This development comes just over a month after Microsoft reported a new version of the BlackCat ransomware, whose operators were using tools such as Impacket and RemCom for lateral movement and remote code execution in targeted environments.
What’s the latest update?
The Munchkin utility is distributed as an ISO file that is loaded into VirtualBox and booted, so the encryption work happens inside a guest VM rather than as a process on the host where endpoint tooling would normally see it.
- The ISO holds a customized Alpine Linux installation; once the VM boots, the malware changes the VM’s root password and launches the malware binary named “controller”.
- The “controller” malware is written in Rust and shares code and behaviour with the BlackCat malware family.
- Its job is to infect specific SMB/CIFS shares, record its activity in separate output logs, and shut the virtual machine down once the operation is complete.
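Because the encryptor runs inside a guest, the host-side evidence is VirtualBox itself: an ISO being attached and a VM being started on a machine that has no business running one. The hunt below is an added example and is not code from the article or from any vendor report. It evaluates constructed process-creation records (Sysmon-style fields, invented here) against three heuristics that are the editor’s assumptions: VirtualBox binaries running on a host outside an allowlist, an ISO attached from a user-writable or temporary directory, and a VM started headless. The `VBoxManage storageattach` and `VBoxManage startvm --type headless` subcommands are real VirtualBox CLI commands; the VM name, hostnames and paths are made up.

```python
"""Hunt for VirtualBox being used as a ransomware launcher on Windows endpoints.

Added illustration, not from the original article or any vendor report.
The heuristics, allowlist, record format and sample events are assumptions
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hosts where a VirtualBox install is expected (assumed allowlist).
APPROVED_VBOX_HOSTS = {"dev-ws-07"}

# Process images that belong to VirtualBox (real binary names).
VBOX_IMAGES = {"virtualbox.exe", "vboxheadless.exe", "vboxmanage.exe", "vboxsvc.exe"}

# Directories an operator would rarely boot a legitimate ISO from (assumption).
SUSPICIOUS_DIRS = (
    "\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)

# Constructed process-creation records; none of these are real telemetry.
SAMPLE_EVENTS = [
    'host="fin-srv-02" image="C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe" '
    'cmdline="VBoxManage.exe storageattach munchkin --storagectl IDE --port 0 --device 0 '
    '--type dvddrive --medium C:\\Users\\Public\\munchkin.iso"',
    'host="fin-srv-02" image="C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe" '
    'cmdline="VBoxManage.exe startvm munchkin --type headless"',
    'host="dev-ws-07" image="C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe" '
    'cmdline="VirtualBox.exe --startvm ubuntu-lab"',
    'host="hr-ws-13" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c whoami"',
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    command_line: str


def parse_event(line: str) -> dict[str, str]:
    """Parse one key="value" record into a dict (values contain no quotes)."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def split_cmd(cmd: str) -> list[str]:
    """Tokenise a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a process image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict[str, str]) -> list[Finding]:
    """Apply the three VirtualBox heuristics to a single parsed event."""
    findings: list[Finding] = []
    host = event.get("host", "?")
    image = image_name(event.get("image", ""))
    cmd = event.get("cmdline", "")
    if image not in VBOX_IMAGES:
        return findings  # only VirtualBox processes are of interest here

    # Rule 1: VirtualBox running where it has no business being.
    if host not in APPROVED_VBOX_HOSTS:
        findings.append(Finding(host, "virtualbox_on_unapproved_host", cmd))

    # Rule 2: an ISO image referenced from a user-writable or temp directory.
    for tok in split_cmd(cmd):
        if tok.lower().endswith(".iso") and any(d in tok.lower() for d in SUSPICIOUS_DIRS):
            findings.append(Finding(host, "iso_from_suspicious_path", cmd))
            break

    # Rule 3: a VM started without a console, as an unattended tool would do.
    lower = cmd.lower()
    if image == "vboxmanage.exe" and "startvm" in lower and "--type headless" in lower:
        findings.append(Finding(host, "headless_vm_start", cmd))
    return findings


def hunt(lines: list[str]) -> list[Finding]:
    """Run the heuristics over raw records and return every finding."""
    return [f for line in lines for f in evaluate(parse_event(line))]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.command_line}")
```

Rule 1 carries most of the weight: VirtualBox on a file server or finance workstation is rare enough to page on regardless of the command line, while rules 2 and 3 are there to raise the severity when the launch pattern matches an unattended tool rather than a developer clicking through the GUI. Tune the allowlist and directory list to your estate before deploying.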
Affiliates involved in the attacks
Notably, besides updating its tooling to evade detection, the group’s affiliates have kept up a steady tempo of attacks worldwide.
- The group claimed responsibility for targeting ten banks using the Quality Service Installation (QSI) service, disclosing that they stole approximately 5TB of sensitive data.
- The Motel One Group revealed that it fell victim to BlackCat ransomware attacks, resulting in the theft of customer data, including details of 150 credit cards.
- An affiliate of BlackCat disrupted MGM Resorts’ operations by encrypting over 100 ESXi hypervisors.
Conclusion
Given the group’s sustained activity and continual retooling, organizations should load the updated Indicators of Compromise (IOCs) published for this malware into their detection stack. IOCs alone lag behind a group that changes tooling this quickly, so pair them with behavioural coverage: alert on VirtualBox being installed or launched on hosts with no business need for it, on ISO images mounted from user-writable or temporary paths, and on VMs started headless. A Threat Intelligence Platform (TIP) can automate IOC ingestion and matching, but it does not replace that behavioural layer.