Talos analyzes how BlackCat/ALPHV operates as a growing ransomware-as-a-service with affiliates linked to prior groups like BlackMatter and DarkSide, outlining how the affiliates evolved the operation and used shared infrastructure. The piece details attack flows, techniques, and IOCs from two December/September attacks to illustrate how affiliates prepare environments before encryption and how defenders can detect early-stage activity before data is encrypted. #BlackCat #ALPHV #BlackMatter #DarkSide #RaaS #Talos #GOST #KaliLinux #ADRecon #SoftPerfectNetworkScanner
Key points
- BlackCat/ALPHV is a ransomware-as-a-service with affiliates, with ties to BlackMatter/DarkSide suspected but not a simple rebranding.
- Talos links a BlackMatter affiliate as an early adopter of BlackCat, indicating shared tools and possibly overlapping infrastructure/C2.
- The attack flow generally follows initial access, discovery/exfiltration, preparation, and encryption, with over 15 days from intrusion to encryption in the cases studied.
- Affiliates rely on persistence, defense evasion, and credential access techniques (e.g., reverse-SSH, ADS, registry keys, LSASS dumping) to establish and maintain footholds.
- Lateral movement uses WMIExec, WinRM, Remote Desktop, PsExec/RemCom, and SSH tunnels to reach more systems and deploy encryption across the network.
- Impact centers on domain-wide encryption via NETLOGON shares and Group Policy deployment, with attackers dropping and executing attack scripts to enable broad ransomware execution.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Initial access possibly via exploited Microsoft Exchange vulnerabilities. Quote: “There was evidence in the BlackMatter attack that the actor established initial access via the possible exploitation of Microsoft Exchange vulnerabilities.”
- [T1021.006] Remote Services – WinRM – PowerShell commands executed on remote machines via WinRM. Quote: “WinRM allows attackers to use PowerShell to execute commands on remote machines.”
- [T1112] Modify Registry – Persistence via registry keys (image file execution option debugger) to ensure persistent execution. Quote: “The “image file execution option” debugger registry key was another way to ensure the malicious file would be persistently executed on the system: … reg.exe add hklm\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe /v debugger /t reg_sz /d c:\system”
- [T1053.005] Scheduled Task – Persistence via scheduled tasks (schtasks) to run hidden tasks and maintain footholds. Quote: “c:\windows\system32\schtasks.exe /create /ru system /sc minute /tn microsoft\windows\wininet\cachetask /tr c:\:cachetask -b /f”
- [T1564.001] Hide Artifacts – Alternate Data Streams to conceal data. Quote: “hidden by writing to an alternate data stream (ADS) of the C: directory using the following command: … -stream ‘cachetask’ ”
- [T1003.001] Credential Dumping – LSASS memory dumped with Procdump/Dumpert to harvest credentials. Quote: “dumping the LSASS process memory and extracting credentials with Microsoft Sysinternals Procdump and Dumpert”
- [T1562.001] Impair Defenses – Logs disabled to avoid detection; anti-rootkit tools used. Quote: “logs were disabled on several systems to avoid detection. …”
- [T1047] Windows Management Instrumentation – WMIExec used to gain remote shell on WMI-enabled systems. Quote: “Impacket’s WMIExec provides a shell on remote systems that have the WMI service exposed.”
- [T1021.001] Remote Services – PsExec/RemCom for lateral movement; open-source RemCom used similarly to PsExec. Quote: “PsExec on both attacks and RemCom — an open-source version of psexec — during the BlackMatter attack.”
- [T1572] Protocol Tunneling – SSH tunnels used for C2/reverse shells; Kali Linux usage hints at command/control via tunneling. Quote: “The attackers used reverse-ssh tunnels to set up reverse SSH tunnels and provide reverse shells to the attacker.”
- [T1046] Network Service Scanning – Discovery using SoftPerfect Network Scanner to map network infrastructure. Quote: “network scanning and reconnaissance using softperfect network scanner.”
- [T1018/T1069] Active Directory Discovery – ADRecon used to collect information from Active Directory and key servers. Quote: “ADRecon was also used to collect information from Active Directory and its key servers.”
- [T1486] Data Encrypted for Impact – Encryption across domain via NETLOGON shares; domain-wide encryption. Quote: “When encryption begins, the ransomware file named .exe … was dropped on the domain servers inside the SYSVOL folder, making it accessible on the NETLOGON network share.”
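As an added example (not code from the Talos post or this summary), a small Python detection sketch that checks process-creation command lines for the IFEO debugger, ADS-backed scheduled task, ADS write and LSASS-dump patterns quoted in the technique list above; the sample command lines are constructed to mirror those quotes, not copied from the report.

```python
import re

# Constructed sample process-creation command lines, modelled on the commands
# quoted in the technique list above (not taken from the Talos report).
SAMPLE_CMDLINES = [
    r'reg.exe add "hklm\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe" /v debugger /t reg_sz /d c:\system',
    r'c:\windows\system32\schtasks.exe /create /ru system /sc minute /tn microsoft\windows\wininet\cachetask /tr c:\:cachetask -b /f',
    r'powershell.exe -c "set-content -path c:\ -stream cachetask -value $payload"',
    r'procdump64.exe -accepteula -ma lsass.exe c:\temp\lsass.dmp',
    r'notepad.exe c:\users\alice\notes.txt',  # benign control line
]

# Each rule: (label, case-insensitive regex searched over the full command line).
RULES = [
    ("T1112 IFEO debugger persistence",
     re.compile(r'image file execution options\\.*?/v\s+debugger', re.I)),
    # A /tr target whose path carries ':' after 'drive:\' is an alternate data stream.
    ("T1053.005/T1564.001 scheduled task launching from an ADS",
     re.compile(r'schtasks(\.exe)?\s.*?/tr\s+"?[a-z]:\\[^\s"]*:[^\s"]+', re.I)),
    ("T1564.001 write to alternate data stream",
     re.compile(r'-stream\s+[\'"]?\w+', re.I)),
    ("T1003.001 LSASS memory dump",
     re.compile(r'\b(procdump|dumpert)\w*\b.*\blsass\b', re.I)),
]


def detect(cmdline):
    """Return the labels of every rule that matches a single command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Map each suspicious command line to the rule labels it triggered."""
    return {c: hits for c in cmdlines if (hits := detect(c))}


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(hits, "<-", cmd[:70])
```

In practice the command lines would come from Sysmon event ID 1 or Windows security event 4688 with command-line auditing enabled; the regexes are deliberately narrow and will need tuning for each environment.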
Indicators of Compromise
- [Domain] windows[.]menu – Domain used for malicious activity
- [IP] 52.149.228[.]45, 20.46.245[.]56 – C2 or hosting infrastructure
- [Hash] D97088F9795F278BB6B732D57F42CBD725A6139AFE13E31AE832A5C947099676, 060CA3F63F38B7804420729CDE3FC30D126C2A0FFC0104B8E698F78EDAB96767 – BlackCat/ALPHV related binaries
- [Hash] 706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D – BlackMatter/ALPHV related binary
- [Hash] 47AFFAED55D85E1EBE29CF6784DA7E9CDBD86020DF8B2E9162A0B1A67F092DCD – Reverse-ssh binary
- [Hash] 65DBAFE9963CB15CE3406DE50E007408DE7D12C98668DE5DA10386693AA6CD73 – Stealer tool binary
- [File name] Apply.ps1, defender.vbs – Scripts dropped/used during operation
Read more: https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html