BlackCat ransomware uses new ‘Munchkin’ Linux VM in stealthy attacks

BlackCat ransomware uses new ‘Munchkin’ Linux VM in stealthy attacks

October 19, 2023 at 05:46PM

BlackCat/ALPHV ransomware is using a new tool called ‘Munchkin’ to deploy encryptors on network devices stealthily. The tool runs on virtual machines and allows threat actors to dump passwords, spread on the network, build encryptor payloads, and execute programs on computers. Munchkin makes the ransomware operation more attractive to cybercriminals.

Key takeaways from the meeting notes:

1. The BlackCat/ALPHV ransomware group has introduced a new tool called ‘Munchkin’ that uses virtual machines to deploy encryptors on network devices stealthily.
2. Munchkin allows BlackCat to run on remote systems and encrypt SMB or CIFS network shares.
3. Munchkin is a customized Alpine OS Linux distribution that comes as an ISO file. After compromising a device, threat actors install VirtualBox and create a virtual machine using the Munchkin ISO.
4. The Munchkin virtual machine contains scripts and utilities that enable threat actors to dump passwords, spread laterally on the network, build a BlackCat encryptor payload, and execute programs on network computers.
5. The root password of the Munchkin machine is known only to the attackers, and a Rust-based malware binary named ‘controller’ is executed during boot.
6. The ‘controller’ uses a configuration file that provides access tokens, victim credentials, and encryption directives. Custom BlackCat encryptor executables are generated based on this configuration and pushed to remote devices.
7. BlackCat’s authors warn their partners about leaving the Munchkin ISO on target systems due to the lack of encryption for the configuration, which could lead to chat access token leakage.
8. Affiliates are instructed to delete the Munchkin virtual machines and ISOs to prevent access token leakage and protect the negotiation chat between the ransomware gang and its victims.
9. Munchkin allows BlackCat ransomware affiliates to bypass security solutions due to the isolation provided by virtual machines, making detection and analysis more challenging.
10. The modular nature of Munchkin, with various Python scripts and unique configurations, allows for customization based on specific targets or campaigns.
11. BlackCat has evolved from its predecessors and continues to introduce advanced features, such as intermittent encryption, data leak API, Impacket and Remcom embedding, support for custom credentials, signed kernel drivers, and upgrades to the data exfiltration tool.
12. Notable victims of BlackCat in 2023 include the Florida Circuit Court, MGM Resorts, Motel One, Seiko, Estee Lauder, HWL Ebsworth, Western Digital, and Constellation Software.

Full Article