The BlackCat/ALPHV ransomware operation has in recent days revealed a change in tactics that worries security experts.
It is the introduction of a new tool, known as Munchkin, that uses virtual machines to stealthily deploy encryptors to victim devices.
Munchkin allows BlackCat to run on remote systems or perform encryption operations on infected devices. Adding this tool to BlackCat's already extensive and sophisticated arsenal makes the RaaS even more attractive to cybercriminals seeking to become affiliates of the operation.
Palo Alto Networks' Unit 42 discovered that Munchkin is a customized Alpine Linux distribution delivered as an ISO file. After compromising a device, the threat actors install VirtualBox and create a new virtual machine booted from the Munchkin ISO. Running the tooling inside a guest operating system keeps it out of reach of the security software installed on the compromised host, which can see the hypervisor process but not what executes inside the VM.
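That host-side visibility gap is also the defender's opportunity: the VirtualBox installation and the VBoxManage calls that create, attach an ISO to, and start the VM all run on the compromised host and appear in ordinary process-creation telemetry. The following Python script is an added example, not code from the article or from Unit 42's research, showing a hunt over such telemetry: it correlates VBoxManage activity per host and VM and flags a VM that is booted from an ISO on a host that is not on a hypervisor allow-list. The log records, host names, user names, the ISO path and the KNOWN_VBOX_HOSTS allow-list are all constructed for illustration and are not real Munchkin indicators.

```python
"""Hunt process telemetry for VirtualBox VMs booted from an ISO on hosts with no hypervisor baseline.

Added example (not from the article or Unit 42). The signal is generic: a VM booted from a live
ISO on a file server or workstation is worth a look whenever Munchkin-style VM abuse is a concern,
because the host's endpoint agent cannot inspect what runs inside the guest.
"""
import re
import shlex
from collections import defaultdict

# Hosts where VirtualBox use is expected (assumed allow-list; feed it from asset inventory in practice).
KNOWN_VBOX_HOSTS = {"DEV-LAB-01"}

# Constructed process-creation records (key=value with a quoted command line). Not real Munchkin artefacts.
SAMPLE_EVENTS = """\
ts=2023-10-19T02:11:04Z host=FS-02 user=CORP\\svc_backup image=VBoxManage.exe cmdline="VBoxManage.exe createvm --name bk01 --ostype Linux26_64 --register"
ts=2023-10-19T02:11:05Z host=FS-02 user=CORP\\svc_backup image=VBoxManage.exe cmdline="VBoxManage.exe storagectl bk01 --name IDE --add ide"
ts=2023-10-19T02:11:06Z host=FS-02 user=CORP\\svc_backup image=VBoxManage.exe cmdline="VBoxManage.exe storageattach bk01 --storagectl IDE --port 0 --device 0 --type dvddrive --medium C:\\Windows\\Temp\\live.iso"
ts=2023-10-19T02:11:09Z host=FS-02 user=CORP\\svc_backup image=VBoxManage.exe cmdline="VBoxManage.exe startvm bk01 --type headless"
ts=2023-10-19T09:30:00Z host=DEV-LAB-01 user=CORP\\jdoe image=VBoxManage.exe cmdline="VBoxManage.exe startvm ubuntu-test --type headless"
ts=2023-10-19T10:02:00Z host=WS-17 user=CORP\\asmith image=VBoxManage.exe cmdline="VBoxManage.exe list vms"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value record into a dict, stripping the quotes around the command line."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def flag_value(argv, flag):
    """Return the value following a --flag in argv, or None if the flag is absent."""
    for i, arg in enumerate(argv[:-1]):
        if arg.lower() == flag:
            return argv[i + 1]
    return None


def vbox_action(cmdline):
    """Return (subcommand, vm_name, argv) if cmdline is a VBoxManage invocation, else None.

    posix=False keeps Windows backslashes in paths intact instead of treating them as escapes.
    """
    argv = shlex.split(cmdline, posix=False)
    if len(argv) < 2 or argv[0].lower() not in ("vboxmanage", "vboxmanage.exe"):
        return None
    sub = argv[1].lower()
    if sub == "createvm":
        name = flag_value(argv, "--name")
    elif sub in ("storagectl", "storageattach", "modifyvm", "startvm"):
        name = argv[2] if len(argv) > 2 else None
    else:
        name = None  # list, showvminfo, ... carry no VM-provisioning signal for this hunt
    return sub, name, argv


def hunt_iso_boot_vms(events, known_hosts=KNOWN_VBOX_HOSTS):
    """Correlate VBoxManage calls per (host, vm) and alert on ISO-booted VMs on unexpected hosts.

    Alert condition: an .iso attached as a medium and the VM started, on a host that is not on the
    allow-list. Whether the VM was freshly created and started headless raises the severity.
    """
    vms = defaultdict(lambda: {"created": False, "iso": None, "started": False,
                               "headless": False, "user": None, "first": None, "last": None})
    for ev in events:
        act = vbox_action(ev.get("cmdline", ""))
        if act is None or act[1] is None:
            continue
        sub, name, argv = act
        s = vms[(ev["host"], name)]
        s["user"] = ev.get("user")
        s["first"] = s["first"] or ev.get("ts")
        s["last"] = ev.get("ts")
        if sub == "createvm":
            s["created"] = True
        elif sub == "storageattach":
            medium = flag_value(argv, "--medium")
            if medium and medium.lower().endswith(".iso"):
                s["iso"] = medium
        elif sub == "startvm":
            s["started"] = True
            s["headless"] = (flag_value(argv, "--type") or "").lower() == "headless"

    alerts = []
    for (host, vm), s in vms.items():
        if host in known_hosts or not (s["iso"] and s["started"]):
            continue
        alerts.append({
            "host": host, "vm": vm, "user": s["user"], "iso": s["iso"],
            "fresh_vm": s["created"], "headless": s["headless"],
            "first_seen": s["first"], "last_seen": s["last"],
            "severity": "high" if s["created"] and s["headless"] else "medium",
        })
    return alerts


def run_hunt(raw=SAMPLE_EVENTS):
    """Parse the raw records and return the alerts (one high-severity alert for FS-02 with the sample data)."""
    events = [parse_event(line) for line in raw.splitlines() if line.strip()]
    return hunt_iso_boot_vms(events)


if __name__ == "__main__":
    for a in run_hunt():
        print(f"[{a['severity']}] {a['host']} vm={a['vm']} user={a['user']} iso={a['iso']} "
              f"fresh={a['fresh_vm']} headless={a['headless']} ({a['first_seen']} .. {a['last_seen']})")
```

The DEV-LAB-01 record is suppressed by the allow-list and the WS-17 record only lists VMs, so the sample yields a single alert for the file server. In a real deployment the allow-list should come from asset data rather than a literal set, and the same correlation can be extended to the VirtualBox installer itself and to unexpected hypervisor installs on servers, which the article describes as the first step of the intrusion.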
With Munchkin, BlackCat is even more formidable
The Munchkin virtual machine ships with a suite of scripts and utilities that let the threat actors dump passwords, move laterally across the network, build a BlackCat "Sphynx" encryptor payload, and execute programs on other computers in the network.
On startup, the VM changes the root password to one known only to the attackers and uses the tmux utility to launch a Rust-based malware binary called controller, which in turn loads the scripts used in the attack.
The controller reads a bundled configuration file that supplies an access token, the victim's credentials, configuration directives, a folder and file blocklist, and more.
This configuration is used to generate custom BlackCat encryptor executables in the /payloads/ directory, which are then pushed to remote devices to encrypt files or perform other malicious actions.
The introduction of Munchkin thus marks a further step that makes one of the most notorious ransomware operations on the world stage even more dangerous.