BlackCat (ALPHV) is a Rust-based ransomware-as-a-service (RaaS) operation that the source ties to the BlackMatter and REvil lineage, notable for cross-platform samples and an exfiltration workflow built on a modified ExMatter tool that the researchers call Fendr. Telemetry suggests a close tie to past BlackMatter activity through tool reuse, and two incidents described in the source highlight the risk of shared cloud hosting and the reuse of malware between BlackMatter and BlackCat operations.
#ALPHV #BlackCat #BlackMatter #REvil #Fendr #ExMatter
Keypoints
- BlackCat/ALPHV is a Rust-written ransomware group operating as a RaaS and targeting corporate victims worldwide.
- There is a concrete link to prior BlackMatter/REvil activity through the reuse and modification of the Fendr (ExMatter) exfiltration tool.
- Two incidents show the risk created by shared cloud hosting and an agile pattern of malware reuse between BlackMatter and BlackCat.
- The malware checks which Windows version it runs under, collects machine identifiers (MachineGuid, UUID) that feed encryption key generation, and uses Windows named pipes for inter-process communication.
- It uses privilege escalation (process token impersonation, COM elevation moniker UAC bypass), credential dumping (Mimikatz, NirSoft password recovery utilities) and lateral movement (a compressed PsExec).
- Encryption uses AES or ChaCha20 with keys generated through BCryptGenRandom, appends a custom extension to encrypted files, and relies on hard-coded credentials for propagation and privilege escalation.
- Operational maturity is evidenced by the expanded set of file types Fendr exfiltrates and by broader targeting across industrial environments.
MITRE Techniques
- [T1134.001] Access Token Manipulation: Token Impersonation/Theft – Used for privilege escalation. Quote: ‘Simple process token impersonation.’
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – COM elevation moniker UAC bypass. Quote: ‘COM elevation moniker UAC Bypass.’
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The malware spawns cmd.exe to run commands. Quote: ‘Using “cmd.exe” malware executes a special command:’
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement with a compressed PsExec, which copies its service binary to the target over an admin share and installs it as a service. Quote: ‘compressed version of PsExec to spread laterally within an organization.’
- [T1003.001] OS Credential Dumping: LSASS Memory – A Mimikatz batch file is delivered alongside NirSoft network password recovery utilities; note that the NirSoft tools recover stored credentials rather than LSASS memory and map more closely to T1555 (Credentials from Password Stores). Quote: ‘delivered a Mimikatz batch file along with executables and Nirsoft network password recovery utilities.’
- [T1490] Inhibit System Recovery – Deletes volume shadow copies with vssadmin so files cannot be restored from them. Quote: ‘vssadmin.exe delete shadows /all /quiet’
- [T1082] System Information Discovery – Checks the OS version to tailor its behavior. Quote: ‘The malware checks which version of the Windows operating system it’s being executed under.’
- [T1486] Data Encrypted for Impact – Encrypts files with AES or ChaCha20; keys are generated with BCryptGenRandom. Quote: ‘AES or CHACHA20 algorithms are used for file encryption.’
- [T1041] Exfiltration Over C2 Channel – Uses a custom exfiltration tool (Fendr, a modified ExMatter). Quote: ‘modified exfiltration utility that we call Fendr.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – Obtains a list of services and processes to kill and a list of files and folders to exclude from encryption, then terminates the listed processes and services before encrypting. Quote: ‘the malware gets a list of services to be killed, as well as files and folders to be excluded from the encryption process, kills processes.’
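The host behaviours mapped above (shadow copy deletion through cmd.exe, machine identifier collection, PsExec lateral movement) can be turned into process-creation detections. The following is an added example written for this summary, not code from the Securelist analysis: it runs a small rule set over constructed Sysmon Event ID 1 / Security 4688 style records. The vssadmin pattern follows the command quoted on this page and PSEXESVC is the service binary PsExec installs on the remote host; the wmic/reg patterns for reading the UUID and MachineGuid are an assumption about how those identifiers are collected, since the page quotes no specific command for them.

```python
"""Process-creation detection for the BlackCat host behaviours listed above.

Added example for this summary; it is not code from the Securelist analysis.
Events are constructed Sysmon Event ID 1 / Security 4688 style records.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str
    reason: str
    image: str
    command_line: str


# Constructed telemetry, not real captures. The first three mimic the
# behaviours cited on this page; the fourth is a benign backup job used
# to show the rules do not fire on ordinary service activity.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\x_alpha_x86_32_windows_encrypt_app.exe",
     "CommandLine": 'cmd.exe /c "vssadmin.exe delete shadows /all /quiet"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic csproduct get UUID"},
    {"Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"Image": r"C:\Program Files\Backup\backup.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "backup.exe --full --target E:\\"},
]

# (ATT&CK id, reason, regex applied to "Image CommandLine").
# vssadmin: the command quoted on this page. PSEXESVC: the service binary
# PsExec installs on the target. wmic/reg for UUID and MachineGuid: an
# assumption about how the identifiers are read, not a quote from the page.
RULES = [
    ("T1490", "volume shadow copy deletion via vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.I)),
    ("T1082", "machine identifier collection (UUID/MachineGuid)",
     re.compile(r"wmic(\.exe)?\s+csproduct\s+get\s+uuid"
                r"|reg(\.exe)?\s+query\s+.*cryptography.*machineguid", re.I)),
    ("T1021.002", "PsExec service binary (PSEXESVC)",
     re.compile(r"psexesvc(\.exe)?\b", re.I)),
]

# Stable suffix of the sample file name from the IoC list (prefix redacted there).
ENCRYPTOR_NAME_SUFFIX = "_windows_encrypt_app.exe"


def evaluate(event: dict) -> list[Finding]:
    """Return all findings for one process-creation event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    text = f"{image} {cmd}"
    findings = [Finding(tid, reason, image, cmd)
                for tid, reason, pattern in RULES if pattern.search(text)]
    # cmd.exe spawned by a binary named like the BlackCat sample: the page
    # reports the encryptor running commands through cmd.exe (T1059.003).
    parent = event.get("ParentImage", "").lower()
    if parent.endswith(ENCRYPTOR_NAME_SUFFIX) and image.lower().endswith("cmd.exe"):
        findings.append(Finding("T1059.003",
                                "cmd.exe spawned by suspected BlackCat encryptor",
                                image, cmd))
    return findings


def scan(events) -> list[Finding]:
    """Evaluate every event and flatten the findings."""
    return [f for e in events for f in evaluate(e)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.reason}: {f.command_line}")
```

`vssadmin delete shadows` also appears in legitimate backup maintenance scripts, so in production the T1490 rule should be weighted by the parent process and the account running it; the PSEXESVC rule is high-confidence only where PsExec is not an approved administration tool.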
Indicators of Compromise
- [Hash] MD5 – B6B9D449C9416ABF96D21B356A41A28E
- [Hash] SHA1 – 38fa2979382615bbee32d1f58295447c33ca4316
- [Hash] SHA256 – be8c5d07ab6e39db28c40db20a32f47a97b7ec9f26c9003f9101a154a5a98486
- [File name] Sample – <xxx>_alpha_x86_32_windows_encrypt_app.exe
- [File size] Sample – 2.94 MB
- [File extension] .doc, .docx and further extensions added to the set of file types Fendr exfiltrates
- [Hash] MD5 – 17146b91dfe7f3760107f8bc35f4fd71 – associated in the source with the modified Fendr (ExMatter) exfiltration utility
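To sweep hosts for the indicators above, the hashes can be compared in a single pass over each file and the partly redacted sample name matched on its stable suffix. The following is an added example written for this summary, not a tool from the source; the hash values are the IoCs listed on this page, and the files built by `demo()` are constructed stand-ins, not the sample.

```python
"""Offline IoC sweep for the hashes and sample file name listed above.

Added example for this summary, not a tool from the source. Hash values are
the IoCs on this page; the demo files are constructed and are not the sample.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes from the IoC list, lower-cased for comparison.
IOC_HASHES = {
    "b6b9d449c9416abf96d21b356a41a28e",                                  # MD5, encryptor
    "38fa2979382615bbee32d1f58295447c33ca4316",                          # SHA-1, encryptor
    "be8c5d07ab6e39db28c40db20a32f47a97b7ec9f26c9003f9101a154a5a98486",  # SHA-256, encryptor
    "17146b91dfe7f3760107f8bc35f4fd71",                                  # MD5, Fendr
}
# The sample name is partly redacted on the page; match on the stable suffix.
NAME_SUFFIXES = ("_windows_encrypt_app.exe",)


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 in a single pass over the file."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in digests.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in digests.items()}


def check_file(path, iocs=IOC_HASHES, suffixes=NAME_SUFFIXES):
    """Return the list of reasons a file is flagged (empty if clean)."""
    hits = []
    for alg, digest in hash_file(path).items():
        if digest in iocs:
            hits.append(f"{alg} matches IoC {digest}")
    name = Path(path).name.lower()
    if name.endswith(suffixes):
        hits.append(f"name matches BlackCat sample pattern: {name}")
    return hits


def sweep(root, iocs=IOC_HASHES, suffixes=NAME_SUFFIXES):
    """Yield (path, hits) for every flagged file under root; unreadable files are skipped."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = check_file(path, iocs, suffixes)
            except OSError:
                continue
            if hits:
                yield path, hits


def demo():
    """Build a constructed directory tree and sweep it. Returns {relative path: hits}.

    The constructed payload's own MD5 is added to the IoC set so a hash hit can
    be shown offline; no real sample is involved.
    """
    payload = b"constructed payload bytes, not the BlackCat sample"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "x_alpha_x86_32_windows_encrypt_app.exe").write_bytes(b"MZ constructed")
        (root / "sub").mkdir()
        (root / "sub" / "dropper.bin").write_bytes(payload)
        (root / "readme.txt").write_text("benign")
        iocs = IOC_HASHES | {hashlib.md5(payload).hexdigest()}
        return {Path(p).relative_to(root).as_posix(): hits for p, hits in sweep(tmp, iocs)}


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Hash matching only finds the exact builds listed here; because BlackCat is a RaaS, each affiliate build differs, so the name suffix and the behavioural rules are the more durable signals and the hash set should be refreshed from the source as new samples are published.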
Read more: https://securelist.com/a-bad-luck-blackcat/106254/