The BlackCat ransomware was recently observed leveraging a local socket to coordinate the execution of several instances of the ransomware, which may be run with different privileges. Researchers said this newly discovered tactic, which has not been previously observed in attacks by the ransomware, helps the attackers speed up the encryption process.
In a March 17 incident, Forescout researchers observed BlackCat actors setting up a local UDP server that communicated over port 61069, a dynamic port likely chosen by the ransomware attackers because it is not commonly used and would be free on most targets. The ransomware used the port to run a server that listened for requests from the other instances running on the same machine.
The new tactic “helps by increasing the speed and efficiency of the encryption process,” said Daniel dos Santos, Forescout's head of research. “The several instances will encrypt different parts of the disk, thus finishing faster. At the same time, an instance launched with lower privileges can enjoy the privileges of another instance to encrypt files that the first one could not access.”
Attackers first launched several processes (i.e., instances) that ran the ransomware on the same victim machine. The first instance to launch became the server, and the subsequent ones became clients once they detected that a server was already running. The server instance then received messages from the other instances.
“All instances attempt to encrypt the disk but whenever a client cannot encrypt a specific folder because it lacks permissions, it will ask the server to try that by sending a message ‘TryPath,’” said dos Santos. “There are also some messages to establish a connection between client and server (‘Handshake’), check that a client is still running (‘HealthCheck’) and kill a socket (‘Shutdown’).”
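The following check is added here as an example and is not part of Forescout's research or this article. It parses constructed `ss -ulnp` and `ps -eo pid,comm` output from a Linux host, flags a UDP socket bound to a loopback address on port 61069, and lists the other processes that share the listener's executable name, which is how the server-and-clients arrangement described above would look from the host; the process name "encryptor" and all PIDs are constructed.

```python
import re

COORDINATION_PORT = 61069                 # UDP port named in the Forescout write-up
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}  # the server is local-only, not network-facing
# One data line of `ss -ulnp` (Linux); the header line does not match.
SS_LINE = re.compile(
    r'^UNCONN\s+\d+\s+\d+\s+(?P<addr>.+?):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\))?')
# One data line of `ps -eo pid,comm`; the header line does not match.
PS_LINE = re.compile(r'^\s*(?P<pid>\d+)\s+(?P<comm>\S+)')

def udp_listeners(ss_output):
    """Parse `ss -ulnp` text into records of bound UDP sockets."""
    out = []
    for m in map(SS_LINE.match, (ln.strip() for ln in ss_output.splitlines())):
        if m:
            out.append({"addr": m["addr"], "port": int(m["port"]),
                        "comm": m["comm"] or "?",
                        "pid": int(m["pid"]) if m["pid"] else None})
    return out

def process_names(ps_output):
    """Parse `ps -eo pid,comm` text into {pid: command name}."""
    return {int(m["pid"]): m["comm"]
            for m in map(PS_LINE.match, ps_output.splitlines()) if m}

def find_coordinator(ss_output, ps_output):
    """One finding per loopback-only UDP listener on COORDINATION_PORT, with the PIDs
    of other processes sharing its executable name (the would-be client instances)."""
    names = process_names(ps_output)
    findings = []
    for sock in udp_listeners(ss_output):
        if sock["port"] != COORDINATION_PORT or sock["addr"] not in LOOPBACK:
            continue
        siblings = [p for p, n in names.items()
                    if n == sock["comm"] and p != sock["pid"]]
        findings.append({"pid": sock["pid"], "comm": sock["comm"],
                         "sibling_pids": sorted(siblings)})
    return findings

# Constructed sample output: the process name "encryptor" and all PIDs are made up.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:61069    0.0.0.0:*         users:(("encryptor",pid=4242,fd=3))
UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=801,fd=6))
"""
SAMPLE_PS = """    PID COMMAND
   4242 encryptor
   4243 encryptor
    801 dhclient
"""
```

A socket on the same port bound to a non-loopback address is deliberately not flagged, since the behaviour described here is local coordination only; widen `LOOPBACK` if a broader hunt is wanted.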
In the incident observed by Forescout, the ransomware adversary achieved initial access by leveraging a known SQL injection flaw (CVE-2019-7481) in an unpatched, end-of-life SonicWall Secure Remote Access 4600 device in order to harvest credentials. The attacker then downloaded and installed SonicWall’s Virtual Assist module, which is used for remote access and file transfer between technicians and customers, in order to execute code that in turn waited for a legitimate user to connect and then hijacked the existing session. The attacker then changed the password for the account and gained access to VMware ESXi servers to manually launch the ransomware attack.
The ransomware has previously targeted the ESXi platform: its Windows and Linux variants include capabilities specific to VMware ESXi hosts, such as stopping or deleting virtual machines and deleting snapshots, and those capabilities were used in this attack.
Researchers also found an error-handling bug in the malware sample that can prevent the ransomware from encrypting Linux targets if a dummy “esxcli” executable is present. When the malware runs on a system with this dummy “esxcli” binary, it reaches an internal error state and exits before it reaches the file-encryption functionality.
“To sum it up: if a dummy esxcli binary is present on a Linux system, no file will ever be encrypted when one runs this malware… this can be a workaround to prevent file encryption by this sample for other Linux systems that don't require the presence of the legitimate esxcli binary,” said researchers.
BlackCat was previously labeled “the most sophisticated ransomware of 2021,” and this latest communication tactic shows how it continues to evolve its techniques. The ransomware-as-a-service operation is known to have successfully infected dozens of targets using malware written in Rust, and for using a binary payload specially crafted for each target, which makes detection harder. The FBI and researchers have also pointed to a connection between BlackCat and the BlackMatter ransomware group (itself a potential partial reincarnation of the DarkSide group).
BlackCat (also known as ALPHV) first appeared in late November and has since then been attacking targets in multiple countries, including the U.S., Australia and India. Last week, the FBI sent out a flash alert saying that the ransomware has compromised at least 60 entities globally as of March.