A thorough technical analysis of BlackCat ransomware, which has been causing havoc for organizations across the world. ALPHV, also known as BlackCat, is a ransomware family first seen in late 2021 and has been targeting multiple firms across industries.
In recent years, ransomware attacks have become increasingly common, with new strains being discovered all the time. One such strain is BlackCat ransomware, which has been causing havoc for organizations across the world. ALPHV, also known as BlackCat, is a ransomware family first seen in late 2021 and has been targeting multiple firms across industries. The operators of the ransomware are seen employing double extortion techniques, which involve not only encrypting the system but also stealing sensitive files from their victims. Reportedly, another tool is used with the ransomware for stealing data.
BlackCat ransomware is written in Rust and comes in the form of a command-line tool, which can be run with different arguments. It is capable of killing multiple processes and services. One of its key features is its ability to escalate privileges and bypass User Account Control (UAC). This sophisticated malware uses either AES or ChaCha20 encryption (depending on its configuration) to encrypt all the files on a victim's system. Additionally, it has sandbox evasion capabilities that make the sample hard to analyze: the ransomware requires arguments to run, so an automated sandbox that does not supply them cannot execute it. In this blog, we'll take a closer look at the characteristics and technicalities of this Rust-written ransomware.
Historical Campaign Overview
Attackers who use the BlackCat ransomware reportedly also use a .NET stealer tool named ExMatter, developed by the same APT group, to download files from the victim machine. This makes the attack even more formidable, since it gives attackers the leverage for a technique known as double extortion, which involves the added pressure of leaking stolen files possibly containing sensitive data. (Refer to the Appendix for a YARA rule that helps with hunting BlackCat.)
Technical Analysis
The BlackCat binary comes in the form of a command-line tool that can be run using different arguments. For example:
By using --verbose, the logs created by BlackCat will be displayed on the console.
The --ui option displays a GUI-like display in the terminal window, showing the progress and information related to the files being encrypted on the system.
Screenshot of the GUI-like display shown upon using the UI option
Out of these arguments, only one of them is essential to the execution of the binary, which is the access-token argument.
List of the arguments that can be used while running the binary
Pre-Encryption Operations
As mentioned earlier, the binary will only run if it is supplied with a 32-character long access token. It uses the GetCommandLineW API in order to check whether the access token is correctly supplied.
Using GetCommandLineW to check whether the access token is correctly supplied
Depending on the version of the ransomware, this token can either be random (as in this sample) or, as seen in the latest versions, a 32-character key used to encrypt the configuration of the ransomware embedded within the binary. The latest versions do this in order to stop security researchers from extracting the configuration. This also serves as an anti-sandboxing measure, since automated analysis tools will not be able to execute the sample unless they are configured to supply the access token.
Ransom Note
Once the access token is supplied to the binary, the ransomware proceeds by decrypting the ransom note embedded within the binary and storing it for later use. It also sets the ransom note as the Desktop wallpaper.
Decrypted ransom note stored for later use
After this, the ransomware prepares itself to escalate privileges by creating a new thread using the CreateThread API.
Privilege Escalation & UAC Bypass
BlackCat ransomware performs a UAC bypass by abusing Microsoft COM (component object model). This attack involves using COM objects of a binary known as Microsoft CMSTP (Connection Manager Profile Installer), particularly the CMSTPLUA interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}.
The ransomware uses CoGetObject to register itself with the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, which is legitimately used to execute applications with elevated privileges. This technique allows it to bypass the UAC prompt and perform its malicious actions without being detected or blocked by the system's security measures.
Using CoGetObject to register itself with {3E5FC7F9-9A51-4367-9063-A120244FBEC7} in order to gain elevated privileges
Once the ransomware elevates privileges, it executes within the newly created thread and carries its arguments forward from its previous instance.
BlackCat executes itself within the new thread with elevated privileges using the same arguments as before
After this, BlackCat uses the LookupPrivilegeValueW API to look up the local identifiers for a list of privileges. Each of these privileges enables the running process to run system-level operations. (Refer to the Appendix for a complete list and description of each privilege.) The binary then uses AdjustTokenPrivileges to grant itself those privileges.
List of privileges sought out by BlackCat
Using LookupPrivilegeValueW and AdjustTokenPrivileges in order to grant itself privileges
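One way to hunt for the bulk privilege enabling described above, as an added example that is not part of the original analysis: it aggregates Windows Security event 4703 (token right adjusted) records per process and flags a process that enables many of the privileges in this article's appendix. The event dictionaries, host name, process IDs, paths and the `min_overlap` threshold are constructed assumptions.

```python
from collections import defaultdict

# Privilege names from this article's appendix table.
BLACKCAT_PRIVS = set("""
SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege
SeLoadDriverPrivilege SeSystemProfilePrivilege SeSystemtimePrivilege
SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege SeBackupPrivilege SeRestorePrivilege
SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege SeRemoteShutdownPrivilege SeUndockPrivilege
SeManageVolumePrivilege SeImpersonatePrivilege
""".split())
# Enabled by default on ordinary tokens, so it carries no signal here.
LOW_SIGNAL = {"SeChangeNotifyPrivilege"}

def enabled_privileges(event):
    """Names in a 4703 event's EnabledPrivilegeList ('-' means none)."""
    return {p for p in event.get("EnabledPrivilegeList", "").split() if p != "-"}

def flag_bulk_enablers(events, min_overlap=10):
    """Sum enabled privileges per process across events; flag broad overlap.

    AdjustTokenPrivileges may be called once per privilege, so one process
    can produce many single-privilege events rather than one large one.
    """
    seen = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        key = (ev["Computer"], ev["ProcessId"], ev["ProcessName"])
        seen[key] |= (enabled_privileges(ev) & BLACKCAT_PRIVS) - LOW_SIGNAL
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_overlap}

# Constructed sample events (hypothetical host, PIDs and paths).
_burst = sorted(BLACKCAT_PRIVS)[:12]
SAMPLE_4703 = [
    {"EventID": 4703, "Computer": "WS-042", "ProcessId": "0x1a2c",
     "ProcessName": r"C:\Users\Public\locker.exe", "EnabledPrivilegeList": p}
    for p in _burst
] + [
    {"EventID": 4703, "Computer": "WS-042", "ProcessId": "0x0b10",
     "ProcessName": r"C:\Program Files\Backup\agent.exe",
     "EnabledPrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"EventID": 4624, "Computer": "WS-042"},
]
```

A backup agent that enables only SeBackupPrivilege and SeRestorePrivilege stays below the threshold, which is why the check counts breadth rather than alerting on any single privilege.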
Finally, BlackCat ends its preparation for encryption by doing the following:
Deleting all volume shadow copies using vssadmin and wmic commands, thus making data recovery much harder.
Disabling Automatic Repair using bcdedit, in order to prevent the recovery of system-related files.
Clearing event logs.
Terminating all active services and processes.
Note: BlackCat has its configuration embedded within itself and decrypts it at runtime. The configuration contains information about the public key to be used in order to encrypt the key, any specific services to terminate, an exception list, etc.
Screenshot displaying the BlackCat configuration
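The pre-encryption steps listed above, together with the access-token argument and the CMSTPLUA elevation described earlier, can be turned into process-creation detections. The following is an added example, not code from the original analysis: the exact command-line forms, the use of wevtutil for log clearing, the `locker.exe` name and the sample records are assumptions or constructed values.

```python
import re

# CLSID of the CMSTPLUA elevated COM interface named in this article.
CMSTPLUA = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# Behaviours from the article mapped to command-line patterns. The argument
# forms are assumptions (common forms of these built-in tools), not strings
# taken from the sample; wevtutil is assumed as the log-clearing tool.
RULES = {
    "access_token_arg": re.compile(r"--access-token[ =]\S{32}(\s|$)", re.I),
    "shadow_delete_vssadmin": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "shadow_delete_wmic": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "auto_repair_off": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "event_log_clear": re.compile(r"\bwevtutil(\.exe)?\b.*\s(cl|clear-log)\s", re.I),
}

def classify(event):
    """Return the set of rule names matched by one process-creation event."""
    hits = {name for name, rx in RULES.items() if rx.search(event["cmdline"])}
    # Elevated COM servers are hosted by dllhost.exe /Processid:{CLSID}; a
    # process spawned from that host points at the elevation path.
    parent = event.get("parent_cmdline", "").lower()
    if "dllhost" in parent and CMSTPLUA.lower() in parent:
        hits.add("cmstplua_elevated_child")
    return hits

def triage(events, threshold=2):
    """Group hits per host; report hosts showing >= threshold distinct behaviours."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev))
    return {h: sorted(b) for h, b in per_host.items() if len(b) >= threshold}

# Constructed process-creation records, not taken from a real incident.
SAMPLE_EVENTS = [
    {"host": "WS-042", "cmdline": "locker.exe --access-token 0123456789abcdef0123456789abcdef --verbose",
     "parent_cmdline": r"C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"host": "WS-042", "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent_cmdline": "cmd.exe /c"},
    {"host": "WS-042", "cmdline": "bcdedit /set {default} recoveryenabled No",
     "parent_cmdline": "cmd.exe /c"},
    {"host": "WS-007", "cmdline": "vssadmin list shadows",
     "parent_cmdline": "powershell.exe"},
]
```

Requiring two or more distinct behaviours per host keeps a lone administrative command, such as listing shadow copies, from raising an alert.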
Data Encryption
The sample of BlackCat utilized for this analysis employs AES for encryption. The steps involved in encrypting are as follows:
BlackCat first traverses the system by using a loop of FindFirstFile and FindNextFile in order to find all the files on the system.
The ransom note is written to each directory using WriteFile.
Screenshot of the ransom note left by BlackCat
Using BCryptGenRandom, the ransomware calculates a random AES key.
A JSON block is created for each file, which contains the AES key that is used to encrypt the file, and information about the file.
JSON block containing information about the key and file
The AES key is further encrypted using the RSA public key stored in the BlackCat configuration.
The file is encrypted using AES, and the contents are written to the file using ReadFile and WriteFile. The new extension of the file is mentioned in the BlackCat configuration.
Using AES to encrypt the file
Post-Encryption Operations
Once BlackCat is done encrypting all files on the system, the Desktop wallpaper is changed, instructing the user to refer to the ransom note.
Changed Desktop background
The .onion URL specified in the ransom note is unique to each victim, as each sample uses a different access token, supplied to the URL as a parameter. The onion URL contains information about the files encrypted/stolen and instructions on how to pay the ransom.
List of Security Privileges & Responsibilities Targeted by BlackCat
| Security Privilege | Responsibility |
|---|---|
| SeIncreaseQuotaPrivilege | Allows a process to increase the memory quota assigned to it. |
| SeSecurityPrivilege | Allows a process to read or modify the security settings of objects in the system. |
| SeTakeOwnershipPrivilege | Allows a process to take ownership of any object in the system. |
| SeLoadDriverPrivilege | Allows a process to load device drivers. |
| SeSystemProfilePrivilege | Allows a process to gather profiling information for the entire system. |
| SeSystemtimePrivilege | Allows a process to change the system time. |
| SeProfileSingleProcessPrivilege | Allows a process to profile a single process. |
| SeIncreaseBasePriorityPrivilege | Allows a process to increase the base priority of a thread. |
| SeCreatePagefilePrivilege | Allows a process to create a pagefile. |
| SeBackupPrivilege | Allows a process to perform backup and restore operations. |
| SeRestorePrivilege | Allows a process to restore backed-up objects. |
| SeShutdownPrivilege | Allows a process to shut down the system. |
| SeDebugPrivilege | Allows a process to debug other processes. |
| SeSystemEnvironmentPrivilege | Allows a process to modify system environment variables. |
| SeChangeNotifyPrivilege | Allows a process to receive notifications when an object is modified. |
| SeRemoteShutdownPrivilege | Allows a process to shut down remote systems. |
| SeUndockPrivilege | Allows a process to undock a laptop computer. |
| SeManageVolumePrivilege | Allows a process to manage volume and disk configurations. |
| SeImpersonatePrivilege | Allows a process to impersonate other users or groups. |
YARA Rule for BlackCat Threat Hunting
rule win_blackcat_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-03-28"
version = "1"
description = "Detects win.blackcat."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat"
malpedia_rule_date = "20230328"
malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
malpedia_version = "20230407"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { c3 81f90a010000 7e6a 81f9e2030000 0f8fcc000000 81f90b010000 }
// n = 6, score = 600
// c3 | ret
// 81f90a010000 | cmp ecx, 0x10a
// 7e6a | jle 0x6c
// 81f9e2030000 | cmp ecx, 0x3e2
// 0f8fcc000000 | jg 0xd2
// 81f90b010000 | cmp ecx, 0x10b
$sequence_1 = { 85f6 0f8482000000 bb03000000 8d0437 }
// n = 4, score = 600
// 85f6 | test esi, esi
// 0f8482000000 | je 0x88
// bb03000000 | mov ebx, 3
// 8d0437 | lea eax, [edi + esi]
$sequence_2 = { 885405cc 48 eb19 89ca 83fa63 7fbe }
// n = 6, score = 600
// 885405cc | mov byte ptr [ebp + eax - 0x34], dl
// 48 | dec eax
// eb19 | jmp 0x1b
// 89ca | mov edx, ecx
// 83fa63 | cmp edx, 0x63
// 7fbe | jg 0xffffffc0
$sequence_3 = { f20f104808 8d45d4 894dec c645f004 8d4dec }
// n = 5, score = 600
// f20f104808 | movsd xmm1, qword ptr [eax + 8]
// 8d45d4 | lea eax, [ebp - 0x2c]
// 894dec | mov dword ptr [ebp - 0x14], ecx
// c645f004 | mov byte ptr [ebp - 0x10], 4
// 8d4dec | lea ecx, [ebp - 0x14]
$sequence_4 = { 3d32210000 747b 3d33210000 0f8571050000 8b07 }
// n = 5, score = 600
// 3d32210000 | cmp eax, 0x2132
// 747b | je 0x7d
// 3d33210000 | cmp eax, 0x2133
// 0f8571050000 | jne 0x577
// 8b07 | mov eax, dword ptr [edi]
$sequence_5 = { b005 5e 5d c3 81f90a010000 7e6a 81f9e2030000 }
// n = 7, score = 600
// b005 | mov al, 5
// 5e | pop esi
// 5d | pop ebp
// c3 | ret
// 81f90a010000 | cmp ecx, 0x10a
// 7e6a | jle 0x6c
// 81f9e2030000 | cmp ecx, 0x3e2
$sequence_6 = { 747b 3d33210000 0f8571050000 8b07 83f00a }
// n = 5, score = 600
// 747b | je 0x7d
// 3d33210000 | cmp eax, 0x2133
// 0f8571050000 | jne 0x577
// 8b07 | mov eax, dword ptr [edi]
// 83f00a | xor eax, 0xa
$sequence_7 = { b806000000 c7460400000000 894608 c70601000000 83c430 }
// n = 5, score = 600
// b806000000 | mov eax, 6
// c7460400000000 | mov dword ptr [esi + 4], 0
// 894608 | mov dword ptr [esi + 8], eax
// c70601000000 | mov dword ptr [esi], 1
// 83c430 | add esp, 0x30
$sequence_8 = { 89d0 ba3e000000 897e0c f7e2 }
// n = 4, score = 600
// 89d0 | mov eax, edx
// ba3e000000 | mov edx, 0x3e
// 897e0c | mov dword ptr [esi + 0xc], edi
// f7e2 | mul edx
$sequence_9 = { c6410b00 66c741090000 8b45ec 894110 c7411400000000 b801000000 8901 }
// n = 7, score = 600
// c6410b00 | mov byte ptr [ecx + 0xb], 0
// 66c741090000 | mov word ptr [ecx + 9], 0
// 8b45ec | mov eax, dword ptr [ebp - 0x14]
// 894110 | mov dword ptr [ecx + 0x10], eax
// c7411400000000 | mov dword ptr [ecx + 0x14], 0
// b801000000 | mov eax, 1
// 8901 | mov dword ptr [ecx], eax
condition:
7 of them and filesize < 29981696
}
Mehardeep Singh Sawhney
Extremely passionate about cyber security and its real application in protecting Information Assets. Love learning about new ways to exploit devices.
Hansika Saxena
Product Manager at CloudSEK with a background in cyber threat intelligence and a focus on user experience. She bridges research with product design to shape solutions that are intuitive and impactful.