Keypoints
- ALPHV (BlackCat) affiliates use targeted social engineering (phone/SMS) to obtain credentials and compromise accounts for initial access.
- Affiliates deploy legitimate remote access tools (AnyDesk, Splashtop, SimpleHelp, ScreenConnect) and tunneling tools (Plink, Ngrok) to maintain access and exfiltrate data.
- Evilginx2 is used to perform adversary-in-the-middle attacks to capture MFA tokens, session cookies, and credentials; Kerberos token generation is used for domain access.
- Actors use Cobalt Strike and Brute Ratel as beacons for command-and-control, clear logs on Exchange servers, and use cloud file services (Mega.nz, Dropbox) for data staging/exfiltration.
- Some operations exfiltrate data and extort victims without encrypting; when encryption occurs, the ransomware creates ransom notes named like RECOVER-(seven-digit extension) FILES.txt.
- The advisory provides MD5/SHA1/SHA256 hashes, domains, and IP addresses linked to ALPHV operations and recommends defensive controls including phishing-resistant MFA and application allowlisting.
MITRE Techniques
- [T1598] Phishing for Information – ALPHV affiliates use phone calls or SMS pretending to be IT/helpdesk to obtain credentials. (‘ALPHV Blackcat affiliates pose as company IT and/or helpdesk staff and use phone calls or SMS messages … to obtain credentials’)
- [T1586] Compromise Accounts – Compromised accounts are used to gain initial network access. (‘ALPHV Blackcat affiliates use compromised accounts to gain access to victims’ networks.’)
- [T1558] Steal or Forge Kerberos Tickets – Actors generate Kerberos tokens to access domain resources. (‘…use Kerberos token generation for domain access’)
- [T1557] Adversary-in-the-Middle – Use of Evilginx2 to capture MFA credentials, login credentials, and session cookies. (‘…use the open source adversary-in-the-middle attack framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies’)
- [T1555] Credentials from Password Stores – Actors obtain passwords from domain controllers, local networks, and deleted backup servers to facilitate lateral movement. (‘…obtain passwords from the domain controller, local network, and deleted backup servers to move laterally throughout the network’)
- [T1021] Remote Services – Deployment and use of legitimate remote access tools (AnyDesk, Splashtop, SimpleHelp, ScreenConnect) for remote control and administration. (‘…deploy remote access software such as AnyDesk, Mega sync, and Splashtop … SimpleHelp Remote Management tool … ScreenConnect Remote Access’)
- [T1572] Protocol Tunneling / [T1090] Proxy – Use of tunneling tools such as Plink and Ngrok to create tunnels for C2 or remote access. (‘…use legitimate remote access and tunneling tools, such as Plink and Ngrok’)
- [T1071] Application Layer Protocol – Use of Cobalt Strike and Brute Ratel as beacons to communicate with command-and-control servers. (‘ALPHV Blackcat affiliates claim to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers’)
- [T1070.004] Clear Windows Event Logs – Actors clear logs on Exchange servers after installing on domain controllers to hide activity. (‘Once installed on the domain controller, the logs are cleared on the exchange server.’)
Indicators of Compromise
- [Domain] Command-and-control / Remote access – resources.docusong[.]com, Fisa99.screenconnect[.]com, and 3 more domains
- [IP Address] Command-and-control / actor infrastructure – 5.199.168.24, 91.92.254.193, and 6 more IPs
- [MD5 Hash] Malicious binaries – 944153fb9692634d6c70899b83676575 (ALPHV Windows Encryptor), 341d43d4d5c2e526cadd88ae8da70c1c (Anti Virus Tools Killer), and other MD5 hashes
- [SHA256 Hash] Malicious binaries – c64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16 (ALPHV Windows Encryptor), 1f5e4e2c78451623cfbf32cf517a92253b7abfe0243297c5ddf7dd1448e460d5 (Anti Virus Tools Killer)
- [SHA1 Hash] Malicious binaries – 3dd0f674526f30729bced4271e6b7eb0bb890c52 (ALPHV Windows Encryptor), d6d442e8b3b0aef856ac86391e4a57bcb93c19ad (Anti Virus Tools Killer)
- [File Name] Payloads / notes – example payloads such as 7O3cCX9YcHMV2.exe, ibmModule.dll, and ransom note pattern “RECOVER-(seven-digit extension) FILES.txt”
ALPHV/BlackCat technical summary:
ALPHV affiliates gain initial access primarily through targeted social engineering (phone/SMS) and credential compromise, then leverage compromised accounts and Kerberos token generation to obtain domain-level access. They frequently use Evilginx2 to perform adversary-in-the-middle attacks and capture MFA tokens, session cookies, and credentials, enabling persistent access despite standard MFA protections.
After access, operators install legitimate remote-access and remote-management tools (AnyDesk, Splashtop, SimpleHelp, ScreenConnect), tunneling utilities (Plink, Ngrok), and commodity beacons (Cobalt Strike, Brute Ratel) to establish command-and-control and remote administration. They harvest credentials from domain controllers and local stores, clear logs (notably on Exchange servers), stage data using cloud storage (Mega.nz, Dropbox), and either exfiltrate and extort without encrypting or deploy the ALPHV encryptor (Windows and Linux variants), which leaves ransom notes named like RECOVER-(seven-digit extension) FILES.txt.
Defensive and incident-response actions emphasized include quarantining and reimaging affected hosts, rotating credentials, collecting forensic artifacts (running processes, authentication events, recent network connections), and implementing phishing-resistant MFA (FIDO/WebAuthn or PKI), application allowlisting to block unauthorized remote tools, network telemetry/EDR for lateral-movement detection, and targeted user training. Validate controls by testing defenses against the mapped ATT&CK techniques and apply the provided IOCs for detection and blocking.
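As an added example (not part of the CISA advisory or of the summary above), the following Python triage script applies the indicators and behaviours described here to constructed log lines: the SHA256 hashes quoted in the IoC list, the named remote-access and tunneling tools, the Event ID 1102 log-clear signal, and the ransom-note filename pattern. The key=value log format, the approved-tool allowlist, and the reading of "seven-digit extension" as seven alphanumeric characters are assumptions.

```python
import re

# SHA256 values quoted in the advisory summary's IoC list.
ALPHV_SHA256 = {
    "c64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16": "ALPHV Windows Encryptor",
    "1f5e4e2c78451623cfbf32cf517a92253b7abfe0243297c5ddf7dd1448e460d5": "Anti Virus Tools Killer",
}
# Remote access / tunneling tools named in the advisory. Their presence is only
# suspicious when unapproved, so the allowlist below is a local assumption.
REMOTE_TOOLS = {"anydesk.exe", "splashtop", "simplehelp", "screenconnect", "plink.exe", "ngrok.exe"}
APPROVED_TOOLS = {"screenconnect"}  # assumption: this org has sanctioned ScreenConnect
# "RECOVER-(seven-digit extension) FILES.txt"; assumption: seven alphanumeric characters.
RANSOM_NOTE = re.compile(r"^RECOVER-[A-Za-z0-9]{7} FILES\.txt$")

def parse_line(line):
    """Parse the constructed 'key=value|key=value' log format used below into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def classify(event):
    """Return the list of findings for one parsed event (empty if nothing matched)."""
    findings = []
    image = event.get("image", "").lower()
    digest = event.get("sha256", "").lower()
    if digest in ALPHV_SHA256:
        findings.append(f"known ALPHV binary: {ALPHV_SHA256[digest]}")
    tool = next((t for t in REMOTE_TOOLS if t in image), None)
    if tool and tool not in APPROVED_TOOLS:
        findings.append(f"unapproved remote access/tunneling tool: {tool}")
    if event.get("event_id") == "1102":
        findings.append("security log cleared (Event ID 1102)")
    note_name = event.get("file", "").rsplit("\\", 1)[-1]
    if RANSOM_NOTE.match(note_name):
        findings.append("ALPHV ransom note written")
    return findings

def scan(lines):
    """Run classify() over every line; returns (host, finding) pairs in log order."""
    return [(e["host"], f) for e in map(parse_line, lines) for f in classify(e)]

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    "host=WS01|event_id=4688|image=C:\\Users\\a\\Downloads\\AnyDesk.exe|sha256=",
    "host=EXCH01|event_id=1102|image=",
    "host=WS02|event_id=4688|image=C:\\Temp\\7O3cCX9YcHMV2.exe|sha256=c64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16",
    "host=FS01|event_id=11|file=D:\\share\\RECOVER-abc1234 FILES.txt",
    "host=WS03|event_id=4688|image=C:\\Program Files\\ScreenConnect\\ScreenConnect.exe",
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_LOG):
        print(f"{host}: {finding}")
```

The approved ScreenConnect launch on WS03 produces no finding, which is the point of pairing tool detection with an allowlist rather than alerting on every remote-access binary.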
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a