A new ransomware operation has been targeting Windows and Linux systems with a combination of payloads relying on leaked LockBit and Babuk code and custom-developed tools.
Researchers with Symantec said the threat actor behind the campaign, Blacktail, hasn’t been linked to any existing cybercrime group. The group’s recent campaign, called Buhti, first was publicly exposed in February when security researchers found it targeting Linux systems. Symantec researchers in a Thursday analysis found that the group was also targeting Windows systems and leveraging a new set of vulnerabilities for initial access.
“While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated,” said researchers with Symantec in their Thursday analysis.
The group has been exploiting vulnerabilities soon after they are disclosed, including a flaw in IBM’s Aspera Faspex file exchange application (CVE-2022-47986) and, more recently, a known bug in the popular PaperCut print management software (CVE-2023-27350) that enables bad actors to remotely execute code.
Blacktail uses a custom-developed exfiltration tool designed to sniff out specific file types. The information-stealing malware, written in Golang, copies the files and places them into a .zip archive created using an open source utility called zip.
Beyond this custom tool, however, the group has relied on rebranded, leaked payloads. For its ransomware payload, the group uses a barely modified version of the LockBit 3.0 ransomware, which was leaked online in September 2022 by a disgruntled developer. Several functionalities of the repurposed ransomware payload have been disabled, including a feature that makes a LockBit-branded .bmp file the wallpaper on victims’ Windows systems and the capability to send system information about the infected device to a command-and-control (C2) server.
The group also relies on repurposed Babuk code in its targeting of Linux machines. The source code for Babuk, one of the first ransomware families to target ESXi systems, was stolen and leaked on a Russian hacking forum in 2021. A recent report from SentinelLabs showed that more threat actors have adopted the leaked source code over the past year, including nine ransomware groups that have used VMware ESXi lockers based on it.
“While Buhti came to public attention for targeting Linux machines with a payload written in Golang, analysis by Symantec of multiple Linux payloads found that they were all variants of the leaked Babuk ransomware,” said Symantec researchers. “The ransom note dropped by Linux variants was identical to that of the Windows payload, with only the payment address differing.”