BlackCat Ransomware: analysis of the evolution of the threat

Important elements of the analysis:  

  • Date of compilation of the sample examined  
  • Analysis of differences between the specific sample of this analysis and older samples  
  • Logging of the ransomware infection cycle  
  • Rust source-file (.rs) path artifacts in the string pool  
  • Configuration of BlackCat ransomware  
  • SMB shares and PsExec propagation  
  • IIS and SQL service termination commands  
  • Evidence of bcdedit command executions  
  • RSA objects used during BlackCat Ransomware infection 

INTRODUCTION 

BlackCat is a ransomware-as-a-service operation run by Russian-speaking actors; its cybercrime activity was first observed in November 2021.

The sample under analysis carries a compile timestamp of 23 January 2023 and differs in several respects from older BlackCat samples. In particular, it requests more token privileges before acting: SeSecurityPrivilege and SeTakeOwnershipPrivilege (to read security descriptors and take ownership of files it could not otherwise open) and SeLoadDriverPrivilege (to load drivers). It also registers TLS callbacks, which Windows runs before the entry point and again on every thread creation, so initialization (or anti-analysis) code executes before the main function is ever reached.

The new build also shows more attention to logging and to the "verbose" mode, and above all to checking whether a file is empty, has already been encrypted or is locked by another process before it is touched.

Also tracked as ALPHV, the locker is written in Rust rather than C/C++, a choice that, at the time, gave it an edge against signature- and heuristic-based detections tuned to more common toolchains and made reverse engineering harder. Its victims span Aviation, Construction, Education, Energy, Entertainment, Fashion, Financial Services, Government, Hospitality, Information Technology and Transportation, in the United States, Australia, Canada, China, France, Germany, India, Italy, Japan, Romania, Spain, Taiwan and the United Kingdom. [0]

BlackCat Ransomware TTPs Matrix:

STATIC ANALYSIS AND INSPECTION 

This analysis examines a BlackCat Ransomware sample with MD5 51f8e4c4ff2163b9e1853cf0b7aa5ed8 (the SHA-256 is in the IOC list). A toolchain-identification tool attributes the build to GNU Binutils. The extracted strings include log messages from several internal modules: Logger, Supervisor, Discoverer, File Processing and File Unlocker, and BCryptGen, which, as shown later, drives the random generation used to derive the per-file encryption material.

The PE header records a compile timestamp of 23 January 2023 (this field is attacker-controlled and can be forged, so it is corroborating rather than conclusive evidence):

The PE has three sections: .text, .rdata and .reloc. Most of the strings that name the locker's main functions and Rust source files (paths ending in .rs) are found in .rdata, not .text. This does not mean the ransomware executes external Rust scripts: Rust is compiled to native code, which lives in .text, and the .rs paths are source-location strings the compiler embeds for panic and debug messages. They are nevertheless valuable to the analyst, because they reveal the crate and module layout of the original project.

Following is the distribution of the PE sections:

The .rdata section is the read-only data section: it holds the string tables, configuration templates and constants that the infection and encryption routines consume. Disassembling it yields JE, JB and LOOPNE opcodes, but since the section is data rather than code these are almost certainly data bytes decoded as instructions and should not be read as an execution path. (For reference, LOOPNE decrements ECX and jumps while ECX is non-zero and the zero flag is clear.)
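As an added example (my code, not the sample's or the page's), here is a Python helper that pulls Rust source paths out of a raw string pool and groups them by crate, which is how an analyst turns those .rdata path strings into a map of the project's modules rather than reading them as scripts. The byte blob is constructed; only library/locker/src/core/access_key.rs is taken from this page, and the root prefixes the regex anchors on (drive letter, /rustc/, library/, src/) are an assumption about how the build embeds paths.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed .rdata-style string pool (not bytes from the real sample). Rust
# string literals are not NUL-terminated, so panic-location paths run straight
# into the neighbouring strings. Only library/locker/src/core/access_key.rs is
# quoted on this page; every other path here is illustrative.
SAMPLE_RDATA = (
    b"invalid access tokenlibrary/locker/src/core/access_key.rsSkipping couldn't backup"
    b"library/locker/src/core/stack.rsMain loop"
    b"C:\\Users\\runneradmin\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f"
    b"\\rsa-0.6.1\\src\\key.rsRsaPrivateKey"
    b"/rustc/0123456789abcdef0123456789abcdef01234567/library/core/src/slice/mod.rs"
    b"index out of bounds"
)

# Assumed roots under which a Rust build embeds paths: a Windows drive path
# (cargo registry on the build host), the toolchain's /rustc/<commit>/ prefix,
# and workspace-relative paths. Anchoring on a root stops the match from
# swallowing the tail of whatever string precedes the path; the lazy directory
# quantifier stops it at the first .rs file instead of running into the next path.
RS_PATH = re.compile(
    rb"(?:[A-Za-z]:\\|/rustc/|library/|src/)"  # root
    rb"(?:[A-Za-z0-9_.\-]+[\\/])*?"             # directories (lazy)
    rb"[A-Za-z0-9_\-]+\.rs"                     # file name
)


def extract_rs_paths(blob: bytes) -> List[str]:
    """Return every Rust source path found in a raw string pool, in order."""
    return [m.group(0).decode("ascii") for m in RS_PATH.finditer(blob)]


def classify(path: str) -> Tuple[str, str]:
    """Bucket a path as project code, a cargo dependency or Rust's own std,
    returning (bucket, crate). Layouts this does not recognise land in 'other'."""
    parts = re.split(r"[\\/]", path)
    if "registry" in parts and ".cargo" in parts:
        # <...>\.cargo\registry\src\<index>\<crate>-<version>\src\<file>
        return "cargo-dependency", parts[parts.index("registry") + 3]
    if len(parts) > 4 and parts[:2] == ["", "rustc"] and parts[3] == "library":
        # /rustc/<commit>/library/<crate>/src/<file>
        return "rust-std", parts[4]
    if parts[0] == "library" and len(parts) > 1:
        # this sample's workspace layout: library/<crate>/src/<module>.rs
        return "project", parts[1]
    return "other", parts[0]


def module_map(blob: bytes) -> Dict[str, Dict[str, List[str]]]:
    """Group recovered paths by bucket and crate (e.g. the 'locker' crate)."""
    out: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for path in extract_rs_paths(blob):
        bucket, crate = classify(path)
        out[bucket][crate].append(path)
    return {bucket: dict(crates) for bucket, crates in out.items()}


def build_user(blob: bytes) -> Optional[str]:
    """Recover the build-host user name from a cargo registry path, if any."""
    for path in extract_rs_paths(blob):
        m = re.match(r"[A-Za-z]:\\Users\\([^\\]+)\\\.cargo\\", path)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    for bucket, crates in module_map(SAMPLE_RDATA).items():
        for crate, paths in crates.items():
            print(f"{bucket:17} {crate:12} {len(paths)} file(s)")
    print("build user:", build_user(SAMPLE_RDATA))
```

Run against a real binary, feed it the raw bytes of .rdata (or the output of strings) instead of SAMPLE_RDATA; the cargo registry paths also tell you which third-party crates and versions were linked in, and the Users\<name> component is where a build-host account name such as the one in the IOC list comes from.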

BlackCat drives its encryption routines from a JSON configuration. Some attributes are strings (for example "config_id", "extension" and "public_key"), others are boolean switches. The locker is started with an access token on the command line, and further options select, for instance, whether network shares are targeted, whether verbose output is enabled and whether every encryption and infection step is written to a log file. Other attributes govern the clearing of the Windows event log and the dropping of the ransom wallpaper and of the ransom notes left for victims.

Below are the references to shadow-copy deletion, carried out through vssadmin.exe and wmic.exe; wmic.exe is also used to collect identifying details about the compromised host and the domain user.

The strings also contain the sequence ${EXTENSION}${ACCESS_KEY}{NOTE_FILE_NAME}.png. Because Rust string literals are not NUL-terminated, adjacent placeholders run together in the string pool, so this may be several separate templates rather than one; it does show that the ACCESS_KEY value is substituted into artifacts and is later used on the ransom website to uniquely identify the compromised infrastructure. Next come details of the file ciphers, AES and ChaCha20 (two separate algorithms the locker can select between, not one combined scheme).

Below is evidence of NetBIOS enumeration and of null-session connections to the IPC$ share. The configuration can also specify whether virtual-machine snapshots are deleted and how VM and ESXi instances are handled. The screenshot below also shows the ACCESS_TOKEN attribute, which must be supplied for the ransomware to execute at all and to perform its encryption, logging and configuration actions.
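Added example, not the ransomware's own code: a small Python routine that loads a configuration in the JSON shape described above, checks that identity attributes are strings and switches are booleans, expands the ${NAME} and {NAME} placeholders (including a note name that itself references ${EXTENSION}) and lists the enabled behaviours and kill lists. The JSON is constructed; config_id, extension, public_key and note_file_name are taken from the page, while the enable_* and kill_* names, the RECOVER-${EXTENSION}-FILES.txt note name and the access key value are assumptions made for the example.

```python
import json
import re
from typing import Dict, List

# Constructed configuration in the JSON shape the page describes. The public
# key is a placeholder string; a real config carries Base64-encoded key material.
SAMPLE_CONFIG = r'''
{
  "config_id": "",
  "public_key": "BASE64_DER_PUBLIC_KEY",
  "extension": "sykffle",
  "note_file_name": "RECOVER-${EXTENSION}-FILES.txt",
  "enable_network_discovery": true,
  "enable_self_propagation": false,
  "enable_esxi_vm_snapshot_kill": true,
  "kill_services": ["veeam", "vss", "sql", "MVArmor"],
  "kill_processes": ["sql", "veeam"]
}
'''

# String attributes identify the build and the key material; enable_* switches
# (assumed names) turn behaviour on or off and must be booleans.
STRING_KEYS = ("config_id", "public_key", "extension", "note_file_name")
PLACEHOLDER = re.compile(r"\$?\{([A-Z_]+)\}")  # matches both ${NAME} and {NAME}

# The placeholder run quoted on the page, treated here as a single template.
PAGE_TEMPLATE = "${EXTENSION}${ACCESS_KEY}{NOTE_FILE_NAME}.png"


def load_config(raw: str) -> dict:
    """Parse the JSON and reject configs whose attribute types are wrong."""
    cfg = json.loads(raw)
    for key in STRING_KEYS:
        if not isinstance(cfg.get(key), str):
            raise ValueError(f"{key}: missing or not a string")
    for key, value in cfg.items():
        if key.startswith("enable_") and not isinstance(value, bool):
            raise ValueError(f"{key}: expected a boolean switch")
    return cfg


def _expand(template: str, values: Dict[str, str]) -> str:
    """Substitute placeholders; an unknown name is an error, not silently kept."""
    def sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in values:
            raise KeyError(f"unknown placeholder {name}")
        return values[name]
    return PLACEHOLDER.sub(sub, template)


def render_names(cfg: dict, access_key: str) -> Dict[str, str]:
    """Derive the artifact names a run with this config and access key produces."""
    base = {"CONFIG_ID": cfg["config_id"], "EXTENSION": cfg["extension"],
            "ACCESS_KEY": access_key}
    note = _expand(cfg["note_file_name"], base)   # note name may use ${EXTENSION}
    full = {**base, "NOTE_FILE_NAME": note}
    return {"note_file_name": note, "page_template": _expand(PAGE_TEMPLATE, full)}


def enabled_switches(cfg: dict) -> List[str]:
    return sorted(k for k, v in cfg.items() if v is True)


def kill_targets(cfg: dict) -> Dict[str, List[str]]:
    return {k: list(v) for k, v in cfg.items()
            if k.startswith("kill_") and isinstance(v, list)}


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("enabled:", enabled_switches(cfg))
    print("kill:", kill_targets(cfg))
    print("names:", render_names(cfg, "ACCESSKEY123"))
```

The type checks matter in triage: a config whose "public_key" is not a string, or whose switch is the string "true", is either corrupted or from a different build, and the placeholder expansion tells you which file names to hunt for on disk before the ransom note has been read by anyone.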

BlackCat includes a UAC bypass, circumventing Windows User Account Control, which would otherwise block elevated execution. Once elevated it enables a large set of token privileges (via AdjustTokenPrivileges) for the purpose of gaining access and loading drivers; among them SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege and SeSystemProfilePrivilege. Note that these are privilege names, not functions. A thread-token context flagged as "elevated_thread_token" is also present.

Below are the checks the ransomware performs for empty or already-encrypted files, together with the mandatory access_token variable.

The extracted strings show wevtutil.exe being invoked to clear the Windows event logs, specifically to hinder any later investigation and incident response. A list of file extensions is skipped during encryption; those files are still considered for data extortion if the ransom is not paid. Another key step is the execution of a Base64-encoded (hence obfuscated) PowerShell command, run alongside iisreset.exe, which stops the SQL services on the targeted IIS hosts.

Decoding the command reveals a foreach loop that enumerates the installed services and picks out those whose name contains "sql":

Next are references to UDP sockets and the loopback address 127.0.0.1, with attributes named client, server and protocol_recv, and to service enumeration under the "enum_services" attribute:

Here, assertions and runtime checks can be tied to the Rust libraries used by the locker module, which performs the file encryption. The "bcdedit" command is most likely used to configure a Safe Mode boot, so that files otherwise held open by other processes can be handled on the next start; the exact bcdedit arguments are not visible in the strings.

To map network shares with explicit credentials, net use ... /user: is executed:

Below is evidence of forced registry-key deletion ("reg delete" with the "/f" option) and service deletion ("sc delete"). The configuration also carries "kill_all" and "kill" entries:

Highlighted here are the markers delimiting the start and end of the embedded configuration, the PsExec executions and the source path library/locker/src/core/access_key.rs:
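As an added example (my code, not part of the original analysis and not the ransomware's), the following Python triages process command lines for the behaviours described from the shadow-copy deletion onwards: vssadmin/wmic shadow deletion, wevtutil log clearing, the Base64-encoded PowerShell service-stop loop run next to iisreset.exe, credentialed net use, bcdedit, reg delete /f, sc delete and PsExec with an --access-token argument. The log lines are constructed for the example (RFC 5737 addresses, illustrative service and key names); the PowerShell payload is my reconstruction of the foreach-over-services loop the page describes, not the decoded command itself.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed PowerShell payload in the shape the page describes: a foreach over
# the service list that stops every service whose name contains "sql".
PS_SCRIPT = ('foreach ($s in Get-Service) { if ($s.Name -like "*sql*") '
             '{ Stop-Service -Name $s.Name -Force } }')
# -EncodedCommand takes the Base64 of the UTF-16LE script, not of UTF-8.
ENCODED = base64.b64encode(PS_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed process command lines (not the sample's own log).
SAMPLE_LOG: List[str] = [
    r"svchost.exe -k netsvcs",
    r"cmd.exe /c vssadmin.exe Delete Shadows /all /quiet",
    r"cmd.exe /c wmic.exe shadowcopy delete",
    'cmd.exe /c for /F "tokens=*" %1 in (\'wevtutil.exe el\') DO wevtutil.exe cl "%1"',
    f"powershell.exe -NoProfile -EncodedCommand {ENCODED}",
    r"cmd.exe /c iisreset.exe /stop",
    r"net use \\192.0.2.10\C$ /user:CORP\svc_backup Passw0rd!",
    r"bcdedit.exe /set {default} safeboot network",
    r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\VeeamBackupSvc" /f',
    r"sc delete VeeamBackupSvc",
    r'psexec.exe -accepteula \\192.0.2.11 -s -d cmd.exe /c "C:\Temp\a.exe --access-token <token>"',
]

# Each rule runs over the raw command line plus, when present, the decoded
# PowerShell payload, so behaviour hidden behind -EncodedCommand is still seen.
RULES: Dict[str, "re.Pattern[str]"] = {
    "shadow-copy-deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "event-log-clearing": re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I),
    "iis-stop": re.compile(r"iisreset(?:\.exe)?\s+/stop", re.I),
    "sql-service-stop": re.compile(r"stop-service.*sql|sql.*stop-service", re.I | re.S),
    "share-auth": re.compile(r"\bnet(?:\.exe)?\s+use\b.*\s/user:", re.I),
    "boot-config-change": re.compile(r"bcdedit(?:\.exe)?\s+/set\b", re.I),
    "forced-registry-delete": re.compile(r"\breg(?:\.exe)?\s+delete\b.*\s/f\b", re.I),
    "service-delete": re.compile(r"\bsc(?:\.exe)?\s+delete\b", re.I),
    "psexec-remote-exec": re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b", re.I),
    "access-token-flag": re.compile(r"--access-token\b", re.I),
}

# powershell accepts -e, -ec, -enc and -EncodedCommand for the Base64 argument.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.I)


def decode_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> List[str]:
    """Names of every rule that fires on the command line or its decoded payload."""
    decoded = decode_powershell(cmdline)
    text = cmdline if decoded is None else f"{cmdline}\n{decoded}"
    return [name for name, rx in RULES.items() if rx.search(text)]


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious command line to its hits; clean lines are omitted."""
    return {line: hits for line in lines if (hits := triage(line))}


if __name__ == "__main__":
    for line, hits in triage_log(SAMPLE_LOG).items():
        print(f"{', '.join(hits):32} {line[:70]}")
```

Individually most of these commands have legitimate administrative uses; what makes them an incident is several of them arriving from the same parent process within minutes, so in practice the hits should be correlated per host and per parent rather than alerted on one at a time.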

BlackCat calls a number of Windows APIs to alter service configuration (ChangeServiceConfigW), enumerate services (EnumServicesStatusExW) and spawn processes under another user or token (CreateProcessWithTokenW, CreateProcessAsUserW).

The deletion of particular registry keys is most likely meant to break or disable specific products, such as Veeam Backup.

Further socket details follow, covering connect, listen and getsockname operations.

Here is a reference to the LanmanServer key under HKEY_LOCAL_MACHINE, i.e. the Server service that serves SMB shares; known BlackCat samples raise the MaxMpxCt value under its Parameters subkey to 65535 so that the SMB server accepts more concurrent requests while network shares are being encrypted:

References to .backup files, probably temporary copies, are observed, together with the log string "Skipping couldn't backup":

Below are strings for error conditions: invalid configuration, invalid public key and incorrect access token.

The ransomware also mounts hidden partitions, so that volumes without a drive letter are encrypted as well:

Further file extensions, such as BMP and MPG, follow:

The .rdata section also contains strings for checking and catching decryption errors raised during execution:

Here is the structure of the RSA public key used to protect the per-file encryption keys. The public key is itself stored encrypted within the configuration.

A file inspection flags the following suspicious attributes: the layout of the PE and encryption-related sections, plus routines for changing the desktop wallpaper, WMI execution and Base64 encoding.

Here are details of the Portable Executable's imports. The imported libraries serve several purposes: managing machine services, looking up the domain user's SID, BCrypt random generation, creating processes under a specific token, creating hard links and symbolic links, connecting to SMB shares, socket I/O, file-enumeration loops, and locating the user profile folder and desktop wallpaper.

In the raw bytes of the binary, an error string describes the failure to send data through a socket object.

Within the .text section there is evidence of TLS callbacks: routines the loader runs before the entry point and again at every thread creation and exit, commonly used for early initialization or anti-debugging checks:

Below is evidence gathered during a debugging session, where references to .rs source paths, in particular from the locker library, as well as the configuration for dropping batch scripts, can be observed:

Here are the execution details of the iisreset.exe command and of the Base64-encoded PowerShell command used to stop the SQL services on IIS hosts:

Here the shadow copies are deleted with vssadmin's "Delete Shadows /all":

Below is a detail of the localhost (127.0.0.1) parameter in the infection context:

Following is the execution of "net use ... /user:" to reach and infect network shares:

Following are details of what is potentially the encrypted public key embedded in an encrypted file. The identifying hexadecimal pattern of the key is 19 47 ba 86; a four-byte sequence is a weak indicator on its own and will produce chance matches in large files, so it should be combined with other evidence:

Here is an example of a BlackCat execution log, showing the termination of several specific processes and services, such as MVArmor and Veeam Backup:

The "Main Loop" pattern marks a key stage of the infection chain, as it appears just before encryption of the target files begins:

At the same time as the "Main loop", the stack.rs module of the locker library is referenced:

Following is an attempt to debug and recover the RsaPrivateKey structure. The string "RsaPrivateKeypubkey_components" is the struct name and its pubkey_components field from the Rust rsa crate, concatenated in the string pool. A breakpoint was set just before a push instruction referencing that structure.

Here is a memory dump operation of the execution in question:

IOCs:

MD5: 51f8e4c4ff2163b9e1853cf0b7aa5ed8

SHA-256: 64e39d15c100e0752e7262df6d45b9fb2ce57e9bd66b63158e5aeb0e96d29f23

String: psexec.exepsexec_args (two adjacent, non-terminated Rust string literals, "psexec.exe" and "psexec_args")

String: runneradmin (build-host user name; note that runneradmin is also the default account on GitHub-hosted Windows build runners, so it is not unique to BlackCat)

YARA Rule (straight quotes are required, since the curly quotes in the original listing do not compile; the MZ check is added so the rule only fires on PE files; given the two weak indicators above, treat a match as a lead to be confirmed by hash or further analysis):

rule BlackCatRule
{
    meta:
        description = "BlackCat/ALPHV locker: build-host user name and key-structure byte pattern"
        md5 = "51f8e4c4ff2163b9e1853cf0b7aa5ed8"
        sha256 = "64e39d15c100e0752e7262df6d45b9fb2ce57e9bd66b63158e5aeb0e96d29f23"

    strings:
        $black_str = "runneradmin"
        $black_hex = { 19 47 BA 86 }

    condition:
        uint16(0) == 0x5A4D and ($black_str or $black_hex)
}

CONCLUSIONS:

BlackCat Ransomware was first observed in the wild in November 2021, yet it is still behind large-scale attacks today.

The threat shares traits with other ransomware families: Cobalt Strike for deployment and the infection phase, PsExec for command propagation and persistence through scheduled tasks, and credential theft and dumping with Mimikatz and LaZagne.

What sets BlackCat apart is that the locker is written in Rust. Since 2022, more threats have adopted less common compiled languages precisely because detection engines and analyst tooling are tuned to C/C++ and .NET binaries. We can therefore expect future threats to test modern antivirus and EDR solutions not only with packing and obfuscation, but with fileless techniques, multistage chains and malicious code spread across several programming languages, which also gives attackers access to a huge ecosystem of third-party libraries that, combined, make up the overall malicious execution.

A further peculiarity of BlackCat is the binary's large size, which is explained by Rust's static linking of the standard library and of every dependency crate, together with the embedded source paths and panic messages.

References:

[0] (ransomware gang introduction): BlackCat Ransomware Gang, picussecurity.com
[1] (image): BlackCat Ransomware Gang, picussecurity.com
