Saturday, December 21, 2024
HomeCyber AttackBlackCat Ransomware Leveraging Remote Monitoring Tools to Encrypt Azure Storage

BlackCat Ransomware Leveraging Remote Monitoring Tools to Encrypt Azure Storage

Published on

SIEM as a Service

BlackCat Ransomware variant Sphynx has been newly identified with additional features used for encrypting Azure Storage accounts. This Sphynx variant of BlackCat was first discovered in March and was upgraded in May, which added the Exmatter exfiltration tool. 

Another version of Sphynx was released in August, which included new command-line arguments that can override the credentials inside the config files obtained from compromised systems.

Microsoft published a post in August that mentioned the inclusion of Impacket (for credential dumping and remote service execution) and Remcom tools. In addition, it also consisted of some compromised credentials that are used for lateral movement and further ransomware deployment.

- Advertisement - SIEM as a Service

“This BlackCat version also has the Remcom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment.” reads the thread by Microsoft on Twitter.

Threat Actors Access Azure portal

Threat actors could steal Azure keys by accessing the customer’s Azure portal. These keys were then base64 encoded and embedded with the ransomware binary with command line executions.

An -o argument was included in the command line arguments, which targets an Azure storage account name and access key; this binary was executed multiple times with 39 unique Azure Storage accounts, resulting in encrypting them with ransomware.

During this operation, threat actors used tools like AnyDesk, SplashTop, and Atera combined with the Chrome browser to access the LastPass vault browser extension. Moreover, threat actors also obtained OTP for accessing the Sophos Central account for managing other Sophos products.

On investigating further, it was found that threat actors proceeded to change the security policies and tamper protection before encrypting the systems and Azure Storage accounts with IzBEIHCMxAuKmis6.exe with the extension .zk09cvt. 

Ransomware note (Source: @SophosXOps/infosec.exchange)

Notable Change

Denoting the changes mentioned by IBM, this Sphynx variant of BlackCat does not include -access-token parameter but instead it now uses keys like ‘-8UwUubTNYzygbQPJF -x_ -NI3_zn6Jr -U8Z -hedu5PO -CBJC7jzy -HFVmgW -DK3rdo’ and includes a set of more complex arguments.

Sophos provides detailed information about the operation, source code, and indicators of compromise of this variant of BlackCat.

It is highly recommended that organizations implement and adhere to necessary precautions and measures to effectively prevent and combat the occurrence of ransomware attacks. Such proactive and vigilant steps can significantly reduce the risk of devastating consequences that may result from these malicious attacks.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...

Windows 11 Privilege Escalation Vulnerability Lets Attackers Execute Code to Gain Access

Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...