BlackCat Climbs the Summit With a New Tactic

MITRE Techniques

• [T1497] Virtualization/Sandbox Evasion – Used to run malware inside a VM to circumvent host security; “The Munchkin utility is delivered as an ISO file, which is loaded in a newly installed instance of the VirtualBox virtualization product.”
• [T1021.002] SMB/Windows Admin Shares – Lateral movement by propagating payloads to remote SMB/CIFS shares; “to propagate the BlackCat payload to remote machines and shares on a victim organization network.”
• [T1027] Obfuscated/Encrypted Files and Information – Strings are decrypted at runtime via a single-byte XOR; “the controller will initially decrypt numerous strings using a unique single-byte XOR operation.”
• [T1098] Modify Existing Account – Root password changed on the VM to a threat actor-chosen value; “changes the root password of the VM to one chosen by the threat actors.”
• [T1003] Credential Dumping – Pack includes tools like Mimikatz and numerous Python scripts used for password dumping and credential access; “Attackers can use many of the Python scripts above for lateral movement, password dumping and further execution of malware on the victim network.”
• [T1562] Impair Defenses – Attempts to disable discovery and security measures; “DISABLE_NETWORK” / “Disable automatic network discovery” described in the config.