BlackCat Unveils Munchkin Tool, Risking Data Leaks

News Report: ALPHV/BlackCat Cybercrime Group Utilizes New Tool for Encryption

Researchers from Palo Alto Networks Unit 42 have uncovered a new tool in use by the cybercriminal group ALPHV/BlackCat. The tool, called Munchkin, enables covert deployment of ransomware encryptors on networked devices by running them inside virtual machines (Unit 42).

By adding Munchkin to its already extensive arsenal, BlackCat makes its RaaS (Ransomware-as-a-Service) offering more appealing to cybercriminals who seek to partner with BlackCat in distributing the ransomware and running extortion campaigns.

Munchkin is a customized Alpine Linux distribution shipped as an ISO image. After compromising a device, the attackers install VirtualBox and create a new virtual machine from the Munchkin ISO. This virtual machine, referred to as Virtual Munchkin, contains a collection of scripts and utilities that allow the criminals to harvest passwords, propagate across the network, generate a BlackCat “Sphynx” encryptor payload, and execute that payload on target devices.

Upon boot, the machine's password is changed to one known only to the attacker. The main Controller module is then launched inside a tmux session, which loads the attack scripts. The Controller module reads a built-in configuration file that supplies access tokens, credentials, configuration directives, blocklists of folders and files, execution tasks, and the target hosts to encrypt.

The Unit 42 team also found a message from the BlackCat authors embedded in the malicious code, warning affiliates to remove the ISO image from target systems because the configuration is stored unencrypted. The precaution is meant to prevent leakage of the malware itself and of the negotiation details between the extortionists and their victims.

Munchkin simplifies a range of tasks for BlackCat affiliates by sidestepping the protections on the victim's device. Running the tooling inside a virtual machine isolates it from the host operating system and its security software, making detection and analysis harder. The choice of Alpine Linux keeps the footprint small, and automated operations reduce the need for manual intervention.
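The mechanism described above (install VirtualBox on a compromised host, build a VM from an ISO, start it headless, let the guest do the work) leaves a recognizable trail in host process-creation telemetry even though the encryptor itself runs inside the guest. The following detection sketch is an added example, not code from Unit 42 or from the report; it runs over a few constructed process-creation events, recognizes the real VBoxManage subcommands (`createvm`, `storageattach --medium *.iso`, `startvm --type headless`) and the installer, and raises an alert when two or more of those stages appear on a host that is not on a site-specific allowlist of approved VirtualBox users. The hostnames, users, log format, installer filename pattern and the `APPROVED_VBOX_HOSTS` allowlist are all assumptions for the demo.

```python
"""Added detection example: VirtualBox VM built from an ISO on an unexpected host.

Not Unit 42's or BlackCat's code. The event format, hostnames and allowlist
below are constructed for the demo; the VBoxManage subcommands are real.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumption: hosts where interactive VirtualBox use is approved (site-specific).
APPROVED_VBOX_HOSTS: Set[str] = {"dev-ws-07"}

# Minimum number of distinct stages on one host before alerting.
ALERT_THRESHOLD = 2

# Installer binaries are typically named VirtualBox-<version>...exe (assumption).
INSTALLER_RE = re.compile(r"^virtualbox-\d[\w.-]*\.exe$")

# Constructed process-creation events: "host|user|image_path|command_line".
SAMPLE_EVENTS: List[str] = [
    r"fileserver-01|CORP\svc_backup|C:\Temp\VirtualBox-7.0.exe|VirtualBox-7.0.exe --silent",
    r"fileserver-01|CORP\svc_backup|C:\Program Files\Oracle\VirtualBox\VBoxManage.exe|"
    r"VBoxManage.exe createvm --name vm1 --ostype Linux_64 --register",
    r"fileserver-01|CORP\svc_backup|C:\Program Files\Oracle\VirtualBox\VBoxManage.exe|"
    r"VBoxManage.exe storageattach vm1 --storagectl IDE --port 0 --device 0 "
    r"--type dvddrive --medium C:\Temp\live.iso",
    r"fileserver-01|CORP\svc_backup|C:\Program Files\Oracle\VirtualBox\VBoxManage.exe|"
    r"VBoxManage.exe startvm vm1 --type headless",
    # Same headless start on an approved developer workstation: must not alert.
    r"dev-ws-07|CORP\alice|C:\Program Files\Oracle\VirtualBox\VBoxManage.exe|"
    r"VBoxManage.exe startvm ubuntu-test --type headless",
    r"fileserver-01|CORP\svc_backup|C:\Windows\System32\notepad.exe|notepad.exe readme.txt",
]


@dataclass
class Event:
    host: str
    user: str
    image: str
    command_line: str


def parse_event(line: str) -> Event:
    """Split one pipe-delimited event; the command line may itself contain '|'."""
    host, user, image, cmd = line.split("|", 3)
    return Event(host, user, image, cmd)


def _option_value(argv: List[str], flag: str) -> Optional[str]:
    """Return the argument following `flag`, or None if absent."""
    for i, tok in enumerate(argv[:-1]):
        if tok.lower() == flag:
            return argv[i + 1]
    return None


def classify(ev: Event) -> Optional[str]:
    """Map an event to a VM-deployment stage, or None if it is unrelated."""
    exe = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    # Simple whitespace split is enough for the demo; production code needs a
    # real argv parser to cope with quoted paths containing spaces.
    argv = ev.command_line.split()
    if exe == "vboxmanage.exe" and len(argv) >= 2:
        sub = argv[1].lower()
        if sub == "createvm":
            return "createvm"
        if sub == "storageattach":
            medium = _option_value(argv, "--medium")
            if medium and medium.lower().endswith(".iso"):
                return "iso_attach"
        if sub == "startvm" and (_option_value(argv, "--type") or "").lower() == "headless":
            return "headless_start"
        return None
    if INSTALLER_RE.match(exe):
        return "vbox_installer"
    return None


def detect(lines: List[str]) -> List[dict]:
    """Group stages per host and alert on non-approved hosts that reach the threshold."""
    stages_by_host: Dict[str, Set[str]] = {}
    users_by_host: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev)
        if stage is None:
            continue
        stages_by_host.setdefault(ev.host, set()).add(stage)
        users_by_host.setdefault(ev.host, set()).add(ev.user)
    alerts = []
    for host in sorted(stages_by_host):
        if host in APPROVED_VBOX_HOSTS:
            continue
        if len(stages_by_host[host]) >= ALERT_THRESHOLD:
            alerts.append({"host": host, "users": sorted(users_by_host[host]),
                           "stages": stages_by_host[host]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']} users={alert['users']} stages={sorted(alert['stages'])}")
```

The allowlist check is what keeps this usable: VirtualBox is legitimate on developer machines, so the signal is not "VirtualBox ran" but "VirtualBox was installed and a headless VM was built from a loose ISO on a server or service account that has no business doing so". Because the report notes the operators are told to delete the ISO afterwards, the on-disk image may already be gone by the time responders arrive, which is why the process-creation trail matters more than the file itself.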

The flexibility of Munchkin, with its Python scripts, per-deployment configurations, and the ability to swap payloads as needed, allows the tool to be
