Heimdal
article featured image

Contents:

Researchers at Microsoft discovered a new version of the BlackCat ransomware. Dubbed ‘Sphynx’, this version embeds the Impacket networking framework and the Remcom hacking tool, both enabling spreading laterally across a breached network.

Back in April, the cybersecurity researcher VX-Underground tweeted about a new BlackCat/ALPHV encryptor version called Sphynx after seeing a message BlackCat sent to their affiliates announcing that the testing phase of the basic features is complete.

What We Know About BlackCat’s Newest Version?

As reported by BleepingComputer, cybersecurity experts performed a deep dive into the new BlackCat encryptor, warning that the encryptor evolved into a toolkit. This was predicated on strings in the executable that showed Impacket, a tool used for post-exploitation tasks including remote execution and secret dump from processes, was present.

The Microsoft Threat Intelligence team claims to have examined the latest Sphynx version and discovered that it utilized the Impacket framework to expand laterally on infected networks in a series of postings.

Microsoft has observed a new version of the BlackCat ransomware being used in recent campaigns. This version includes the open-source communication framework tool Impacket, which threat actors use to facilitate lateral movement in target environments.

Microsoft on BlackCat Sphynx (Source)

Impacket is described as an open-source collection of Python classes for working with network protocols. Penetration testers, members of red teams, and threat actors, on the other hand, utilize it more frequently as a post-exploitation toolset to perform NTLM relay attacks, move laterally on a network, and much more.

Threat actors that infiltrate a device on a network are increasingly using Impacket to obtain elevated credentials and access more devices. Microsoft claims that the BlackCat operation is deploying the encryptor across a network utilizing the Impacket framework for credential duping and remote service execution.

Microsoft claims that in addition to Impacket, the encryption tool also incorporates the Remcom hacking tool, a tiny remote shell that enables the encryption tool to remotely control other networked devices.ransomware note used by the blackcat/alphv threat group

BlackCat Ransom Note (Source)

This evolution proves again that BlackCat/ALPHV is one of the most active and advanced ransomware operations, constantly evolving its operations with new tactics.

By transitioning from a decryptor to a complete post-exploitation toolkit, the BlackCat encryptor enables the ransomware affiliates to introduce file encryption throughout the network.

The addition of these technologies simply makes it more difficult for defenders, as it is crucial to identify ransomware attacks as soon as they take place.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube for more cybersecurity news and topics.

Author Profile

Cristian Neagu

CONTENT EDITOR

linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE