Carding 4 Carders
Professional
The BlackCat group has added a new weapon to its arsenal that.
Researchers at Palo Alto Networks Unit 42 have discovered that the cybercrime group ALPHV / BlackCat has started using a new tool called Munchkin, which uses virtual machines to covertly deploy encryptors on network devices. Munchkin allows BlackCat to run on remote systems or to encrypt SMB (Server Message Block) and CIFS (Common Internet File System) network shares.
Adding Munchkin to BlackCat's already extensive and advanced arsenal makes its RaaS (Ransomware-as-a-Service) offering more attractive to cybercriminals looking to become BlackCat's ransomware distribution partners (affiliates).
Munchkin is a customized Alpine Linux distribution delivered as an ISO image. After a device is compromised, the attackers install VirtualBox on it and create a new VM from the Munchkin ISO. The Munchkin virtual machine contains a set of scripts and utilities that let the affiliates collect passwords, spread across the network, build a BlackCat "Sphynx" encryptor, and execute code on other devices.
When the machine boots, the password is changed to one that is known only to the attacker, and the main controller module is launched using the tmux utility, which starts loading scripts for the attack. The controller module uses a built-in configuration file that provides access tokens, victim credentials, as well as configuration directives, folder and file blacklists, tasks to perform, and target hosts for encryption.
In the malware code, Unit 42 found a message from the BlackCat authors to their affiliates warning them to remove the ISO image from target systems after use, because the configuration is not encrypted, so that leaving it behind could leak malware samples and the details of negotiations between the ransomware operators and the victim.
Munchkin makes it easier for BlackCat affiliates to perform these tasks while bypassing security tools on the victim's device: the virtual machine provides a layer of isolation from the host operating system, which makes the activity harder to detect and analyze. The choice of Alpine Linux keeps the footprint small, and the automation reduces the need for manual intervention.
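As an added example (not from the article and not Unit 42's or the forum author's code), the Python below is a small correlation rule over constructed endpoint telemetry that flags the deployment sequence described in the preceding paragraphs from the defender's side: a hypervisor being installed on a workstation, a VM being booted from an ISO that sits in a user-writable path, and the host then opening SMB (port 445) sessions to many peers. The event schema, host names, file paths and thresholds are all assumptions made for the example, not a vendor's format.

```python
"""
Toy detection rule for the VM-based deployment pattern in the article:
hypervisor install -> VM booted from an ISO in a user-writable location ->
SMB fan-out from the same host. Every event below is constructed for this
example; the field names (host, ts, kind, detail) are an assumed schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. WS-017 shows the suspicious sequence;
# DEV-02 is a benign developer host that also runs VirtualBox.
SAMPLE_EVENTS = [
    {"host": "WS-017", "ts": "2023-10-20T09:01:00", "kind": "process",
     "detail": r"C:\Users\alice\AppData\Local\Temp\VirtualBox-setup.exe /silent"},
    {"host": "WS-017", "ts": "2023-10-20T09:04:30", "kind": "process",
     "detail": r"VBoxManage.exe createvm --name svc --register"},
    {"host": "WS-017", "ts": "2023-10-20T09:05:10", "kind": "process",
     "detail": r"VBoxManage.exe storageattach svc --type dvddrive "
               r"--medium C:\Users\alice\AppData\Local\Temp\boot.iso"},
    {"host": "WS-017", "ts": "2023-10-20T09:06:00", "kind": "process",
     "detail": r"VBoxHeadless.exe --startvm svc"},
] + [
    # Twelve distinct SMB destinations within a few minutes (constructed).
    {"host": "WS-017", "ts": f"2023-10-20T09:{10 + i:02d}:00", "kind": "netconn",
     "detail": f"10.0.5.{i + 1}:445"} for i in range(12)
] + [
    {"host": "DEV-02", "ts": "2023-10-20T10:00:00", "kind": "process",
     "detail": r"VBoxManage.exe storageattach lab --type dvddrive "
               r"--medium \\fileserver\images\ubuntu.iso"},
    {"host": "DEV-02", "ts": "2023-10-20T10:01:00", "kind": "process",
     "detail": r"VBoxHeadless.exe --startvm lab"},
    {"host": "DEV-02", "ts": "2023-10-20T10:02:00", "kind": "netconn",
     "detail": "10.0.9.7:445"},
]

# Path fragments that indicate a user-writable location (assumed list).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "/tmp/", "/home/")


def is_hypervisor_install(ev):
    """A process event that looks like a VirtualBox installer run."""
    d = ev["detail"].lower()
    return (ev["kind"] == "process" and "virtualbox" in d
            and any(k in d for k in ("setup", "install", "msiexec")))


def is_iso_from_user_path(ev):
    """A process event that attaches or boots an ISO from a user-writable path."""
    d = ev["detail"].lower()
    return ev["kind"] == "process" and ".iso" in d and any(p in d for p in USER_WRITABLE)


def is_smb_conn(ev):
    """A network connection to TCP/445."""
    return ev["kind"] == "netconn" and ev["detail"].endswith(":445")


def correlate(events, window_hours=24, smb_fanout=10):
    """Return {host: {"reasons": [...], "smb_targets": n}} for hosts where a
    hypervisor install is followed within the window by an ISO boot from a
    user-writable path; SMB fan-out is reported as an additional reason."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = {}
    window = timedelta(hours=window_hours)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        installs = [e for e in evs if is_hypervisor_install(e)]
        isos = [e for e in evs if is_iso_from_user_path(e)]

        # Core condition: install, then user-path ISO boot, inside the window.
        reasons = []
        for inst in installs:
            t0 = datetime.fromisoformat(inst["ts"])
            if any(t0 <= datetime.fromisoformat(iso["ts"]) <= t0 + window for iso in isos):
                reasons.append("hypervisor_install_then_user_iso_boot")
                break
        if not reasons:
            continue

        # Enrichment: how many distinct SMB peers did the host reach?
        smb_targets = {e["detail"].rsplit(":", 1)[0] for e in evs if is_smb_conn(e)}
        if len(smb_targets) >= smb_fanout:
            reasons.append("smb_fanout")
        alerts[host] = {"reasons": reasons, "smb_targets": len(smb_targets)}
    return alerts


if __name__ == "__main__":
    for host, info in correlate(SAMPLE_EVENTS).items():
        print(host, info)
```

The rule deliberately requires the hypervisor to appear on the host before the ISO boot rather than alerting on VirtualBox alone, because developer and lab machines run VMs legitimately (DEV-02 above is not flagged); the SMB fan-out count is attached as supporting evidence so an analyst can see the lateral-movement stage the article describes without it being a precondition for the alert.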
Munchkin's modularity, which offers various Python scripts, unique configurations, and the ability to swap payloads as needed, makes the tool easily adaptable to specific goals or campaigns.