCat Hacker Tool Spreads Ransomware to Remote Machines

The BlackCat ransomware operators have demonstrated ongoing adaptation and innovation in their malicious activities, making mitigating their threats challenging for security experts.

BlackCat operators, like Munchkin, revealed updates for propagating their payload across victim networks. They’ve been consistently evolving their ransomware tooling over the past two years.

Cybersecurity researchers at Unit 42 of Palo Alto Networks, BlackCat operators recently revealed updates, like Munchkin, for propagating their payload across victim networks. They have been consistently evolving their ransomware tooling over the past two years.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

BlackCat Hacker Tool

Unit 42 researchers obtained a unique instance of Munchkin loaded in a customized Alpine VM, highlighting a growing trend among ransomware threat actors to use VMs for evading security solutions in malware deployment.

BlackCat’s evolution over time involved obfuscating configurations and employing command-line parameters for added security. 

Their latest tool, ‘Munchkin,’ uses a Linux-based OS to run BlackCat on remote machines and encrypt SMB/CIFS shares.

Munchkin tool process
Munchkin tool process (Source – Unit42)

Munchkin arrives as an Alpine OS-loaded ISO file, utilized through VirtualBox for its compact nature. The malware modifies the VM’s root password, initiates a new terminal session with tmux, runs the ‘controller’ binary, and then shuts down the VM.

Along with the following related files, the controller malware resides in the /app directory:-

  • /app/controller
  • /app/config
  • /app/payload
  • /scripts/smb_common.py
  • /scripts/smb_copy_and_exec.py
  • /scripts/smb_exec.py

Here below we have mentioned all the Python scripts that are present within the /usr/bin directory:-

  • DumpNTLMInfo.py
  • Get-GPPPassword.py
  • GetADUsers.py
  • GetNPUsers.py
  • GetUserSPNs.py
  • addcomputer.py
  • atexec.py
  • changepasswd.py
  • dcomexec.py
  • dpapi.py
  • esentutl.py
  • exchanger.py
  • findDelegation.py
  • flask
  • futurize
  • getArch.py
  • getPac.py
  • getST.py
  • getTGT.py
  • goldenPac.py
  • karmaSMB.py
  • keylistattack.py
  • kintercept.py
  • ldapdomaindump
  • ldd2bloodhound
  • ldd2pretty
  • lookupsid.py
  • machine_role.py
  • mimikatz.py
  • mqtt_check.py
  • mssqlclient.py
  • mssqlinstance.py
  • net.py
  • netview.py
  • nmapAnswerMachine.py
  • normalizer
  • ntfs-read.py
  • ntlmrelayx.py
  • pasteurize
  • ping.py
  • ping6.py
  • pip
  • pip3
  • pip3.11
  • psexec.py
  • raiseChild.py
  • rbcd.py
  • rdp_check.py
  • reg.py
  • registry-read.py
  • rpcdump.py
  • rpcmap.py
  • sambaPipe.py
  • samrdump.py
  • secretsdump.py
  • services.py
  • smbclient.py
  • smbexec.py
  • smbpasswd.py
  • smbrelayx.py
  • smbserver.py
  • sniff.py
  • sniffer.py
  • split.py
  • ticketConverter.py
  • ticketer.py
  • tstool.py
  • wmiexec.py
  • wmipersist.py
  • wmiquery.py

The controller malware, similar to BlackCat, decrypts strings and checks for configuration and payload files in the/app directory. It creates and mounts the /payloads/ directory for custom BlackCat instances based on the template in /app/payload.

Creation of a new BlackCat sample based on template and configuration
Creation of a new BlackCat sample based on template and configuration (Source – Unit42)

After execution, the VM powers off. A message within the malware was included but not used, possibly urging affiliates to remove it from compromised environments.

BlackCat ransomware developers, like many other malware creators, are continually refining their strategies. The Munchkin is their new tool, which is part of a rising trend that employs virtual machines (VMs) to bypass security restrictions and remain ahead of the security community.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.