10 minute read

BlackCat is Rust-based ransomware distributed via the Ransomware-as-a-Service (RaaS) model. BlackCat was observed for the first time in November 2021 and has since been used to target multiple sectors and organizations in numerous countries and regions in Africa, the Americas, Asia, Australia, and Europe.

blackcat

This ransomware and group caught our attention after this interesting news: “ALPHV ransomware group claims to have ransomed Maruchan, the company that creates instant noodles.”:

cat

The name “BlackCat” was mentioned first by MalwareHunterTeam

https://twitter.com/vxunderground/status/1679128724489289728

Technical summary

This ransomware encrypts the data of business users and corporate networks using the algorithms AES-128 (CTR mode) and RSA-2048, and then demands a hefty ransom payment in BTC or Monero to decrypt the files. Instead of AES, the ChaCha20 algorithm can be used. The configuration file is consulted to retrieve the global public key used to encrypt local credentials. Original title: ALPHV-ng RaaS. A striking example of using the Rust programming language. eSXI is capable of encrypting data on Windows, Linux, and VMWare systems.

Threat Actor

Most of threat hunting labs, also MSSP Lab has observed one of these RaaS providers, ALPHV (also known as BlackCat ransomware), gathering traction since late 2021, actively recruiting new affiliates and targeting organizations in a variety of industries across the globe. The organization actively recruits former REvil, BlackMatter, and DarkSide operators. A campaign to attract new affiliates started to be advertised on underground forums:

cat

cat

cat

Identification

Samples is being investigated:

sample.exe:

File size: 2281472 bytes
MD5 sum: aea5d3cced6725f37e2c3797735e6467
SHA-1 sum: 087497940a41d96e4e907b6dc92f75f4a38d861a
SHA-256 sum: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83

First of all, check our sample via VirusTotal:

https://www.virustotal.com/gui/file/3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83/details

vt

As we can see, 60 of 71 AV engines detect our sample as malicious.

and the most interesting sample written in Rust:

sample2.exe:

File size: 2281472 bytes
MD5 sum: 701b4b004eecb69046c210237846d46d
SHA-1 sum: 8c70191b12f14eed594388c8fbe05efe6ebaa564
SHA-256 sum: 6dd995d896a9a593b2c48d09da60bd83866d8577273f36d38788d83ad8173e68

which also checked via VirusTotal:

https://www.virustotal.com/gui/file/6dd995d896a9a593b2c48d09da60bd83866d8577273f36d38788d83ad8173e68

vt

As we can see, 55 of 70 AV engines detect our sample as malicious.

More of the detect it as Win.Ransomware.BlackCat-9974801-0

Static analysis

sample.exe

The specified sample is a 32-bit PE file:

file <sample.exe>

vt

hexdump -C <sample.exe>

file

Use exiftool for looking metadata:

exiftool <sample.exe>

file

File timestamp is 2021:11:18 05:04:28-05:00

Compiled via MinGW:

file

Shannon entropy:

file


sample2.exe

The specified sample is a 32-bit PE file:

file <sample2.exe>

vt

hexdump -C <sample2.exe>

file

Use exiftool for looking metadata:

exiftool <sample2.exe>

file

Linker information GNU binutils:

file

Entropy:

file

file

file

Dynamic analysis

Can be distributed via hacking via an insecure RDP configuration, email spam and malicious attachments, inaccurate downloads, botnets, exploits, malicious advertisements, web injections, fake updates, repackaged and infected installers.

Ransom Note:

» Introduction
Important files on your system was ENCRYPTED and now they have have "sykffle" extension.
In order to recover your files you need to follow instructions below.
» Sensitive Data
Sensitive data on your system was downloaded and it will be published if you refuse to cooperate.
Data includes:
- Employees personal data, CVs, DL , SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
Private preview is published here: hxxx://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/***
» CAUTION
DO NOT MODIFY FILES YOURSELF.
DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.
» Recovery procedure
Follow these simple steps to get in touch and recover your data:
1) Download and install Tor Browser from: https://torprojoject.org
2) Navigate to: hxxx://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=***

Second sample is written in Rust:

file

file

Initialisation and propagation - BlackCat samples that we analyzed could be launched with any string provided as the access token:

.\sample.exe -v --access-token 1234567

file

The malware will immediately attempt to validate the existence of the aforementioned access-token, followed by a query for the system UUID:

cmd.exe /c wmic csproduct get UUID

Also, it employs the GetCommandLineW API to determine whether the supplied access token is valid:

file

BlackCat spawns a number of its own processes, with the following syntax (for Windows):

wmic.exe Shadowcopy Delete"
"iisreset.exe /stop"
bcdedit.exe /set {default} recoveryenabled No

or

cmd /c vssadmin.exe delete shadows /all /quiet

As you can see, in order to prevent the organization from restoring encrypted files, the ransomware first deletes any available shadow copies, as is characteristic of ransomware attacks.

BlackCat also attempts to propagate via PsExec:

file

Privilege Escalation - Using CoGetObject, the ransomware registers itself with the CLSID 3E5FC7F9-9A51-4367-9063-A120244FBEC7, which is legitimately used to execute applications with elevated privileges. This technique enables the malware to circumvent the UAC prompt and execute its malicious actions without being detected or blocked by the system’s security measures.

file

Anti-disassembly - Sleep function make stepping through code in a debugger more time-consuming and thus complicate the process of reverse engineering:

file

Terminating all active services and processes - BlackCat will now attempt to terminate any processes or services specified in the configuration, such as processes that may inhibit the encryption procedure.

Kill services:

backup memtas mepocs msexchange sql svc$ veeam vss

and processes:

"kill_processes": [
  "encsvc",
  "thebat",
  "mydesktopqos",
  "xfssvccon",
  "firefox",
  "infopath",
  "winword",
  "steam",
  "synctime",
  "notepad",
  "ocomm",
  "onenote",
  "mspub",
  "thunderbird",
  "agntsvc",
  "sql",
  "excel",
  "powerpnt",
  "outlook",
  "wordpad",
  "dbeng50",
  "isqlplussvc",
  "sqbcoreservice",
  "oracle",
  "ocautoupds",
  "dbsnmp",
  "msaccess",
  "tbirdconfig",
  "ocssd",
  "mydesktopservice",
  "visio"
]

Encryption process - BlackCat initially traverses the system using a cycle of FindFirstFile and FindNextFile to locate all system files:

file

file

Then ransom note is written using WriteFile to each directory:

file

Using BCryptGenRandom, the ransomware calculates a random AES key:

file

file

file

The file’s contents are written to the file using ReadFile and WriteFile after it has been encrypted with AES. The new file extension is listed in the BlackCat configuration.

file

We created a simple BlackCat Ransomware configuration extractor:

import hashlib
import os
import json
import binascii
import argparse
import sys
from typing import Union

class BlackCatConfig:
    def __init__(self, config: dict):
        self.config = config

    def __str__(self):
        output = ""
        for key in self.config.keys():
            output += f"{key}: {self.config[key]}\n"
        return output

def calc_md5(data: bytes) -> str:
    hasher = hashlib.md5()
    hasher.update(data)
    return hasher.hexdigest()

def calc_sha256(data: bytes) -> str:
    hasher = hashlib.sha256()
    hasher.update(data)
    return hasher.hexdigest()

def get_file_info(file: str) -> int:
    return os.stat(file).st_size

def scan_file(data: bytes, search: bytes) -> Union[int, None]:
    return data.find(search)

def main():
    parser = argparse.ArgumentParser(description='BlackCat Ransomware conf extractor')
    parser.add_argument('-j', '--json', action='store_true', help='dump extracted config to a json file')
    parser.add_argument('file', type=str, help='path to sample')
    args = parser.parse_args()

    try:
        with open(args.file, 'rb') as f:
            data = f.read()

        print(f"file size (bytes): {get_file_info(args.file)}")
        print(f"MD5: {calc_md5(data)}")
        print(f"SHA-256: {calc_sha256(data)}")

        off = scan_file(data, binascii.unhexlify("7B22636F6E6669675F696422"))  # = {"config_id"

        if off == -1:
            print("\nunable to find config offset :(\n\n")
            sys.exit(1)

        cfg = data[off: off+8000].strip()

        if args.json:
            filename = f"blackCat_config-{calc_md5(data)}.json"
            with open(filename, 'w') as jsonOutput:
                jsonOutput.write(cfg.decode('utf-8'))
                print(f"\nwrote {len(cfg)} bytes to {filename}\n\n")

        config = BlackCatConfig(json.loads(cfg))
        print(config)

    except Exception as e:
        print(f"an error occurred: {e}")
        sys.exit(1)

if __name__ == "__main__":
    main()

After BlackCat has finished encrypting all files on the system, the desktop wallpaper is altered to direct the user to the ransom note.

file

IOC

Another samples (SHA-256):

  • 0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
  • 13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
  • 15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
  • 1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e
  • 2587001d6599f0ec03534ea823aab0febb75e83f657fadc3a662338cc08646b0
  • 28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169
  • 2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc
  • 38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1
  • 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
  • 40f57275721bd74cc59c0c59c9f98c8e0d1742b7ae86a46e83e985cc4039c3a5
  • 4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf
  • 59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f
  • 5bdc0fb5cfbd42de726aacc40eddca034b5fa4afcc88ddfb40a3d9ae18672898
  • 658e07739ad0137bceb910a351ce3fe4913f6fcc3f63e6ff2eb726e45f29e582
  • 731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
  • 7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487
  • 7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e
  • bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117
  • be8c5d07ab6e39db28c40db20a32f47a97b7ec9f26c9003f9101a154a5a98486
  • c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
  • c5ad3534e1c939661b71f56144d19ff36e9ea365fdb47e4f8e2d267c39376486
  • c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283
  • cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae
  • f815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89
  • f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb

Bitcoin: 1H3JFbyiwv6YeVW7K2mVjxHgNvJdXqJxiP
Monero: 46JqTG57Pv6GBRzjM9kHyCF8XHrAo9sr8dLuvqwcGbxT92dUAW12QpgZJnu32KrTfL1BzLp2sBi9G49JyXuRaKmT6JrJL9r

Yara rules

Yara rule for BlackCat Ransomware threat hunting:

rule win_blackcat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.blackcat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 81f90a010000 7e6a 81f9e2030000 0f8fcc000000 81f90b010000 }
            // n = 6, score = 600
            //   c3                   | ret                 
            //   81f90a010000         | cmp                 ecx, 0x10a
            //   7e6a                 | jle                 0x6c
            //   81f9e2030000         | cmp                 ecx, 0x3e2
            //   0f8fcc000000         | jg                  0xd2
            //   81f90b010000         | cmp                 ecx, 0x10b

        $sequence_1 = { 85f6 0f8482000000 bb03000000 8d0437 }
            // n = 4, score = 600
            //   85f6                 | test                esi, esi
            //   0f8482000000         | je                  0x88
            //   bb03000000           | mov                 ebx, 3
            //   8d0437               | lea                 eax, [edi + esi]

        $sequence_2 = { 885405cc 48 eb19 89ca 83fa63 7fbe }
            // n = 6, score = 600
            //   885405cc             | mov                 byte ptr [ebp + eax - 0x34], dl
            //   48                   | dec                 eax
            //   eb19                 | jmp                 0x1b
            //   89ca                 | mov                 edx, ecx
            //   83fa63               | cmp                 edx, 0x63
            //   7fbe                 | jg                  0xffffffc0

        $sequence_3 = { f20f104808 8d45d4 894dec c645f004 8d4dec }
            // n = 5, score = 600
            //   f20f104808           | movsd               xmm1, qword ptr [eax + 8]
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   c645f004             | mov                 byte ptr [ebp - 0x10], 4
            //   8d4dec               | lea                 ecx, [ebp - 0x14]

        $sequence_4 = { 3d32210000 747b 3d33210000 0f8571050000 8b07 }
            // n = 5, score = 600
            //   3d32210000           | cmp                 eax, 0x2132
            //   747b                 | je                  0x7d
            //   3d33210000           | cmp                 eax, 0x2133
            //   0f8571050000         | jne                 0x577
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_5 = { b005 5e 5d c3 81f90a010000 7e6a 81f9e2030000 }
            // n = 7, score = 600
            //   b005                 | mov                 al, 5
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   81f90a010000         | cmp                 ecx, 0x10a
            //   7e6a                 | jle                 0x6c
            //   81f9e2030000         | cmp                 ecx, 0x3e2

        $sequence_6 = { 747b 3d33210000 0f8571050000 8b07 83f00a }
            // n = 5, score = 600
            //   747b                 | je                  0x7d
            //   3d33210000           | cmp                 eax, 0x2133
            //   0f8571050000         | jne                 0x577
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   83f00a               | xor                 eax, 0xa

        $sequence_7 = { b806000000 c7460400000000 894608 c70601000000 83c430 }
            // n = 5, score = 600
            //   b806000000           | mov                 eax, 6
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   c70601000000         | mov                 dword ptr [esi], 1
            //   83c430               | add                 esp, 0x30

        $sequence_8 = { 89d0 ba3e000000 897e0c f7e2 }
            // n = 4, score = 600
            //   89d0                 | mov                 eax, edx
            //   ba3e000000           | mov                 edx, 0x3e
            //   897e0c               | mov                 dword ptr [esi + 0xc], edi
            //   f7e2                 | mul                 edx

        $sequence_9 = { c6410b00 66c741090000 8b45ec 894110 c7411400000000 b801000000 8901 }
            // n = 7, score = 600
            //   c6410b00             | mov                 byte ptr [ecx + 0xb], 0
            //   66c741090000         | mov                 word ptr [ecx + 9], 0
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   894110               | mov                 dword ptr [ecx + 0x10], eax
            //   c7411400000000       | mov                 dword ptr [ecx + 0x14], 0
            //   b801000000           | mov                 eax, 1
            //   8901                 | mov                 dword ptr [ecx], eax

    condition:
        7 of them and filesize < 29981696
}

MITRE ATT&CK

T1027.002 - Obfuscated Files or Information: Software Packing
T1027 - Obfuscated Files or Information
T1007 - System Service Discovery
T1059 - Command and Scripting Interpreter
TA0010 - Exfiltration
T1082 - System Information Discovery
T1490 - Inhibit System Recovery
T1485 - Data Destruction
T1078 - Valid Accounts
T1486 - Data Encrypted For Impact
T1140 - Encode/Decode Files or Information
T1202 - Indirect Command Execution
T1543.003 - Create or Modify System Process: Windows Service
T1550.002 - Use Alternate Authentication Material: Pass The Hash

By Cyber Threat Hunters from MSSPLab:

References

MITRE ATT&CK: BlackCat
Salsa20 wikipedia
An ALPHV (BlackCat) representative discusses the group’s plans for a ransomware ‘meta-universe’
malpedia: BlackCat

Thanks for your time happy hacking and good bye!
All drawings and screenshots are MSSPLab’s