[MART] - Daily Diary #601 - New BlackCat Update

ctas-mat at appgate.com ctas-mat at appgate.com
Fri Sep 23 20:50:22 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

09/23/2022 - Diary entry #601:

Covered in our Daily Diaries #445 and #535, BlackCat (also known as ALPHV) is a ransomware written in Rust, active since November 2021, that operates using the double extortion method. Along with LockBit (as mentioned yesterday on Daily Diary #600), BlackCat is considered the successor of Darkside and BlackMatter, being one of the most sophisticated and technically advanced ransomware-as-a-service (RaaS) operations nowadays.

Recently, a new version of BlackCat was disclosed. The new version contains lots of updates in a tool called "Exmatter", used by BlackCat to exfiltrate data from compromised systems. Besides significant code refactoring, this update includes FTP as an exfiltration option in addition to SFTP and WebDav, and options for enumeration of processed files, as well as file eraser and self-destruction capabilities.

Another recent addition to BlackCat’s operation is the implementation of a malware called "Eamfo", which targets credentials stored in Veeam backups (credential storage software on domain controllers and cloud services). The same mechanism to steal the backup credentials from Veeam SQL databases was already used by other Ransomware gangs in the past such as LockBit and Yanluowang.

This new version shows an increase of the threat actor’s toolkit, probably driven by ex-Conti affiliates switching to BlackCat. BlackCat is expected to continue to evolve, but its development suggests that data theft and extortion remain its central focus.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>


Malware Analysis and Research Team

E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220923/1f0d9c25/attachment.htm>

More information about the MART mailing list