Saturday, February 15, 2025
HomeCyber AttackBlackCat Ransomware Leveraging Remote Monitoring Tools to Encrypt Azure Storage

BlackCat Ransomware Leveraging Remote Monitoring Tools to Encrypt Azure Storage

Published on

SIEM as a Service

Follow Us on Google News

BlackCat Ransomware variant Sphynx has been newly identified with additional features used for encrypting Azure Storage accounts. This Sphynx variant of BlackCat was first discovered in March and was upgraded in May, which added the Exmatter exfiltration tool. 

Another version of Sphynx was released in August, which included new command-line arguments that can override the credentials inside the config files obtained from compromised systems.

Microsoft published a post in August that mentioned the inclusion of Impacket (for credential dumping and remote service execution) and Remcom tools. In addition, it also consisted of some compromised credentials that are used for lateral movement and further ransomware deployment.

“This BlackCat version also has the Remcom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment.” reads the thread by Microsoft on Twitter.

Threat Actors Access Azure portal

Threat actors could steal Azure keys by accessing the customer’s Azure portal. These keys were then base64 encoded and embedded with the ransomware binary with command line executions.

An -o argument was included in the command line arguments, which targets an Azure storage account name and access key; this binary was executed multiple times with 39 unique Azure Storage accounts, resulting in encrypting them with ransomware.

During this operation, threat actors used tools like AnyDesk, SplashTop, and Atera combined with the Chrome browser to access the LastPass vault browser extension. Moreover, threat actors also obtained OTP for accessing the Sophos Central account for managing other Sophos products.

On investigating further, it was found that threat actors proceeded to change the security policies and tamper protection before encrypting the systems and Azure Storage accounts with IzBEIHCMxAuKmis6.exe with the extension .zk09cvt. 

Ransomware note (Source: @SophosXOps/infosec.exchange)

Notable Change

Denoting the changes mentioned by IBM, this Sphynx variant of BlackCat does not include -access-token parameter but instead it now uses keys like ‘-8UwUubTNYzygbQPJF -x_ -NI3_zn6Jr -U8Z -hedu5PO -CBJC7jzy -HFVmgW -DK3rdo’ and includes a set of more complex arguments.

Sophos provides detailed information about the operation, source code, and indicators of compromise of this variant of BlackCat.

It is highly recommended that organizations implement and adhere to necessary precautions and measures to effectively prevent and combat the occurrence of ransomware attacks. Such proactive and vigilant steps can significantly reduce the risk of devastating consequences that may result from these malicious attacks.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...