Cyble researchers describe BlackSnake, a Chaos ransomware-derived variant that integrates a clipper module to steal cryptocurrency addresses and supports affiliate-driven deployment. The malware uses language checks, process and directory discovery, registry-based persistence, and clipboard interception to maximize impact, including a pay-to-unlock scheme and a ransom note. #BlackSnake #ChaosRansomware
Key points
- BlackSnake is a Chaos ransomware-derived variant with an integrated clipper module targeting cryptocurrency users.
- Affiliates are recruited with a claimed 15% profit share, indicating a multi-actor distribution model.
- The malware performs locale checks to exclude Azerbaijan and Turkey (az-Latn-AZ or tr-TR) before infection.
- Persistence is achieved via a registry Run key in the Windows startup path.
- Clipboard clipping is used to identify Bitcoin wallet addresses on the clipboard and replace them with the attacker’s address.
- Files are encrypted with AES using a hard-coded RSA key; the pay2unlock extension is appended to encrypted files and a ransom note (UNLOCK_MYFiles.txt) is dropped.
MITRE Techniques
- [T1115] Clipboard Data – Clip operation intercepts and modifies clipboard content to substitute cryptocurrency addresses. Quote: “By constantly monitoring the user’s clipboard activity, the BlackSnake malware can check whether any cryptocurrency addresses are present by utilizing a hardcoded regular expression pattern for validation.”
- [T1057] Process Discovery – The malware enumerates running processes to detect duplicates and manage execution. Quote: “the malware enumerates the names of all currently running processes, retrieves the filename of the current executing assembly, and compares it with the filenames of the running processes.”
- [T1547.001] Registry Run Keys / Startup Folder – Persistence via a registry entry so the malware starts with Windows. Quote: “After confirming that there is no existing infection of itself, the ransomware creates a copy of itself in the %appdata% directory with the file name “svchost.exe” and executes the newly created process.”
- [T1082] System Information Discovery – Locale check prior to infection. Quote: “initial check to verify if the current input language of the system matches the language codes “az-Latn-AZ” or “tr-TR”.”
- [T1083] File and Directory Discovery – Enumerates files and applies an exclusion list to determine what to encrypt. Quote: “the malware enumerates all the files… checks the file path against a pre-defined list of strings, as mentioned in Figure 11. Any file path that matches these strings is then excluded from the encryption process.”
- [T1486] Data Encrypted for Impact – Encrypts files using AES after obtaining a key and appends the key to the encrypted file. Quote: “Once the malware gets the key, it encrypts all the identified files from the directory using the AES algorithm and appends the generated key (base64 encoded) to the end of the encrypted file.”
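A defensive illustration of the clipboard interception described under T1115, added here as an example that is not from the Cyble write-up and not the malware's own code: a monitor that remembers the last value the user copied and flags any later clipboard snapshot that holds a different cryptocurrency address, which is the observable side effect of a clipper. The address pattern, the ClipboardGuard class and the event trace are constructed for this example; a real deployment would hook the OS clipboard instead of replaying a list.

```python
import re
from typing import Optional

# Constructed syntactic pattern for the two common Bitcoin address encodings:
# base58 legacy/P2SH (leading 1 or 3) and bech32 (leading bc1). It is an
# assumption for this example, not the pattern the malware uses.
BTC_ADDRESS_RE = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"
)


def looks_like_btc_address(text: str) -> bool:
    """Cheap syntactic check without checksum validation; treat hits as probable."""
    return BTC_ADDRESS_RE.match(text.strip()) is not None


class ClipboardGuard:
    """Compare periodic clipboard snapshots with the last value the user copied.

    A clipper rewrites the clipboard without a user copy action, so a snapshot
    that differs from the last user copy, where both values are addresses, is
    the signal worth alerting on.
    """

    def __init__(self) -> None:
        self.last_user_copy: Optional[str] = None

    def on_user_copy(self, text: str) -> None:
        # Called when the user's own copy action put `text` on the clipboard.
        self.last_user_copy = text.strip()

    def on_poll(self, text: str) -> Optional[dict]:
        # Called for each periodic snapshot; returns an alert when a copied
        # address has been silently replaced by a different address.
        current = text.strip()
        if self.last_user_copy is None or current == self.last_user_copy:
            return None
        if looks_like_btc_address(self.last_user_copy) and looks_like_btc_address(current):
            return {"expected": self.last_user_copy, "found": current}
        return None


def replay(events):
    """Run a sequence of ('copy'|'poll', text) events and return every alert raised."""
    guard = ClipboardGuard()
    alerts = []
    for kind, text in events:
        if kind == "copy":
            guard.on_user_copy(text)
        elif kind == "poll":
            alert = guard.on_poll(text)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed event trace: the user copies a payment address, a later snapshot
# shows an address they never copied, then ordinary text is copied.
SAMPLE_EVENTS = [
    ("copy", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ("poll", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ("poll", "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),
    ("copy", "meeting notes"),
    ("poll", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
]

if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS):
        print(f"clipboard swap: expected {alert['expected']}, found {alert['found']}")
```

The guard deliberately ignores snapshots whose previous user copy was not an address, so ordinary clipboard churn does not alert; only the copy-address-then-different-address sequence does.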
Indicators of Compromise
- [SHA-256] BlackSnake Ransomware – e4c2e0af462ebf12b716b52c681648d465f6245ec0ac12d92d909ca59662477b
- [MD5] BlackSnake Ransomware – afa9d7c88c28e9b8cca140413cfb32e4
- [SHA-1] BlackSnake – 6936af81c974d6c9e2e6eaedd4026a37135369bc
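Host-side triage for the persistence (T1547.001) and impact (T1486) behaviours listed above together with the hash indicators, added here as an example that is not from the Cyble write-up: it flags Run-key entries that launch a svchost.exe from outside the Windows system directories, files carrying the pay2unlock extension or the UNLOCK_MYFiles.txt note name, and digests matching the listed hashes. The registry export, file listing and helper names are constructed for this example; the only page-specific values are the three hashes from the indicator list.

```python
import hashlib
from pathlib import PureWindowsPath

# Hash values from the indicator list above; everything else here is constructed.
KNOWN_HASHES = {
    "sha256": {"e4c2e0af462ebf12b716b52c681648d465f6245ec0ac12d92d909ca59662477b"},
    "md5": {"afa9d7c88c28e9b8cca140413cfb32e4"},
    "sha1": {"6936af81c974d6c9e2e6eaedd4026a37135369bc"},
}
RANSOM_NOTE = "unlock_myfiles.txt"
ENCRYPTED_EXT = ".pay2unlock"
LEGIT_SVCHOST_DIRS = ("\\windows\\system32", "\\windows\\syswow64")


def executable_from_command(cmd: str) -> str:
    """Return the executable path from a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_masquerading_svchost(cmd: str) -> bool:
    """True for a svchost.exe launched from anywhere but the Windows system directories."""
    exe = PureWindowsPath(executable_from_command(cmd))
    if exe.name.lower() != "svchost.exe":
        return False
    parent = str(exe.parent).lower()
    return not parent.endswith(LEGIT_SVCHOST_DIRS)


def suspicious_run_entries(entries):
    """entries: iterable of (value_name, command) pairs exported from a Run key."""
    return [name for name, cmd in entries if is_masquerading_svchost(cmd)]


def ransomware_file_artifacts(paths):
    """Split a file listing into encrypted files and ransom notes by name."""
    encrypted, notes = [], []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(p)
        elif wp.name.lower() == RANSOM_NOTE:
            notes.append(p)
    return {"encrypted": encrypted, "notes": notes}


def digests_of(data: bytes) -> dict:
    """Compute every digest type present in KNOWN_HASHES for a sample."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in KNOWN_HASHES}


def known_hash_hits(digests: dict):
    """Names of the algorithms whose digest matches a listed indicator."""
    return sorted(
        alg for alg, value in digests.items()
        if value.lower() in KNOWN_HASHES.get(alg, ())
    )


def triage(run_entries, paths, digests) -> dict:
    files = ransomware_file_artifacts(paths)
    return {
        "persistence": suspicious_run_entries(run_entries),
        "encrypted_files": files["encrypted"],
        "ransom_notes": files["notes"],
        "hash_hits": known_hash_hits(digests),
    }


# Constructed sample data standing in for a Run-key export and a file listing.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("svchost", "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"),
    ("Host", '"C:\\Windows\\System32\\svchost.exe" -k netsvcs'),
]
SAMPLE_PATHS = [
    "C:\\Users\\alice\\Documents\\budget.xlsx.pay2unlock",
    "C:\\Users\\alice\\Documents\\UNLOCK_MYFiles.txt",
    "C:\\Users\\alice\\Documents\\notes.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_RUN_ENTRIES, SAMPLE_PATHS, digests_of(b"constructed, not the sample")))
```

The svchost check keys on location rather than name alone, because a genuine svchost.exe under System32 or SysWOW64 is expected in a Run key export while one under a user profile is the pattern described in the write-up.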
Read more: https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/