The Cyber Security News

New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools

August 18, 2023

Microsoft on Thursday disclosed that it identified a new variant of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution.

“The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments,” the company’s threat intelligence team said in a series of posts on X (formerly Twitter).

“This BlackCat version also has the RemCom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment.”
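A sample that bundles third-party utilities and hard-coded credentials usually leaks that fact through embedded strings, which is what IBM’s “additional string” observation below relies on. The triage helper that follows is an added example, not tooling from Microsoft, IBM or the BlackCat analysis: it extracts ASCII and UTF-16LE string runs from a binary (Windows executables often store strings as UTF-16) and flags those matching indicator patterns. The indicator names, the regexes and the sample byte blob are all constructed for illustration and are not published signatures or IoCs.

```python
"""Triage helper: find embedded tooling indicators in a binary sample.

Added example (not the original article's or any vendor's code). The
indicator patterns are assumptions chosen to illustrate the technique,
not vetted detection signatures.
"""
import re
import sys
from dataclasses import dataclass

MIN_LEN = 6  # shortest printable run worth reporting

# Hypothetical indicator patterns (assumptions, not published IoCs).
INDICATORS = {
    # Tool names an embedded utility tends to carry in its own strings.
    "remcom": re.compile(r"remcom", re.IGNORECASE),
    "impacket": re.compile(r"impacket", re.IGNORECASE),
    # Heuristic for a hard-coded DOMAIN\user:password string.
    "embedded_credential": re.compile(
        r"^[A-Za-z0-9_.-]+\\[A-Za-z0-9_.$-]+:[^\s]{8,}$"
    ),
}


@dataclass(frozen=True)
class Hit:
    offset: int      # byte offset of the string inside the sample
    encoding: str    # "ascii" or "utf-16le"
    indicator: str   # which INDICATORS key matched
    text: str        # the decoded string


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    # UTF-16LE: each printable code unit is <char><0x00>.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in utf16_re.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def scan(data: bytes) -> list[Hit]:
    """Return every extracted string that matches an indicator pattern."""
    hits = []
    for offset, enc, text in extract_strings(data):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append(Hit(offset, enc, name, text))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per indicator, e.g. {"remcom": 1, "impacket": 1}."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.indicator] = counts.get(h.indicator, 0) + 1
    return counts


# Constructed stand-in for a PE image: a DOS stub, a UTF-16LE service name,
# an ASCII tool banner and a fake DOMAIN\user:password string. No real
# credentials or malware content.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 8
    + "RemComSvc".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 4
    + b"impacket-based helper (constructed banner)"
    + b"\x00" * 4
    + b"CORP\\svc_backup:Example-Passw0rd!"
    + b"\x00" * 8
)


if __name__ == "__main__":
    # Scan a file given on the command line, otherwise the built-in sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in scan(blob):
        print(f"0x{hit.offset:06x} {hit.encoding:8} {hit.indicator:20} {hit.text}")
    print(summarize(scan(blob)))
```

String-level checks like this are cheap and noisy by design: a hit is a reason to pull the sample into a sandbox and compare it against the organisation’s allowed remote-administration tooling, not a verdict on its own. Packed or encrypted payloads will not expose these strings until unpacked, so an empty result does not clear a file.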

RemCom, billed as an open-source alternative to PsExec, has been put to use by Chinese and Iranian nation-state threat actors like Dalbit and Chafer (aka Remix Kitten) to move across victim environments in the past.

Redmond said it began observing the new variant in attacks carried out by a BlackCat affiliate in July 2023.

The development arrives more than two months after IBM Security X-Force disclosed details of the updated version of BlackCat, called Sphynx, that first emerged in February 2023 with improved encryption speed and stealth, pointing to continued efforts by threat actors to refine and retool the ransomware.

“The BlackCat ransomware sample has more than just ransomware functionality but can function as a ‘toolkit,’” IBM Security X-Force noted in late May 2023. “An additional string indicates that tooling is based on tools from Impacket.”

The cybercrime group, which launched its operation in November 2021, is marked by constant evolution, having most recently unveiled a data leak API to boost the visibility of its attacks. According to Rapid7’s Mid-Year Threat Review for 2023, BlackCat has been attributed to 212 out of a total of 1,500 ransomware attacks.

It’s not just BlackCat, for the Cuba (aka COLDRAW) ransomware threat group has also been observed employing a comprehensive attack toolset encompassing BUGHATCH, a custom downloader; BURNTCIGAR, an antimalware killer; Wedgecut, a host enumeration utility; and the Metasploit and Cobalt Strike frameworks.

BURNTCIGAR, in particular, features under-the-hood modifications to incorporate a hashed hard-coded list of targeted processes to terminate, likely in an attempt to impede analysis.

One of the attacks mounted by the group in early June 2023 is said to have weaponized CVE-2020-1472 (Zerologon) and CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication software that has been previously exploited by the FIN7 gang, for initial access.

Canadian cybersecurity company BlackBerry said it marks the group’s “first observed use of an exploit for the Veeam vulnerability CVE-2023-27532.”

“The Cuba ransomware operators continue to recycle network infrastructure and use a core set of TTPs that they have been subtly modifying from campaign to campaign, often adopting readily available components to upgrade their toolset whenever the opportunity arises,” it added.

Ransomware remains a major money-spinner for financially motivated threat actors, growing both in sophistication and volume in the first half of 2023 compared to all of 2022, despite intensified law enforcement efforts to take them down.

Some groups have also started moving away from encryption to pure exfiltration and ransom or, alternatively, resorting to triple extortion, in which the attacks go beyond data encryption and theft to blackmail a victim’s employees or customers and carry out DDoS attacks to apply more pressure.

Another notable tactic is the targeting of managed service providers (MSPs) as entry points to breach downstream corporate networks, as evidenced in a Play ransomware campaign aimed at the finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy.

The attacks leverage “Remote Monitoring and Management (RMM) software used by service providers to gain direct access to a customer’s environment, bypassing the majority of its defenses,” Adlumin said, granting threat actors unfettered, privileged access to networks.

The repeated abuse of legitimate RMM software by threat actors has led the U.S. government to release a Cyber Defense Plan to mitigate threats to the RMM ecosystem.

“Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or managed security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized businesses that are MSP/MSSP customers,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) cautioned.

Parts of this article are sourced from:
thehackernews.com
