Microsoft Uncovers New Version of BlackCat Ransomware with Impacket & RemCom Tools

In recent news, Microsoft revealed the discovery of an evolved version of the BlackCat ransomware, also known by the monikers ALPHV and Noberus, that now incorporates tools such as Impacket and RemCom. This iteration of the malware gives operators better lateral movement and more efficient remote code execution. The new capabilities of BlackCat underscore the growing sophistication of the cyber threats that businesses face globally.

Microsoft's threat intelligence team has explained how Impacket, a comprehensive set of Python-based tools, is being used to carry out specific harmful operations. These involve its credential-dumping and remote service execution modules, which significantly contribute to the broad deployment and propagation of the BlackCat ransomware within the target network infrastructure.

Supplementing Impacket's functions in this particular ransomware variant, RemCom, an open-source alternative to PsExec, facilitates remote code execution. Interestingly, this tool has a track record of being used by threat actors from nations such as China and Iran in their malicious campaigns. This version of BlackCat ransomware, first cited in July 2023, also carries hardcoded compromised credentials, which aid in lateral movement and pave the way for further ransomware deployment.

Two months prior to this revelation, IBM Security X-Force had unveiled an updated version of BlackCat, named Sphynx, which debuted in February 2023. Sphynx brought significant improvements in encryption speed and stealth, indicating ongoing efforts by cyber criminals to innovate and upgrade their ransomware tools.

The evolution of BlackCat ransomware does not end there. It now incorporates features that go beyond conventional ransomware capabilities. As noted by IBM Security X-Force, the latest sample includes additional strings that hint at tooling borrowed from Impacket, amounting to a comprehensive 'toolkit' of malicious capabilities.

Since its inception in November 2021, the cybercrime group behind BlackCat ransomware has consistently evolved its operations. A recent development is a Data Leak API, an enhancement designed to amplify the visibility of its attacks. According to Rapid7's 2023 Mid-Year Threat Review, the group's efforts have been fruitful, culminating in as many as 212 successful attacks out of a total of 1,500 ransomware attacks tracked.

BlackCat isn't the only ransomware displaying advanced features. The Cuba (also known as COLDRAW) ransomware also uses a sophisticated toolkit, comprising BUGHATCH (a custom downloader), BURNTCIGAR (an antimalware killer), and frameworks like Metasploit and Cobalt Strike, among others.

With ransomware becoming lucrative for financially motivated cybercriminals, the frequency and sophistication of such attacks saw a considerable uptick during the first half of 2023, targeting not just large enterprises but also small and medium-sized businesses. These groups adapt their modes of operation, moving away from traditional encryption and towards tactics such as triple extortion, where the perpetrators threaten to leak stolen data or launch DDoS attacks for added pressure.

Amidst these threats, Darksteel Technologies, an Orlando-based business, can handle all aspects of your IT security. We provide compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design, and any other information security services your business needs. We focus on your cybersecurity so you don't have to.
