A new iteration of the BlackCat ransomware was recently unveiled by Microsoft’s researchers. Termed ‘Sphynx’, this variant incorporates the Impacket networking framework and the Remcom hacking tool.
These additions empower the ransomware to propagate laterally within compromised networks.
In April, the security researcher VX-Underground posted on Twitter about a fresh iteration of the BlackCat/ALPHV encryptor. This updated version, named Sphynx, came to light after VX-Underground observed a message from BlackCat to its affiliates announcing that testing of the new build's core functionality was complete.
BlackCat’s Sphynx ransomware
BleepingComputer reported that security analysts examined the latest BlackCat encryptor and warned that it has evolved into a toolkit.
That assessment was based on strings in the executable indicating that it embeds Impacket, a tool used for post-exploitation activities such as remote execution and extracting secrets from processes.
In a series of posts, the Microsoft Threat Intelligence team said it had examined the latest Sphynx version and found that it uses the Impacket framework to move laterally across infected networks.
Impacket is an open-source collection of Python classes for working with network protocols. It is, however, widely used by penetration testers, red teamers, and threat actors as a post-exploitation toolkit, enabling actions such as NTLM relay attacks and lateral movement within a network.
Attackers who have gained a foothold on a network now favor Impacket for obtaining higher-privileged credentials and reaching additional devices. Microsoft states that the BlackCat operation uses Impacket to obtain credentials and execute services remotely while spreading the encryptor.
Microsoft adds that, besides Impacket, the encryptor also embeds the Remcom hacking tool, a small remote shell that lets the encryptor run commands on other devices on the network.
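As an added defender-side illustration (not code from the article, Microsoft, or BlackCat), the script below triages Windows event ID 7045 (new service installed) records for service installs that look like the remote service execution described above. The one-line log format is constructed for this example; the "RemComSvc" service name and the 4-letter service / 8-letter binary naming are assumed from those tools' commonly documented defaults, and should be treated as starting heuristics, not a complete signature.

```python
import re

# Constructed sample of event ID 7045 records, flattened to one line each.
SAMPLE_7045 = [
    r"EventID=7045 ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe",
    r"EventID=7045 ServiceName=RemComSvc ImagePath=%SystemRoot%\RemComSvc.exe",
    r"EventID=7045 ServiceName=BTOBTO ImagePath=%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
    r"EventID=7045 ServiceName=kTzQ ImagePath=%systemroot%\XhqWpLmN.exe",
    r"EventID=7045 ServiceName=Sysmon64 ImagePath=C:\Windows\Sysmon64.exe",
]

LINE_RE = re.compile(r"EventID=(?P<id>\d+) ServiceName=(?P<name>\S+) ImagePath=(?P<path>.*)")
# Assumed defaults: 4 random letters for the service, 8 random letters for the
# binary dropped into the admin share (i.e. %systemroot%).
RANDOM_SVC_RE = re.compile(r"^[A-Za-z]{4}$")
RANDOM_BIN_RE = re.compile(r"^%systemroot%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def classify(line: str):
    """Return a tag for a suspicious 7045 record, or None if it looks benign."""
    m = LINE_RE.match(line)
    if not m or m.group("id") != "7045":
        return None
    name, path = m.group("name"), m.group("path")
    lower = path.lower()
    # Remcom's service and binary both carry the RemComSvc name by default.
    if name.lower() == "remcomsvc" or lower.endswith("remcomsvc.exe"):
        return "remcom-service"
    # Command-shell services that relay output through the local admin share.
    if "\\\\127.0.0.1\\" in lower or ("%comspec% /q /c" in lower and "execute.bat" in lower):
        return "smbexec-style"
    # Randomly named service pointing at a randomly named binary in %systemroot%.
    if RANDOM_SVC_RE.match(name) and RANDOM_BIN_RE.match(path):
        return "psexec-style"
    return None


def triage(lines):
    """Return (service name, tag) for every record classify() flags."""
    hits = []
    for line in lines:
        tag = classify(line)
        if tag:
            hits.append((LINE_RE.match(line).group("name"), tag))
    return hits


if __name__ == "__main__":
    for name, tag in triage(SAMPLE_7045):
        print(f"{tag:15} {name}")
```

Correlate hits with the source of the SMB session that created the service (event 4624 logon type 3 and 5145 share access) before acting; a single randomly named service can also come from legitimate administration tooling.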
Once again, this evolution shows that BlackCat/ALPHV is a dynamic and sophisticated ransomware operation that keeps refining its tactics.
By shifting from a plain encryptor to a comprehensive post-exploitation toolkit, the BlackCat encryptor now lets its affiliates encrypt files across an entire network.