A Deep Dive into the Techniques, Tools, and Procedures of the Recent BlackCat Attack
Cybersecurity threats continue to evolve, posing significant risks to organizations around the world. A case in point is the recent BlackCat (aka ALPHV) cyberattack. This article provides an in-depth analysis of the tactics, techniques, and procedures (TTPs) used in the attack, including the use of malvertising as an entry vector and the use of the SpyBoy Terminator.
Initial Access and Malware Distribution
The BlackCat attackers used malvertising to distribute malware through cloned webpages of legitimate organizations. In this particular attack, the threat actors targeted the well-known application WinSCP. The malware was distributed to unsuspecting users via a malicious advertisement that appeared in search results when users searched for "WinSCP Download" on the Bing search engine. When the user clicked the "Download" button on the malicious website, the site delivered an ISO file containing the malware.
Infection Chain and Persistence
The infection chain started with the user downloading and mounting the ISO file, which contained two files: setup.exe and msi.dll. Running setup.exe loaded msi.dll, which then extracted a Python folder from the DLL's RCDATA resource section. This resulted in two installations of Python 3.10 on the system, one legitimate and the other trojanized. The malicious Python file then established persistence through a Run registry key named "Python".
Command and Control (C&C) and Payload Delivery
Upon execution, the trojanized Python file connected to a Cobalt Strike beacon. It then used a series of C&C servers to obtain the main beacon module, which was used to execute malicious activities within the victim's network. The malware also created multiple scheduled tasks executing batch files, leading to in-memory execution of Cobalt Strike beacons.
Discovery and Enumeration
The threat actors used several tools for discovery and enumeration in the victim's environment, including AdFind, AccessChk64, and findstr. They also utilized PowerShell scripts to gather user information and save it into a CSV file. The attackers used these tools to fetch information on the operating system, gather user data, and identify files, directories, or services with weak access control settings.
Lateral Movement and Privilege Escalation
The threat actors used PsExec, BitsAdmin, and curl to download additional tools and move laterally across the environment. They also attempted to escalate privileges using a Python script that relied on the marshal module to load and execute pseudo-compiled (bytecode) code for LaZagne.
Persistence and Evasion
The attackers installed the AnyDesk remote management tool in the environment to maintain persistence. They also attempted to disable or bypass antivirus or antimalware programs installed on the target system through a KillAV BAT script.
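As an added example that is not part of the original write-up, the Python triage function below flags the indicators described in the sections above (the "Python" Run key, scheduled tasks that execute batch files, and the discovery, lateral-movement and remote-access tools named) over a few constructed Sysmon-style event records; the event field names and sample paths are assumptions.

```python
import re
from collections.abc import Iterable

# Tool names the write-up lists for discovery, lateral movement and persistence.
SUSPECT_TOOLS = {"adfind.exe", "accesschk64.exe", "psexec.exe",
                 "bitsadmin.exe", "curl.exe", "anydesk.exe"}
# Run key value named "Python" (the persistence mechanism described above).
RUN_KEY_PYTHON = re.compile(r"\\CurrentVersion\\Run\\Python$", re.IGNORECASE)


def triage(events: Iterable[dict]) -> list[str]:
    """Return one finding string per event that matches a TTP from the write-up."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY_PYTHON.search(ev["target"]):
            findings.append(f"persistence: Run key 'Python' -> {ev['details']}")
        elif ev["type"] == "process":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            cmdline = ev.get("cmdline", "").lower()
            if image in SUSPECT_TOOLS:
                findings.append(f"tooling: {image} spawned by {ev['parent']}")
            elif image == "schtasks.exe" and "/create" in cmdline and ".bat" in cmdline:
                findings.append(f"persistence: scheduled task runs a batch file: {cmdline}")
    return findings


# Constructed sample events (assumed Sysmon-like registry and process-creation records).
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Python",
     "details": r"C:\Users\alice\AppData\Local\Python\python.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": "python.exe",
     "cmdline": r'schtasks.exe /create /tn Update /tr "C:\ProgramData\update.bat" /sc minute'},
    {"type": "process", "image": r"C:\Temp\AdFind.exe", "parent": "cmd.exe",
     "cmdline": "adfind.exe -f objectcategory=computer"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": "explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only the first three sample events match; the benign notepad.exe record produces no finding.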
The BlackCat (aka ALPHV) attack exemplifies the increasingly sophisticated cyber threats organizations face today. Proactive response and comprehensive security measures are critical to mitigate the risks posed by such attacks. By understanding the TTPs used in these attacks, organizations can better prepare and defend themselves against future threats.